Far fewer Italian and Spanish politicians have had personal details leaked onto the dark web than their European counterparts. We found the official emails of 91 out of 609 Italian politicians (nearly 15%) and only 39 out of 615 Spanish politicians (roughly 6%) on dark web marketplaces where such information is illegally bought and sold.
We worked with Constella Intelligence(nowe okno) on this investigation, which is part of our ongoing series examining the cybersecurity practices of lawmakers worldwide. Our original report found that roughly 44% of EU MEPs, 18% of French deputies and senators, 68% of UK MPs, and 20% of US political staffers had their email addresses and other sensitive details exposed on the dark web, all of which surpass the numbers out of Italy and Spain.
Read the original report, which has all our findings to date(nowe okno)
The email addresses of Italian and Spanish politicians are publicly available, so the fact that they’re being sold on the dark web isn’t a security failure, nor does it suggest that the Italian or Spanish parliaments were hacked. The email addresses and other sensitive data we found were typically leaked in a breach by common service providers, like Adobe, Dailymotion, Dropbox, LinkedIn, or news services (or, in some cases, dating websites).
The fact that politicians used their official email for these accounts is where the security failure occurred, as it makes it easy for attackers to identify the accounts of high-value targets. Additionally, 197 passwords associated with Italian and Spanish politicians were exposed in plaintext. If any of these politicians reused an exposed password to secure an official account, it could also be at risk.
We explore the Italian and Spanish leaks in greater detail below and explain what their potential ramifications could be.
Politicians’ data exposed
We found multiple types of sensitive information linked to politicians’ emails during this investigation, including dates of birth, residence addresses, and social media accounts. Attackers can use this information to create convincing phishing attacks targeting the person whose data leaked or their staffers and colleagues.
| Number of email addresses searched | Number of breached email addresses | Number of passwords exposed | Number of passwords exposed in plaintext | |
|---|---|---|---|---|
| Italian Parliament | 609 | 91 | 195 | 188 |
| Spanish Parliament | 615 | 39 | 14 | 9 |
Italian politicians’ email addresses are safe, passwords are not
Italian politicians had their emails exposed a total of 402 times on the dark web (this includes email addresses that appear multiple times). Meanwhile, British MPs had their email addresses exposed a total of 2,110 times — over five times more — even though the British House of Commons has roughly the same number of members as the Italian Parliament.
As in our previous investigation, we can see a disparity in the number of breaches between the two houses of the Italian Parliament. We found at least an email address for 73 of the 400 members of the Assembly (18.2%) and only 18 of the 209 members of the Senate (8.6%). Interestingly, this is a reversal of the trend we found with the French Parliament, where 8.8% of the National Assembly had at least their email address exposed compared to 33% of the Senate.
Also, Italian politicians have the most passwords exposed in plaintext in Europe (188) despite only having 195 passwords exposed overall and the fewest members of any parliament. This suggests that at least a few Italian politicians use dangerously outdated or untrustworthy websites.
These exposed email addresses and passwords are important because they are a vulnerability that attackers could exploit. The internet has become a new front in geopolitics, and Italian politicians and government agencies have been targeted repeatedly, particularly by Russian state-backed actors. In May 2023, the pro-Russian group Killnet claimed responsibility for DDoS attacks(nowe okno) on the websites of Italy’s parliament, military, National Institute of Health, and other government agencies. In August 2023, the pro-Russian group NoName057(16) committed DDoS attacks(nowe okno) on many of Italy’s major banks. In May 2024, NoName057(16) again took credit for attacks(nowe okno) on the websites of PM Giorgia Meloni, the Ministry of Infrastructure, and the Ministry of Enterprise.
These attacks show that Russian actors will be interested in testing and embarrassing Italian officials as long as they offer support to Ukraine.
Spanish politicians have the fewest leaks so far
Only 6.3% of Spanish lawmakers had their details exposed on the dark web, the lowest percentage of all the politicians we’ve looked at. Only 29 of the 350 members of the Spanish Congress and a minuscule 10 of the 265 members of the Senate had their details exposed. Even more impressive, we only found nine passwords exposed in plaintext.
