Reportedly, login credentials of around 47 U.S government institutions across 89 different domains have been leaked.
Apparently, in the earlier part of 2015, 12 out of these 47 agencies (including the Department of State & Energy) allowed access to their computer network without two-factor authentication to some of their users.
Resultantly, “the presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce,” according to CBS.
Agencies that haven’t implemented two-factor authentication yet also include “the General Services Administration, USAID, and the departments of State, Veterans Affairs, Agriculture, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Energy, Interior and Homeland Security.”
The leaked emails and passwords belong to people working at the agencies, states a CIA-backed startup and reported by Recorded Future.
Undoubtedly, exposure of the passwords of these sensitive government agencies on the Open Web has made these vulnerable to espionage, socially designed cyber attacks, and engineered spear-phishing attacks against their employees.
The U.S has been blaming China and Russia for conducting sophisticated cyber attacks on its high-profile government institutions, but do they have an answer to how these credentials were leaked and publically available online?