MPs Warned Over Data Leaks Linked to Official Email Addresses

Research found 216 data breaches linked to MPs’ email addresses, which were used to sign in to online accounts such as LinkedIn.
A general view of the Palace of Westminster in London on April 22, 2019. (Lily Zhou/The Epoch Times)
Lily Zhou

MPs have been warned not to use their parliamentary emails for other purposes or recycle their passwords after their private information was found online.

Swiss online service provider Proton said its research found 216 data breaches linked to MPs’ email addresses and that over two-thirds of MPs’ email addresses have appeared on the dark web.

It’s understood no parliamentary account has been found to be currently at risk.

Will Geddes, a leading security specialist, told The Epoch Times malign actors could use leaked passwords to hijack a victim’s account, or accounts, if the person reuses the same password.

Proton, which sells privacy-related products, published a blog post on Thursday, saying its joint investigation with Constella Intelligence found that British MPs fared the worst compared to their counterparts in the French and EU parliaments.

It comes after MPs were targeted in various security incidents, including a “reconnaissance” campaign by a Chinese state-backed hacking group, and a sexting scandal in which a Conservative MP was manipulated into leaking colleagues’ phone numbers.

According to Proton, researchers searched the dark web for 2,280 official email addresses, including 650 from the UK Parliament, 925 from the French Parliament, and 705 from the European Parliament.

Of 650 UK official parliamentary email addresses searched, more than two-thirds, or 68 percent, had appeared on the dark web, compared to 18 percent of French lawmakers’ email addresses and 44 percent of MEPs’ email addresses, the company said.

The appearance of the official email addresses on the dark web does not constitute a data breach in and of itself, because the addresses are publicly available.

However, the research found that politicians regularly used their official email addresses to sign in to online services such as LinkedIn, Adobe, Dropbox, Dailymotion, petition websites, news services, and “in a small number of cases, dating websites,” and some passwords have been compromised.

“In our investigation, we unfortunately found all kinds of sensitive information linked to politicians’ emails, including their date of birth, the address of their residences, and social media accounts,” Proton said.

According to the company, 216 passwords associated with UK parliamentary email addresses have been exposed in plaintext, with 30 breaches linked to the worst-affected MP.

In comparison, 161 passwords linked to MEPs were exposed, with the most targeted MEP exposed 27 times; and 320 passwords linked to French lawmakers were exposed, with one politician targeted 137 times.

Proton also warned that if a politician reused a leaked password for their official accounts and failed to use two-factor authentication, hackers may be able to get into government systems.

According to Mr. Geddes, a hacker can launch a “distribution attack across a number of different websites” using an email address as the username and the leaked password associated with the email to either harvest information or “hijack that account and set it on someone else.”

Fundamentally, MPs “shouldn’t be using their parliamentary email addresses for doing anything other than parliamentary work,” the security expert said, adding that it can lead to “all sorts of risks.”

He also recommended using a password manager instead of recycling the same password, and using multi-factor authentication to sign in to accounts.

A parliamentary spokesperson said: “Parliament takes cyber security extremely seriously. We have robust measures in place, including providing advice to users to make them aware of the risks and how to manage their digital safety—working closely with our partners in the National Cyber Security Centre.”

There are currently no MPs since Parliament has been dissolved ahead of the July 4 general election.

Earlier this month, the National Cyber Security Centre, part of GCHQ, launched a new cyber defence service for political candidates.

The opt-in service offers an extra layer of security by warning users if they try to visit a malicious domain from their personal devices. It will also block outgoing traffic to these domains.

The NCSC director for national resilience and future technology, Jonathon Ellison, urged eligible users to sign up, saying, “Individuals who play important roles in our democracy are an attractive target for cyber actors seeking to disrupt or otherwise undermine our open and free society.”

Evgenia Filimianova contributed to this report.