Government employees and defense contractors still have bad passwords, report says

A new report found that cyber breaches of government email accounts rose by 14 percent in 2022.


According to new research, a majority of government employees with exposed passwords were found to have reused them across multiple accounts. 

A new report found that the number of breaches impacting .gov emails rose to 695 in 2022, a nearly 14 percent increase from the previous year, as a majority of government employees continued to practice poor cyber hygiene.

An estimated 61 percent of government employees with more than one password exposed in the last year had reused passwords across multiple accounts, according to the cybersecurity firm SpyCloud's 2023 Identity Exposure Report. 

The report also found troubling habits in the private sector, including 24,000 malware infections among a sample of defense contractors. SpyCloud researchers observed exposures that included plaintext passwords and admin credentials, along with a list of the passwords most commonly exposed in connection with government emails.

The top three passwords associated with exposed government email accounts were "123456," "12345678," and "password," the report said.

Trevor Hilligoss, director of security research at SpyCloud, described the government sector's elevated risk of malware-infected devices as "one of the most profound concerns" identified in the report. 

"Government employees still use the same passwords to log into government systems as their private accounts, creating gaps criminals can use to infiltrate government systems," Hilligoss told FCW on Wednesday. "Agencies with employees reusing exposed passwords run the risk of allowing criminals to use one password to multiply their infiltration across accounts and deploy follow-up attacks targeting sensitive agency data."

According to SpyCloud, the government sector is at an even higher risk from malware-infected devices than the private sector. And despite a significant push from the White House and federal agencies like the Cybersecurity and Infrastructure Security Agency over the last year to bolster federal cybersecurity, the new report found that government employees continued reusing their passwords in 2022 at the same rate as the prior year. 

Hilligoss credited the federal government for securing data using techniques like multi-factor authentication and physical tokens, but noted that "threat actors are extraordinarily dedicated and growing ever more advanced in their tactics to steal data.

"Sophisticated and technical threat actors are bypassing common defense tactics like MFA using data exfiltrated from infostealer malware, such as the IP addresses — so that they can match the victim’s geographic location — and session cookies that make up the digital identity of government employees," he added.

In total, the firm's research team found an estimated 721 million exposed credentials across 1,316 breach sources. Password trends overall included various pop culture callbacks, with references to artists Taylor Swift and Bad Bunny appearing in more than 327,000 recaptured passwords, the report said.

The researchers said that data increasingly came from botnets in 2022, which can enable cybercriminals to impersonate individuals online. 

The new report comes as a growing pool of research indicates apparent apathy toward maintaining good cyber hygiene practices among government employees. Another study published earlier this month surveyed government employees across the U.S., Australia, France, Germany, the Netherlands and the United Kingdom, and found that about one-third of respondents believe "their actions don't matter when it comes to security."

A Government Accountability Office report published in 2020 also instructed the Department of Defense (DOD) to "take decisive actions to improve cyber hygiene" and warned that a series of cyber hygiene initiatives previously underway had been left incomplete or unreported.