Big elections raise the visibility and scrutiny of political cyber events. Alleged breaches of Hillary Clinton’s private email server and actual hacks of Democratic National Committee (DNC) emails made headlines in the 2016 election cycle. This Presidential election season, official U.S. Capitol email addresses, passwords, and personally identifiable information (PII) were exposed on dark web markets. The potential results are alarming.
The official email addresses of 3,191 congressional aides/staffers have appeared on the dark web, according to a Proton and Constella Intelligence report published in May 2024. These were official work email addresses. Some 1,848 of these addresses were listed with plaintext passwords. The data came from third-party breaches of social media and other sites. A small number of accounts were from dating and adult sites.
According to Alberto Casares, chief technology officer of Constella Intelligence, an identity intelligence company, information on affected Capitol employees has been found in more than 200 different data breaches and several infostealers (a kind of malware used in phishing and malicious download and drive-by attacks).
Weak security policies, practices, and procedures
Written security policies, practices, and procedures for Capitol aide/staffer email accounts are not apparent, if they exist at all. There is, however, evidence that cybersecurity training is lax and that systems are not well secured.
“The staff in legislative offices are generally young recent college graduates who have not received formal training in cybersecurity and the safe handling of electronic data,” said Philip Lieberman, who has worked extensively with Congress on matters of national security. Lieberman created the former Lieberman Software, a multi-national cybersecurity, IT management, and cyberwarfare company that is now part of BeyondTrust.
“Legislative office systems are consumer-grade, and there is little budget or expertise in device management and identity management within the organization,” said Lieberman.
Likely password reuse
“For staffers, the choice of password is up to them. It is easiest to use one password for all personal and business cases, and that is the path most people choose,” said Lieberman.
Aides or staffers registering official email addresses and passwords on vulnerable third-party sites put those credentials at risk. Cybercriminals can use those to gain unauthorized access to any account or system that uses the same password, including Capitol accounts.
“During the analysis, we identified the reuse of passwords by the analyzed users,” said Casares. Constella Intelligence analyzed the email addresses and sensitive data of U.S. Capitol staffers that had been breached.
“By analyzing the compromised data, our system automatically detected instances where the same passwords were used across multiple accounts and services,” said Casares. “We can see where a single password has been reused across different platforms, increasing the risk of broader compromise,” he said. While not every affected staffer reused passwords, some did, according to Casares.
The frequent reuse of passwords is a common trend in data exposures, said Casares; individuals often reuse the same credentials across multiple sites.
For example, in a separate incident, the most commonly reused password at the U.S. Department of the Interior (Password-1234) was used in 478 unique active accounts, according to a 2023 report from the Department’s Office of Inspector General.
Security holes permit password reuse
“There is no cross-checking of common passwords between systems. Most organizations don’t subscribe to a service to check whether their passwords are compromised and available on the dark web,” said Lieberman.
Poor password hygiene means users don’t change their passwords. People share them with friends and co-workers, circulating them broadly. It’s part of why passwords and password databases stolen today are valuable years later.
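The two checks described above, Constella's detection of the same password reused across services and the cross-checking against known-compromised passwords that Lieberman says most organizations skip, can be illustrated in code. The following Python is an added example written for this article; it is not Constella's system or any vendor's API. The breach corpus, email addresses, and passwords in it are constructed sample data, and the `range_lookup` function stands in for a k-anonymity-style breached-password service (the client sends only the first five hex characters of a SHA-1 hash, so the service never learns the full hash).

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of a password, uppercased to match common breach-feed formats."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus (sample values, not real leaked data): SHA-1 of a
# password -> how many breach records it appeared in.
_BREACH_COUNTS = {"Password-1234": 478, "123456": 100000, "qwerty": 50000, "letmein": 12000}
BREACH_CORPUS = {sha1_hex(p): n for p, n in _BREACH_COUNTS.items()}

# Constructed sample records in the shape of breach data: (service, email, password).
SAMPLE_RECORDS = [
    ("linkedin", "aide1@example.org", "Password-1234"),
    ("facebook", "aide1@example.org", "Password-1234"),
    ("twitter", "aide1@example.org", "Tw1tter!pass"),
    ("linkedin", "staffer2@example.org", "unique-one"),
    ("dating-site", "staffer2@example.org", "unique-two"),
]


def range_lookup(prefix: str) -> list:
    """Server side of a k-anonymity check: given the first 5 hex chars of a
    SHA-1, return every (suffix, count) in the corpus sharing that prefix.
    The server never learns which full hash the client cares about."""
    prefix = prefix.upper()
    return [(h[5:], n) for h, n in BREACH_CORPUS.items() if h.startswith(prefix)]


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the 5-char prefix, and match the
    remaining suffix locally. Returns the breach count (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def find_reuse(records):
    """Group records by account holder and flag any password the same person
    used on two or more services. Passwords are compared by hash so the
    grouping step never has to keep plaintext around.
    Returns {email: [sorted list of services sharing one password, ...]}."""
    by_user = defaultdict(lambda: defaultdict(set))
    for service, email, password in records:
        by_user[email.lower()][sha1_hex(password)].add(service)
    reuse = {}
    for email, groups in by_user.items():
        shared = [sorted(services) for services in groups.values() if len(services) >= 2]
        if shared:
            reuse[email] = sorted(shared)
    return reuse


def assess(records):
    """Per-account summary: which passwords are reused across services, and
    which services' passwords already sit in the breach corpus (the ones a
    credential-stuffing attack would try first)."""
    reuse = find_reuse(records)
    in_corpus = defaultdict(set)
    for service, email, password in records:
        if breach_count(password) > 0:
            in_corpus[email.lower()].add(service)
    emails = {email.lower() for _, email, _ in records}
    return {
        email: {
            "reused": reuse.get(email, []),
            "in_breach_corpus": sorted(in_corpus.get(email, ())),
        }
        for email in sorted(emails)
    }


if __name__ == "__main__":
    for email, findings in assess(SAMPLE_RECORDS).items():
        print(email, findings)
```

In a real deployment the corpus lookup would be a query to a breached-password service rather than a dictionary in memory, and the reuse check would run at password-change time against hashes of the user's previous and other-system passwords rather than over breach dumps.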
How Constella Intelligence found the data
Cybercriminals typically breach social media, dating, and adult sites by exploiting software vulnerabilities, misconfigurations, and unintentional data exposures and using malware, especially infostealers, according to Casares.
“Constella Intelligence identifies compromised data across the Internet, including the deep and dark web, using cutting-edge A.I. technologies and more than fifteen years of expertise from its subject matter experts,” said Casares. He said Constella monitors not only data breaches but also infostealers.
“As a result of our analysis, we discovered that some of the profiles we examined were specifically infected by infostealer malware. This led to the exposure of their official email addresses, among many other sensitive personal data,” said Casares.
The social, dating, and adult sites
The report specifies LinkedIn, Facebook, and Twitter as breached sites containing the Capitol staffers’ data. Some 1,487 Capitol aides’ LinkedIn accounts were exposed; 416 of their Facebook accounts and 347 of their Twitter profiles were also breached, according to the Proton/Constella report (which did not specifically name other sites tied to Capitol aides and staffers).
Beyond that, Casares said it’s reasonable to assume the sites include adult, dating, and sensitive content platforms that have been publicly reported in recent years.
Personal and Capitol data at risk
Personally Identifiable Information (PII) is the data most at risk, said Casares. PII is any information someone could use to identify a specific person. For some staffers, multiple exposed attributes were found, including social security numbers, dates of birth, and home addresses, said Casares.
Bad actors trade in PII on the dark web and build detailed profiles of millions of people. The more robust the profile, the greater the risk of identity theft—posing as the user to gain access to systems and accounts and commit acts of fraud. Fraud examples include extortion and opening financial accounts in the user’s name.
“With leaked passwords, attackers could use credential stuffing to access official accounts,” said John Price, CEO of SubRosa, a cybersecurity and risk advisory firm, and emeritus counterintelligence and security consultant for the U.K. Ministry of Defense. “Bad actors could impersonate staffers, steal confidential documents, or plant malware for long-term surveillance of Capitol networks,” he said.
In credential stuffing attacks, attackers use malicious bots to enter credentials, such as usernames and passwords, into many login screens rapidly to find the ones that unlock access.
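The pattern credential stuffing leaves in authentication logs is distinctive: one source address trying many different usernames in a short time, almost all of them failing. The following Python is an added example for this article, not code from any of the organizations named; it parses constructed sample log lines (the `ip=... user=... result=...` format and the 203.0.113.x and 198.51.100.x addresses are assumptions) and flags source IPs that show the stuffing pattern, along with any accounts those IPs did manage to open, which is what an incident responder would need to know first.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (format is an assumption for this example).
SAMPLE_LOG = """\
2024-05-02T10:00:01Z ip=203.0.113.7 user=aide1@example.org result=FAIL
2024-05-02T10:00:03Z ip=203.0.113.7 user=aide2@example.org result=FAIL
2024-05-02T10:00:04Z ip=198.51.100.5 user=aide1@example.org result=FAIL
2024-05-02T10:00:05Z ip=203.0.113.7 user=aide3@example.org result=FAIL
2024-05-02T10:00:07Z ip=203.0.113.7 user=aide4@example.org result=OK
2024-05-02T10:00:09Z ip=203.0.113.7 user=aide5@example.org result=FAIL
2024-05-02T10:00:11Z ip=203.0.113.7 user=aide6@example.org result=FAIL
2024-05-02T10:00:15Z ip=198.51.100.5 user=aide1@example.org result=OK
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn log text into (timestamp, ip, user, result) tuples, skipping
    malformed lines instead of aborting the whole run."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"].lower(), m["result"]))
    return events


def detect_stuffing(events, window_seconds=60, min_users=5, min_fail_ratio=0.8):
    """Flag any source IP that, inside a sliding window of window_seconds,
    tries at least min_users distinct usernames with a failure ratio of at
    least min_fail_ratio. A normal user mistyping their own password hits
    one username, so the distinct-user count is what separates the two."""
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[1]].append(event)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(window) >= min_fail_ratio:
                # Accounts this IP logged into at any point in the log: the
                # "ones that unlock access" that need immediate review.
                opened = sorted({e[2] for e in evs if e[3] == "OK"})
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts_in_window": len(window),
                    "accounts_opened": opened,
                }
                break  # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, alert)
```

The thresholds are deliberately parameters: a shared NAT or VPN egress will show several legitimate users behind one address, so in practice they are tuned per environment and combined with other signals (user-agent churn, geography, known bot infrastructure) before an address is blocked.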
Cybercriminals can target control of staffers’ official email accounts. “Once you have access to their email, the entire inbox, and the file structure of an email account, exporting that information is easy to do quite quickly,” said Price.
With access to Capitol email accounts, attackers could read, intercept, and fake email communications. According to Price, attackers could access classified information if the staffers were transmitting data that was not within the specified classification level.
No change since the breaches
According to Lieberman, there is no enforcement power at the Federal level regarding Congressional restrictions on staffers’/aides’ using social or adult sites with emails or passwords they use professionally or otherwise.
“Civilian and defense agencies that lawmakers regulate have been utilizing strong authentication for at least 20 years. Lawmakers should consider using defense or well-known cybersecurity contractors to manage their identities and provide password management with password rotation,” said Lieberman. “Like everything in Washington, D.C., it is about money and power. Legislators need to fund better IT services, training, and security for their own use,” said Lieberman.
R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.