The email addresses and other sensitive information of 4,239 British, EU, French, Italian, and Spanish politicians and US political staffers have been leaked to dark web marketplaces where data is illegally bought and sold. As part of our initial investigation with Constella Intelligence(nieuw venster) in May 2024, we searched the dark web for 2,280 official government email addresses from the British Parliament, European Parliament, and French Parliament. We found that around 40% had been exposed, along with passwords, birth dates, and more.
In September 2024, we expanded this investigation to examine how many US political staffers’ email addresses are on the dark web. (We did not include the email addresses of US politicians, as they’re not always publicly available.) We searched for over 16,000 staffers’ emails.
In October 2024, we added Italy and Spain to our investigation, searching for the official email addresses of 609 members of the Italian Parliament and 615 members of the Spanish Parliament.
British MPs fared the worst, with over two-thirds (68%) of checked email addresses appearing on the dark web, followed by nearly half (44%) of EU MEPs, roughly 20% of US political staffers, 18% of French politicians, and roughly 15% of Italian politicians. Spanish politicians have had by far the fewest breaches so far with only 6% of searched emails appearing in hacker exchanges.
The fact that these emails, which are publicly available on government websites, are on the dark web isn’t a security failure by itself. Nor is it evidence of a hack of the British, European, French, Italian, or Spanish parliaments or the US Congress. Instead, it shows that politicians and staffers used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they’re entrusted to keep safe needlessly at risk.
Even more concerning is that these email addresses were matched with 2,754 passwords in plain text across all the researched regions. (Proton informed every affected politician and staffer that they had sensitive data exposed on the internet before publishing this article). If a politician or staffer reused one of these exposed passwords to protect their official email account, it could also be at risk.
Many of these politicians are in senior positions, including heads of committees, government ministers, and senior opposition leaders, and have access to highly sensitive information. Even worse, several of them are currently serving or have formerly served on committees charged with overseeing and enforcing national (and international) digital strategies. And many of the staffers serve politicians in equally prominent positions and also have access to sensitive information.
While we aren’t publishing any identifiable data to avoid putting individuals at risk, we can reveal that our investigation showed elected politicians and their staff regularly used their official emails to sign up for services like LinkedIn, Adobe, Dropbox, Dailymotion, petition websites, news services, and even, in a small number of cases, dating websites.
Below, we share the full results of our investigation, what this lax attitude toward cybersecurity could lead to, and what politicians, their staff, and everyone else can do to improve their online security.
- Politicians’ and staffers’ data exposed
- French politicians outperform other elected officials
- Most British politicians have been breached
- The EU is also a target
- Thousands of US politicians’ staffers are exposed
- Italian politicians have a password problem
- Spanish politicians have by far the fewest breaches
- Cybersecurity is national security
- Simple steps can make us all more secure
Politicians’ and staffers’ data exposed
In our investigation, we unfortunately found all kinds of sensitive information linked to politicians’ emails, including their date of birth, the address of their residences, and social media accounts. Taken together, this information gives attackers plenty of details to make convincing phishing attacks.
| Number of email addresses searched | Number of breached email addresses | Number of passwords exposed | Number of passwords exposed in plaintext | |
|---|---|---|---|---|
| EU Parliament | 705 | 309 | 161 | 27 |
| British Parliament | 650 | 443 | 216 | 30 |
| French Parliament | 925 | 166 | 320 | 137 |
| US political staffers | 16,543 | 3,191 | 2,975 | 1,848 |
| Italian Parliament | 609 | 91 | 195 | 188 |
| Spanish Parliament | 615 | 39 | 14 | 9 |
French politicians outperform other elected officials
As previously mentioned, only 18% of the French politicians’ emails we searched for appeared in dark web exchanges. However, these breaches aren’t evenly distributed. In the French Senate, 115 of the 348 (33%) senators’ emails we searched for were exposed, compared to only 51 out of 577 (roughly 9%) for deputies in the National Assembly.
If a French politician was breached, their information appeared in an average of 7.8 breaches. If this number seems high, it’s undoubtedly because France is home to the single politician who suffered the most breaches of their email address (137) and had the most passwords exposed in plaintext (133).
France is also home to an example of the worst-case scenario actually happening. In November 2023, journalists discovered that an attacker stole the username and password to a member of Parliament’s email address and sold access to their official inbox on the dark web(nieuw venster). Perhaps the most surprising aspect of this story is that the asking price was only $150 (€138).
Just over a month before the Paris Olympics begin, these results highlight concerns around politicians’ cybersecurity practices, where just one breach could be a serious national security threat.
Most British politicians have been breached
According to our findings, British MPs are fortunate not to have suffered a major scandal involving account takeovers, as 68% of searched email addresses were found on the dark web, including senior figures both in the government and the opposition. MPs’ email addresses were exposed a total of 2,110 times on the dark web, with the most frequently targeted MP experiencing up to 30 breaches. They also showed up repeatedly, with the average breached MP having their details show up in 4.7 breaches.
