E-mail addresses and passwords belonging to thousands of British MPs, parliamentary staff, and other top officials are being traded by Russian hackers, The Times reports.
E-mail addresses and passwords of British MPs and other government officials are now freely available on websites run by Russian hackers.
According to The Times, a large cache of data obtained from Russian-speaking hacking websites includes 'private log-in details of 1,000 British MPs and parliamentary staff, 7,000 police employees and more than 1,000 Foreign Office officials.'
These credentials were obtained by hackers following a cyber-attack on LinkedIn in 2012. Considering that Russian hackers have traded and bartered such credentials for over four years, it is possible that such hackers may have also infiltrated these e-mail accounts and snooped on government communications.
“The stolen credentials, believed to be the result of prior data breaches dating back to 2012, shouldn’t give any cause for concern – if basic cyber hygiene procedures were followed. But what are the chances that passwords in use back in 2012 remain the same?
"The truth is that we make it too easy for cyber attackers to tap into our online accounts and data by leaving our log-in credentials unchanged for years at a time – or using insecure passwords which are far too obvious," said Andre Stewart, VP for EMEA at Netskope.
The hacked email addresses included those of Peter Jones, the Foreign Office’s chief operating officer, former Detective Chief Inspector Andy Redwood, and former Cabinet Office minister Brooks Newmark. These individuals, along with many others, either used highly insecure and easy-to-guess passwords or used the same passwords on multiple websites.
Overall, 2,944 of all hacked email addresses and passwords belonged to officials at the Department for Work and Pensions, 1,442 to officials at the Department of Health, 1,392 to officials at the Foreign & Commonwealth Office and 938 to officials at the Ministry of Justice.
“This story shows just how important it is that people change all their passwords in the wake of a breach. People often use the same password for multiple sites, even for accessing work-essential applications and services, and do not change them for years; this means that when these credentials are harvested, as we can see in this instance, it can have serious repercussions. As we can see, hackers might sit on these for a number of years, lulling people into a false sense of security; so our advice is always the same, be careful and change your passwords regularly," said Rashmi Knowles CISSP, EMEA Field CTO at RSA.
The National Cyber Security Centre says it is aware of the 'renewed press interest in the historic hack of LinkedIn.' The centre is now advising LinkedIn users to change their passwords immediately, close their accounts if they are not using the service, and not use the same passwords for both personal and work accounts. Affected users have also been asked to use multi-factor authentication to make it more difficult for the Russian hackers.
“When it took place, LinkedIn gave advice that people should change their passwords. Anybody who is no longer using the password will not have had their account breached,” said a government official to The Guardian.
“Wherever possible, organisations must make end users aware of basic cyber hygiene, steering them towards safe courses of action – including regular password updates. After all, each new hack can release a treasure trove of user details in the form of usernames, passwords and other information which can then be used to access other online services. When the same credentials are used across multiple accounts, these breaches can expose data in many different cloud apps and services at the same time.
"This creates a significant risk to the enterprise because passwords used in simple personal applications are all too often used for data critical applications at work," Stewart added.
Back in May, The National Cyber Security Centre had flagged several attempts made by suspected hackers to obtain personal details of British Members of Parliament and has advised ministers and their staff to look out for such activities. Such phishing e-mails include asking MPs to disclose IDs and passwords of their personal accounts or to log onto fake websites.
"The emails are very convincing and could arrive at an individual’s personal or work email account, perhaps even appearing to come from someone known to the recipient," said the agency.
To prevent MPs from falling victim to social engineering or phishing scams, the National Cyber Security Centre also asked MPs and their staff to enable multi-factor authentication in their devices, view and validate device logins, terminate current sessions, forward suspicious e-mails and educate followers about phishing attempts.