The United States federal government is still reeling from the massive hack on the Office of Personnel Management, but it now appears the incident is only the tip of the iceberg: researchers from Recorded Future found a huge volume of credentials belonging to federal employees leaked on paste sites.
Security researchers from the organization, which is financed by a CIA venture arm, have revealed that these credentials came from nearly 100 domains belonging to the U.S. government, and that most of the data includes hashed passwords as well as clear-text passwords. These passwords are believed to have been pasted online from November 2013 through the same period last year.
It is easy for anybody to search for and locate these passwords online, which exposes many government employees to potential identity theft, phishing campaigns and social engineering by attackers. The massive leak also exposes nearly 50 government agencies to espionage attacks, though the credentials provide access only to non-classified networks.
Furthermore, analysis by Recorded Future uncovered poor security practices at the government agencies in question, such as the lack of robust security measures like multi-factor authentication, which is fast becoming the norm among private Internet companies.
In fact, almost none of the affected government domains, which belong to the State Department, Department of Homeland Security and General Services Administration, among others, imposed the two-factor verification that should have been in place to protect users who access the networks.
OPM hack is only the tip of the iceberg
Quite coincidentally, some of the leaked passwords also belong to Office of Personnel Management records, which means the OPM hack could be just a small part of a far more extensive breach of government personnel data.
The OPM hack involves millions of pieces of information belonging to federal employees, such as personal records, security clearance applications and background checks. For example, Recorded Future researchers found several OPM credentials on many websites, including Pastebin, which is readily accessible to the public, not least to hackers.
It seems that it took quite a while before the affected government agencies were informed of the data breach, though a number of paste sites removed the credentials once they heard from Recorded Future.
But since a long time has now passed, it is also possible that many of these credentials have already been sold or are now circulating in secret markets or private channels.