We reached out to a Spanish cybersecurity expert to see if there was an explanation for Spain’s outlier performance. Ainoa Guillén Gonzalez, who is based in Madrid and the co-founder of SyndiK8, a cybercrime and threat intelligence research firm, was somewhat surprised by the results, but thinks Spanish politicians learned to prioritize their cybersecurity after observing what happened to labor and social movements that were organized online. “In the early 2010s in Spain, many strikes and protests were organized using Twitter, using social media, using email. Spanish politicians saw this and they also saw how the police and companies monitored social media in an attempt to control these movements. This taught the politicians very quickly the importance of good cybersecurity. And then later on, the Pegasus hacking scandal(nowe okno) reinforced these lessons all over again.”
In 2022, cybersecurity experts discovered the phones of 63 people involved in the Catalan independence movement had been infected with Pegasus spyware(nowe okno) (and two individuals had been targeted), including the then-regional Catalan president, Pere Aragonès. A short while later, the Spanish government discovered the prime minister and defense minister(nowe okno) also had Pegasus malware on their devices. It later came to light that this surveillance had gone on for years, between 2017 and 2020, and at least 18 of the Catalans had been surveilled with judicial approval. As a result, the Spanish intelligence chief resigned(nowe okno). In 2023, the investigation was closed(nowe okno) due to Israel’s unwillingness to cooperate, but in 2024, Spain’s highest court ordered prosecutors to reopen the case(nowe okno) after receiving new information from French officials (French President Emmanuel Macron was allegedly also targeted).
It’s hard to imagine these events didn’t have a massive impact on Spanish politician’s attitudes toward cybersecurity. However, French politicians likely saw the same kind of surveillance of protests, and they had far more information exposed. In the US, the hack of John Podesta’s emails(nowe okno), Hillary Clinton’s campaign manager during the 2016 presidential election, is arguably the most famous hack of recent memory, and 20% of US staffers’ email addresses still appeared on the dark web.
We should all be concerned about politicians’ breaches
Even if none of the accounts linked to the breaches listed above give attackers access to state secrets, each one is still a real problem that policymakers should take seriously. These accounts could reveal politicians’ private communications or other personal information, like schedules or social networks, that attackers could use for phishing attacks or blackmail.
If a politician reused the same password on multiple accounts and their password was exposed in a breach (and failed to use two-factor authentication(nowe okno)), that could potentially put confidential information at risk.
How we can all be more secure online
Cybersecurity is a constantly shifting battle. New defenses lead to new attacks that require experts to develop new defenses again. Still, there are simple steps we can all take to be more safe online. In this case, the first step is the most obvious — No one should use their professional email to create online accounts, especially government officials who have access to secret information. Breaches happen with frightening regularity, and if you use a government email, attackers instantly know they have information on a high-value target.
Here are some straightforward steps that everyone — but especially politicians and other high-profile or public figures — should take to strengthen their account security:
- Use email aliases: Email aliases mask the true owner of an account, preventing your real email from being exposed in a breach. You can quickly delete aliases that have been compromised without affecting your primary email or other aliases.
- Use a password manager: While a password manager can’t improve the security of the services you sign up for, it can ensure that each of your accounts has a strong, random, and unique password. A good password manager also simplifies password sharing and management, reducing the risk of exposing passwords by writing them down.
- Use dark web monitoring services: Even if you follow all cybersecurity best practices, your information can still be exposed through a company’s data breach. Dark web monitoring alerts you if your information appears online, allowing you to update your email (or better yet, your email alias) and password before attackers can exploit it.
Proton Pass(nowe okno) can solve all of these problems. If you choose our Proton Pass Plus plan, you get:
- Unlimited hide-my-email aliases(nowe okno)
- A password generator
- Support for passkeys(nowe okno)
- A built-in two-factor authentication code generator
- Pass Monitor(nowe okno), which alerts you if your Proton Mail email addresses or aliases appear on the dark web
- Proton Sentinel(nowe okno), which defends your Proton Account against takeover attacks
Take control of your account security (and, if you’re a parliamentarian, help avert a national scandal) by signing up for a Proton Pass Plus plan today.
