Recorded Future, a private company backed by the CIA and Google Ventures, released a report today revealing that login credentials of government employees from 47 agencies have been leaking across the Web for more than a year.
The data was gathered through publicly available "open source intelligence" for a one-year period up until November 2014. The company collected this information from 17 "paste" websites such as Pastebin.com, as well as other public sources.
When Recorded Future was doing its intelligence analysis over this period, it found that the Department of Energy (which also handles nuclear safety) and the Department of Commerce were hit the hardest.
In February of this year, the Office of Management and Budget (the same one pushing all federal websites to adopt HTTPS right now) found that 12 agencies weren't using any form of two-factor authentication. Those 12 agencies include departments that should have the highest security standards, such as the departments of Health and Human Services, Treasury and Homeland Security.
Recent Senate testimony on the OPM breach, which exposed the data of over 4 million government employees, even more government contractors, and potentially 18 million Social Security numbers, suggested that the lack of two-factor authentication as well as the lack of encryption directly affected the success of the hack.
Recorded Future also found that many government employees have used their government emails to log in to third-party Web services. When those services were hacked, the breaches also exposed the federal employees' emails, which made it easier to then log in to government systems as well.
Recorded Future analyzed over 660,000 open web sources but focused on the small subset of paste sites where such information is often shared. However, that also means the government employees' exposure could be much bigger than Recorded Future's small analysis sample.
Right now, the U.S. government doesn't seem to have a strong strategy for defending against such large-scale attacks. Many federal agencies, including those that deal with highly sensitive information, use security measures that would be considered subpar today.
It's becoming clear that the U.S. government needs to drastically increase the security of its digital properties before any more data is stolen. It also needs to do so quickly, before those who have already pilfered sensitive data in the recent hacks can start using it against the very systems the government is trying to secure.