A threat intelligence company analyzed data on 17 “paste sites,” including Pastebin.com, over a year-long period, and found login credentials linked to 47 U.S. government agencies across 89 unique domains accessible online.
The company, Recorded Future, collected and analyzed the data using open source intelligence between November 2013 and November 2014, noting in a Wednesday report (PDF) that the “presence of these credentials on the open web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.”
“While some agencies employ VPNs, two-factor authentication, and other tokens to provide a safety net, many agencies lag behind,” the report said, pointing to a February 2015 Office of Management and Budget (OMB) report (PDF) to Congress which called attention to 12 agencies that “do not require most privileged users to log in with any form of two factor authentication.”
Among those 12 agencies was the Department of Energy, which Recorded Future observed to be the agency with the “widest exposure, with email/password combinations for nine different domains identified on the open Web.”
Recorded Future added that .gov accounts posted with plain text or hashed passwords were sometimes removed immediately from sites, such as Pastebin, but that it wasn’t aware of efforts to notify agencies that the data was exposed, or “likely still circulates in private circles and is available to the original attackers.”
The company decided not to identify the specific domains and logins exposed, following suit with its protocol during previous research on vulnerable credentials. The firm noted, however, that some paste sites do not regularly monitor content published by users, and that the leaked credentials it found came from a “range of vectors both targeted and untargeted,” including actors claiming affiliation with hacktivist groups, like Anonymous and LulzSec.
In the report, Recorded Future defines a “paste site” as a web application that allows a user to store and share plain text, with the most popular of the bunch being Pastebin – often used by hacktivists to expose data online.