The UK has repeatedly been targeted by state-backed cyberattacks, including from Russia. In December 2023, the UK government accused Russia(nieuw venster) of a “years-long cyberattack” on British academics, politicians, and policymakers. It claimed Russia’s FSB was attempting to phish these individuals to spy on their private emails.
With the upcoming general election taking place in the UK, it’s vital that new MPs take their personal — and national — cybersecurity seriously and adhere to strict security processes and protocols for official accounts.
The EU is also a target
While members of the European Parliament suffered fewer breaches than their British peers, nearly half of the emails we searched for appeared on the dark web. Of the 309 MEPs exposed, 92 were caught up in 10 or more leaks. Politicians in Brussels had their email addresses exposed 2,311 times, along with 161 passwords in plaintext. This is a red alert, as the European Parliament has increasingly become a target of sophisticated attacks and has admitted it’s not prepared.
When Politico(nieuw venster) asked about the security of the European Parliament and upcoming elections, an anonymous staffer (who wished to remain nameless due to the sensitivity of the issue) said, “We’re standing with our bare bottoms out and if anyone wants to hack us, like any Chinese threat actor or any state actor, they can”.
The threats are real. In February, two members and a staffer of the European Parliament’s security and defense subcommittee found spyware on their smartphones(nieuw venster). And in March, it was revealed that APT31 (also known as Judgment Panda), a hacking group with ties to Chinese intelligence agencies, was the likely suspect behind an attempted hack of every European Union member(nieuw venster) of the Inter-Parliamentary Alliance on China, a coalition of lawmakers critical of the Chinese government.
Thousands of US politicians’ staffers are exposed
We performed the same dark web monitoring for the staffers of US politicians as we did for European politicians (we did not include politicians themselves as their emails aren’t always made public). These staffers have access to reams of sensitive information, and some hold security clearances(nieuw venster) to access confidential information.
While roughly 20% of the 16,543 email addresses we searched for appeared on the dark web, that still means that 3,191 staffers for US representatives and senators have accounts at risk. We also found 1,848 passwords in plaintext alongside these email addresses, representing an incredible number of accounts that could be compromised.
Nearly 300 congressional staffers had their details exposed in more than 10 leaks, and one of these individuals had 31 passwords in exposed plaintext on the dark web (the most we found among US political staffers). At the very least, these compromised accounts could provide attackers with plenty of information for convincing social engineering attacks.
This is concerning because Washington DC has been one the main targets for attackers around the globe for over a decade. Earlier this year, an unknown attacker attempted to phish dozens of senators(nieuw venster) with text messages purporting to be from the White House and Senate Majority Leader Chuck Schumer. In 2023, the Washington Post(nieuw venster) reported on Vietnamese state actors attempting to compromise Congressional devices with malicious links shared on X (formerly Twitter). In 2018, the Russian hackers known as “Fancy Bear” were accused of attempting to gain access to at least three congressional candidates’ messages and emails(nieuw venster). And of course, Hillary Clinton’s campaign chief, John Podesta, had his email hacked(nieuw venster) during the 2016 presidential election.
The fact that so many US political staffers’ login information is available on the dark web coupled with the volume of attacks they face makes it likely that at least some of these accounts have been compromised. As the USA approaches another contentious election cycle, US political staffers’ cybersecurity practices are a matter of national security.
Even if you’re not a politician, having your email address leaked can put your accounts and data at risk. Email aliases are an easy solution. Keep your real email private, obscure who you are, and turn off aliases that are compromised with a single click. Get a Proton Pass Plus plan to get unlimited email aliases.
Italian politicians’ email addresses may be safe, but their passwords are not.
A total of 402 instances of email exposure for Italian politicians were found on the dark web, including multiple occurrences of the same addresses. In comparison, British MPs had their emails exposed 2,110 times — over five times more — despite the British House of Commons and the Italian Parliament having a similar number of members.
As in previous investigations, a notable difference in breaches was observed between the two houses of the Italian Parliament. At least one email address was found for 73 of the 400 members of the Assembly (18.2%) but only for 18 of the 209 Senators (8.6%). This contradicts the trend seen in the French Parliament, where 8.8% of the National Assembly had an email address exposed, compared to 33% of the Senate.
Italian politicians also had the most plaintext passwords exposed in Europe (188), despite having only 195 total password exposures. This, combined with the small size of the Italian Parliament, indicates some politicians may be using outdated or unreliable websites.
These exposed email addresses and passwords present significant vulnerabilities that attackers can exploit. The internet has become a key battleground in geopolitics, with Italian politicians and government agencies repeatedly targeted by Russian state-sponsored actors. In May 2023, the pro-Russian group Killnet claimed responsibility for DDoS attacks(nieuw venster) on Italy’s parliament, military, National Institute of Health, and other government sites. By August 2023, another pro-Russian group, NoName057(16), attacked(nieuw venster) several major Italian banks, and in May 2024, it targeted the websites of Prime Minister Giorgia Meloni(nieuw venster) and the Ministries of Infrastructure and Enterprise.
These attacks demonstrate that Russian actors will continue to test Italian officials as long as they support Ukraine.
