In the fifth instalment of our investigation into politicians’ cybersecurity practices, we found the official email addresses of 241 members of German state-level parliaments (like the Bavarian parliament, for example) for sale on the dark web, roughly 13% of the emails we searched. Constella Intelligence helped us compile this information.
Read the original report, which has all our findings to date
All of these email addresses are publicly available on government websites, so it’s not an issue that you can find them on the dark web. The issue arises from the fact that German politicians used their official emails to create accounts with external websites and services that later suffered breaches. The most common service providers these politicians signed up for in this way include Dropbox, LinkedIn, Adobe, and news services. We also found less reputable sources for the breaches, including four adult websites.
Politicians put data, accounts at risk
We also found much more personal information, including dates of birth, residence addresses, social media accounts, and more. We’re not sharing any identifying information for obvious reasons, but by using their official email addresses to create accounts, these politicians have made it easy for attackers to identify their accounts and corresponding data, potentially putting them at risk of phishing or blackmail.
We also found 220 exposed passwords. This includes 153 passwords in plaintext that are linked to 54 politicians. That’s 153 accounts that attackers could take over (assuming the politicians haven’t applied two-factor authentication). If these politicians reused exposed passwords for government systems, they could also be at risk.
We informed every affected politician that they had sensitive data exposed on the internet before we published this article, but all of this information has been for sale on the dark web.

Even state-level politicians can be targets
Despite the overall impressive performance of German state-level politicians, there are three states where parliament members need to improve their cybersecurity.

The politicians in Rheinland-Pfalz, Nordrhein-Westfalen, and Sachsen-Anhalt had the most overall exposed email addresses, with 48 (48% of parliament members), 87 (45% of parliament members), and 61 (67% of parliament members), respectively. Nordrhein-Westfalen’s results were pushed higher by one individual who had their government email address exposed 24 times in various dark web databases, the most of any German politician. The same is true of Rheinland-Pfalz, which is home to the politician with the most exposed passwords: 14 (all in plaintext).

While it’s tempting to view local politicians as unlikely targets, the reality is German officials at every level and in every sphere have been subject to intense cyberattacks in the past several years. In 2024 alone, the Frankfurt University of Applied Sciences and the Hochschule Kempten were forced to close due to cyberattacks, the Bavarian pharmaceutical giant AEP was paralyzed by a ransomware attack, and the Social Democratic party was hacked (authorities accused APT28, a hacking group with ties to Russia, of carrying out this last attack). This January, a white hat hacker broke into D-Trust, one of the companies that creates electronic health certificates for the government as well as other sensitive ID documents.
How we can all be more secure online
Ever since Germany expressed staunch support for Ukraine, Russia and its affiliated hacker groups have been subjecting German institutions to persistent cyberattacks. In this context, it’s even more concerning that roughly 50% of the politicians in Rheinland-Pfalz and Sachsen-Anhalt put their accounts and other data at risk by using their government email addresses.
Your email address is your digital ID, used to create nearly all your online accounts. If you use the same email address for all your accounts, then all those accounts (and their corresponding data) can be linked together. If you use an email that can easily be linked to you (or worse, to a government office), you make it easy for attackers to create convincing phishing attacks.
The solution is to reveal as little personally identifiable information as possible at any given time. These politicians should never have created online accounts using their government email addresses as it ties their potentially sensitive online activity to an identity attackers will instantly recognize as a high-value target. Breaches happen all too frequently. Once this information is out, the only solution is to change your accounts and be vigilant for phishing attacks.
Here are some other easy steps that everyone — but especially politicians and other high-profile or public figures — can take to strengthen their account security:
- Use email aliases: Email aliases hide your real email address while still letting you send and receive emails. You can even create a new alias for each account, allowing you to delete aliases exposed in leaks without needing to reset all your accounts.
- Use a password manager: A password manager makes it easy to generate and store strong, unique passwords for each account. It should also provide ways to securely share passwords so you don’t need to write them down or rely on other insecure methods.
- Use dark web monitoring services: Each week brings news of a major breach. While there’s nothing you can do to prevent this, a dark web monitoring service can alert you if your information appears in illegal marketplaces. This allows you to change your email address (or email alias) and password before anyone can break into your account.
Proton Pass is a simple solution that provides all of these services. If you choose our Proton Pass Plus plan, you get:
- Unlimited hide-my-email aliases
- A password generator
- Support for passkeys
- A built-in two-factor authentication code generator
- Pass Monitor, which alerts you if your Proton Mail email addresses or aliases appear on the dark web
- Proton Sentinel, which defends your Proton Account against takeover attacks
Protect your email address, your accounts (and, if you’re a politician, national secrets) by signing up for a Proton Pass Plus plan today.