Dozens of MP’s online accounts appeared in data breaches
News | 03/18/2019 5:41 pm EST
Nearly a hundred emails for members of parliament — among them eight direct-to-MP emails — have been recorded in various data breaches dating back years, an analysis done by the Wire Report revealed.
That includes some 87 general email accounts for members of Parliament which were involved in at least one data breach where their data was unintentionally exposed to the public — 21 of which may have involved password leaks, either for their emails or other online accounts they registered using their emails.
A House of Commons spokesperson said no MP’s email has ever been reported breached and Parliament uses various security measures such as two-factor email authentication.
The analysis shows some MP emails were found in databases of matching email and password combinations listed for sale online or on the ‘dark web’, and some were found in datasets reportedly used for ‘credential stuffing’ attacks, where hackers try to break into other accounts where the compromised passwords were reused.
The Wire Report checked parliamentary emails through Troy Hunt’s breach-notifying website ‘Have I been pwned?’. Hunt is an Australia-based security researcher who created the website as a resource for members of the public to quickly check if their accounts may have been compromised. The site checks emails against a record of billions of accounts recorded in various data breaches made public, according to his website’s description. It does not make information on sensitive breaches publicly searchable, such as the 2015 breach of Ashley Madison, an infidelity-promoting dating website.
Hunt said in an email that while politicians tend to be bigger targets than ordinary members of the public, the findings don’t necessarily indicate a widespread problem unless MPs kept reusing their passwords — something not easy to determine.
“The usefulness of an MP’s password is entirely dependent on where they’ve used it. Finding an old, unique one in a credential stuffing list is pretty benign, but if that same password has been reused other places (which is often the case, hence why these lists can be so damaging), then use your imagination as to how bad that could get for them,” he said.
“Credential lists only work due to password reuse so if someone is using a password manager and creating strong, unique ones everywhere, the problem entirely disappears (at least beyond any risk still posed on the original service the password was breached from).”
Heather Bradley, spokesperson for the House of Commons Speaker’s office, said all parliamentary network services require using two-factor authentication for email access from outside the precinct and said other security measures are in place.
“While House of Commons user account information could appear among the stolen data when an online service provider is breached, no @parl.gc.ca domain MP emails have been reported as breached,” she said in a statement to the Wire Report. “If a Member or Member’s staff is concerned that their email has been compromised, a service is in place that they can contact 24/7. Preventative measures are in place and immediate steps are taken.”
Of the eight direct-to-MP email accounts that were found to be involved in breaches — and all eight of those were involved in breaches where passwords were potentially compromised — People’s Party of Canada leader Maxime Bernier’s was recorded in the most breaches: his email turned up a total of five times in separate breaches.
His appeared on the Anti Public Combo list, a database of some 458 million unique email addresses and passwords hacked from various online systems, which was sold online and used for credential stuffing.
Other MP passwords were exposed through sites including a Dropbox Inc. leak from 2012 where some 68 million records were traded online, MyFitnessPal (a smartphone and website health app that tracks diet and exercise metrics), a hack of concert ticket retailer Ticketfly, and a breach of the social website link-sharing app ShareThis, among others.
The personal parliamentary email accounts NDP MP Murray Rankin and ethics committee chair and Conservative MP Bob Zimmer, were found among the 41 million emails in the ShareThis breach, while Liberal MP David McGuinty and Tory MP Marilyn Gladu’s MyFitnessPal accounts, registered through their emails, were recorded in the breach.
Bloc MP Louis Plamondon’s general email address was found on two ‘combo’ lists that paired emails and passwords, among other breaches.
A number of MPs the Wire Report reached out to, including Bernier and McGuinty, did not respond to requests for comment for this story.
There have been a number of recently-reported instances of social media account compromises on Parliament Hill, although not necessarily any that happened as a result of large-scale data breaches.
The Hill Times reported last fall that Conservative MP Peter Kent’s Instagram and Facebook Inc. accounts were hacked — which he revealed during a committee hearing regarding cybersecurity. The Toronto Star had also reported, amid disgraced Tory MP Tony Clement’s sexting scandal, that Clement was apparently concerned his own Instagram account was hacked. Clement was forced to leave caucus over the scandal and now sits as an independent. Tory Senator Donald Plett’s Twitter Inc. account was compromised last fall as well, an instance that found its way into newspapers after the account tweeted about a spat between rappers Nicki Minaj and Cardi B, and changed Plett’s profile picture so it displayed a tattooed, shirtless male model.
Some of the breaches found in the analysis were from last year, while others potentially date back to at least as early as 2012. The analysis did not include political party email addresses or personal emails used outside of parliamentary work.
Communications Security Establishment (CSE) officials have warned federal MPs and the public that parties, candidates and social media will likely be increasingly targeted online by cyberattacks. It warned in a recent report that “almost certainly, multiple hacktivist groups will deploy cyber capabilities in an attempt to influence the democratic process in 2019.” Experts have warned of hacking vulnerabilities in the coming election, after hacking in the 2016 American election elevated concerns to a new level.
Not everyone has paid as close attention to escalating concerns about online threats. In 2017, the UK’s information commissioner warned British MPs against sharing computer passwords after some admitted they shared logins with their staff and it was common practice.
Bradley said the Canadian House of Commons spends “considerable effort in IT security awareness” and that the “parliamentary community is reminded of best practices on a regular basis.”