In the latest installment of our investigation with Constella Intelligence(nouvelle fenêtre) into the cybersecurity risks politicians face, we found that 41% of Danish members of parliament have had their official email address exposed on the dark web, one of the highest percentages in the EU. We also looked at the Dutch and Luxembourgish parliaments, which had 18% and 16% of their members’ email addresses exposed, respectively.
Read the original report, which has all our findings to date
The email addresses of Danish, Dutch, and Luxembourgish politicians are available publicly (this is how we found them), so the fact that we found them in dark marketplaces where info is illegally bought and sold isn’t, in itself, a security failure. We’re also not suggesting these parliaments suffered a cyberattack or that this information was stolen. In the vast majority of cases, these official email addresses ended up on the dark web as part of a data breach by a common service provider, like Adobe, Dailymotion, Dropbox, LinkedIn, or news services.
However, these politicians should never have used their official email addresses to create such an account. This makes it easy for attackers to quickly identify politicians’ accounts. Next, they can check if any passwords are associated with these email addresses. Between the Danish, Dutch, and Luxembourgish politicians we looked at, we found 139 passwords in plaintext. That’s potentially 139 compromised accounts — and it could be many more if any of these politicians reused exposed passwords elsewhere.
We explore the Danish, Dutch, and Luxembourgish leaks in greater detail below and explain why politicians must take their cybersecurity seriously.
Politicians’ data exposed
We found much more than just emails and passwords during this investigation. While we’re not sharing any identifying information for obvious reasons, sensitive information like dates of birth, residence addresses, and social media accounts were linked to these politicians’ email addresses. (We also informed every affected politician that they had sensitive data exposed on the internet before publishing this article.)
Attackers can easily buy this information and use it to create convincing phishing campaigns or social engineering attacks.
Number of email addresses searched | Number of breached email addresses | Number of passwords exposed | Number of passwords exposed in plaintext | |
---|---|---|---|---|
Danish Parliament | 179 | 74 | 93 | 69 |
Dutch Parliament | 225 | 41 | 35 | 32 |
Luxembourgish Parliament | 60 | 10 | 43 | 38 |
Over 40% of Danish politicians have email addresses leaked
At 41%, Danish politicians have one of the highest rates of email address breaches in Europe. The email addresses of 74 of the 179 members of the Danish parliament appear a total of 555 times on the dark web. One politician had their email address exposed in 25 separate breaches, along with eight passwords exposed in plaintext. This should be a major concern as Danish politicians and infrastructure have been the target of significant cyberattacks.
In June 2024, the Danish Center for Cyber Security(nouvelle fenêtre) raised the threat level for cyberattacks to “Medium”, or three out of five, specifying that this was largely due to the threats from Russia. This follows an attack in May 2023 where the Russian hacker group NoName057(16) took the Danish Parliament’s website offline(nouvelle fenêtre) with a DDoS attack. Immediately after this attack, another hacking group exploited a zero-day vulnerability in un-updated firewalls to attack 22 organizations that operate and oversee Denmark’s energy infrastructure(nouvelle fenêtre) in the largest cyberattack in Denmark’s history. The main suspect is Sandworm (also known as Voodoo Bear and Seashell Blizzard), a hacking group affiliated with Russia’s intelligence service that performed similar attacks on Ukraine’s energy infrastructure.
The Netherlands’ lower house of parliament has three times as many breaches as the upper house
While Dutch politicians had relatively few email addresses exposed on the dark web overall (18%), there is a major discrepancy between the lower house (Tweede Kamer) and the upper house (Eerste Kamer). We searched for all 150 Tweede Kamer members’ email addresses and found 36 of them, or 24%. Meanwhile, out of the 75 members of the Eerste Kamer, we found the official email addresses for only five, roughly 6.7%. It’s the second largest disparity between houses we’ve seen in our investigation — only France has a higher one. There, 8.8% of the National Assembly had their email address exposed compared to 33% of the Senate.
The Netherlands has suffered multiple cyberattacks targeting critical networks. In September 2024, an unspecified “state actor” accessed the work-related contact information of all 63,000 members of the Dutch police force(nouvelle fenêtre). Just three months earlier, as the elections for the EU Parliament began in June, the Russian hacker group HackNeT took down two Dutch political parties’ websites(nouvelle fenêtre) using DDoS attacks. And in February 2024, authorities revealed that Chinese hackers had broken into the Dutch military’s network(nouvelle fenêtre). This represents multiple failures to protect sensitive information in the span of a year, underlining why politicians must be careful.
Luxembourg politicians have most passwords exposed per individual
Luxembourg has a relatively small parliament, but we still only found the official email addresses of 10 of its 60 members on the dark web (16%). However, Luxembourgish politicians have had a lot of passwords exposed and in plaintext — 38 to be exact — more than the entire Dutch parliament. However, this seems to be driven by one politician who had 29 of their passwords exposed in plaintext. While this is high and a major security vulnerability — each plaintext password is potentially a compromised account — it’s still nowhere near the worst offender we found in our investigation. That remains the French politician who had 138 passwords appear in plaintext on the dark web (their email appeared 137 times as well).
Similar to other countries we’ve looked at, Luxembourg has had multiple government websites taken down due to DDoS attacks by Russian hackers. For one two-week stretch in 2024, from the end of March through the beginning of April, Russian hackers attacked websites(nouvelle fenêtre) for the ministries of finance and justice, Luxembourg’s official statistics agency, and its national health fund, taking them offline repeatedly(nouvelle fenêtre).
We all must be more secure online – but especially government officials
As the examples above show, state actors affiliated with China and Russia are persistently probing European countries for any cracks in their cybersecurity. Even if none of these exposed email addresses leaked confidential information, they could be added to attackers’ databases, giving them one more piece of information they can leverage. And if a politician reused an exposed password on an official account (and neglected to use two-factor authentication), that could directly lead to a massive leak.
We can all learn from this. One of the biggest things to take away is you should never expose any personally identifiable information unnecessarily. Or, in this case, you should never use your professional email to create online accounts, especially if you’re a government official with access to secret information. Breaches happen all the time. If you create accounts using a government email, it’s only a matter of time before one will be leaked in a data breach. Then attackers instantly know they have information on a high-value target.
Here are some other easy steps that everyone — but especially politicians and other high-profile or public figures — can take to strengthen their account security:
- Use email aliases: Email aliases hide your real email address while still letting you send and receive emails. If you never share your real email address, it can’t be leaked in a data breach. You can also delete aliases that have been exposed in leaks without needing to reset all your other accounts.
- Use a password manager: A password manager makes it easy for you to use a strong, random, and unique password for each of your accounts. It should also provide ways to securely share passwords, making it easier to avoid having them fall into the wrong hands.
- Use dark web monitoring services: Given how much trust we’re forced to give the companies we create accounts for, everyone should use some form of dark web monitoring to alert you if your information appears in these illegal marketplaces. This at least gives you a chance to update your email (or email alias) and password before anyone can exploit it.
Proton Pass can solve all of these problems. If you choose our Proton Pass Plus plan, you get:
- Unlimited hide-my-email aliases
- A password generator
- Support for passkeys
- A built-in two-factor authentication code generator
- Pass Monitor, which alerts you if your Proton Mail email addresses or aliases appear on the dark web
- Proton Sentinel, which defends your Proton Account against takeover attacks
Take control of your account security (and, if you’re a parliamentarian, help avert a national scandal) by signing up for a Proton Pass Plus plan today.