Spanish politicians have the fewest data leaks we’ve found so far
Only 6.3% of Spain’s politicians had their information exposed on the dark web, the lowest percentage we’ve seen in our investigations so far. Specifically, 29 of the 350 members of the Spanish Congress and 10 of the 265 members of the Senate had their details leaked. Remarkably, only nine passwords were found in plaintext.
We found Spanish politicians’ outlier performance hard to explain, so we reached out to Ainoa Guillén Gonzalez, a cybersecurity expert based in Madrid and the co-founder of SyndiK8, a cybercrime and threat intelligence research firm. She was slightly surprised by the results, but thinks labor and social movements and how they organize online influenced Spanish politicians’ approach to cybersecurity. “In the early 2010s in Spain, many strikes and protests were organized using Twitter, using social media, using email. Spanish politicians saw this and they also saw how the police and companies monitored social media in an attempt to control these movements. This taught the politicians very quickly the importance of good cybersecurity. And then later on, the Pegasus hacking scandal(nieuw venster) reinforced these lessons all over again.”
In 2022, cybersecurity experts detected Pegaus spyware(nieuw venster) on the devices of 63 individuals involved in the Catalan independence movement, including then-president of Catalonia Pere Aragonès. Shortly after, the Spanish government revealed that both the prime minister and defense minister had devices infected with Pegasus malware. It was later revealed that this surveillance had taken place over several years, from 2017 to 2020, with at least 18 Catalan figures being monitored with judicial approval. As a consequence, the head of Spanish intelligence resigned(nieuw venster). Although the investigation was closed(nieuw venster) in 2023 due to a lack of cooperation from Israel, Spain’s highest court ordered prosecutors to reopen the case(nieuw venster) in 2024 after receiving new information from French authorities (including claims that French President Emmanuel Macron had also been targeted).
While these events had to have influenced Spanish politician’s attitudes toward cybersecurity, they’re hardly unique. French politicians, to name just one group, likely saw authorities monitor protestors organizing on social media, and they suffered far more breaches. US political staffers lived through the hack of John Podesta’s emails(nieuw venster), the campaign manager for Hillary Clinton during the 2016 presidential election, one of the most infamous hacks of recent times, and 20% of their email addresses still appeared on the dark web.
Cybersecurity is national security
In our investigation, the affected politicians generally had their details leaked by service providers, like LinkedIn or Adobe. Even if a hostile takeover of one of these accounts won’t grant an attacker (or foreign government) access to state secrets, it could reveal that politician’s private communications or other sensitive data. Attackers could then use this information to phish or blackmail the politicians.
And this is the best possible scenario. If a breached politician reused a password that was exposed on the dark web on one of their official accounts (and failed to use two-factor authentication(nieuw venster)), it could let attackers into government systems.
Sadly, it only takes one error to put your online information at risk. And for a government, it only takes one set of hacked or leaked login credentials to expose classified secrets.
Simple steps can make us all more secure
The internet creates an almost impossible conundrum: It’s almost impossible to go through your day-to-day life without being online, but maintaining your security online is just as difficult. And politicians are just humans like the rest of us. They make mistakes too. And sometimes, even if you do everything right, your information can still end up in hacker databases.
Large companies clearly also deserve a large portion of the blame. As the endless(nieuw venster) onslaught(nieuw venster) of data(nieuw venster) breaches(nieuw venster) demonstrates(nieuw venster), they must take better care of the account information they collect. However, government officials, especially lawmakers with access to sensitive government information, must have a more robust threat model than the average person. This applies to any public figure — whether an academic, journalist, business executive, etc.
To begin with, no one should use their professional email to create online accounts, especially government officials who have access to secret information. Your email address is your online identity, something that allows Big Tech, advertisers, and sometimes even malicious attackers to follow you around the internet. Using your official government email address for accounts is like shouting, “I am a valuable target”, every time you walk into a room.
Here are some simple steps that everyone, but especially politicians and anyone else under public scrutiny, should adopt if they’re serious about increasing their account security:
- Use email aliases – Email aliases obscure who an account belongs to (at least if the alias is exposed in a breach). You can also easily delete an alias that has clearly been leaked or fallen into the wrong hands without affecting your real email address or other aliases.
- Use a password manager – A password manager may not prevent services from leaking passwords in plaintext, but it can ensure that each of your accounts is protected with a strong, random, unique password. A good password manager should also make sharing and managing passwords easy, making it less likely you’ll expose a password by writing it down.
- Use dark web monitoring services – You can do everything correctly and still have your information exposed online by a careless company’s data breach. But if you have dark web monitoring, you’ll be informed the moment your information is detected, letting you change your email address (or, ideally, your email alias) and password before attackers can use it.
Proton Pass can solve all of these problems. If you choose our Proton Pass Plus plan, you get:
- Unlimited hide-my-email aliases
- A password generator
- Support for passkeys
- A built-in two-factor authentication code generator
- Pass Monitor, which alerts you if your Proton Mail email addresses or aliases appear on the dark web
- Proton Sentinel, which defends your Proton Account against takeover attacks
Take control of your account security (and, if you’re a parliamentarian, help avert a national scandal) by signing up for a Proton Pass Plus plan today.
