The email addresses and other sensitive information of 918 British MPs, members of the European Parliament, and French deputies and senators have been leaked to dark web marketplaces where data is illegally bought and sold. As part of our investigation with Constella Intelligence(new window), we searched the dark web for 2,280 official government email addresses from the British Parliament, European Parliament, and French Parliament. We found that around 40% had been exposed, along with passwords, birth dates, and more.
British MPs fared the worst, with over two-thirds (68%) of checked email addresses appearing on the dark web, followed by nearly half (44%) of EU MEPs. French deputies and senators had the best security, with only 18% of searched emails appearing in hacker exchanges.
The fact that these emails, which are publicly available on government websites, are on the dark web isn’t a security failure by itself. Nor is it evidence of a hack of the British, European, or French parliaments. Instead, it shows that politicians used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they’re entrusted to keep safe needlessly at risk.
Even more concerning is that these email addresses were matched with 697 passwords in plain text. (Proton informed every affected politician that they had sensitive data exposed on the internet before publishing this article). If a politician reused one of these exposed passwords to protect their official email account, it could also be at risk.
We’ve seen the havoc that a single compromised email account can wreak. During the 2016 US presidential election, Hillary Clinton’s chief of staff famously fell for a phishing attack(new window) and had his emails exposed, revealing embarrassing messages(new window) and providing fodder for all manner of speculation(new window). Imagine the chaos attackers could create if they were able to gain access to a fraction of these politicians’ official email accounts.
Many of these MPs, MEPs, deputies, and senators are in senior positions, including heads of committees, government ministers, and senior opposition leaders, and have access to highly sensitive information. Even worse, several of them are currently serving or have formerly served on committees charged with overseeing and enforcing national (and international) digital strategies.
While we aren’t publishing any identifiable data to avoid putting individuals at risk, we can reveal that our investigation showed elected politicians regularly used their official emails to sign up for services like LinkedIn, Adobe, Dropbox, Dailymotion, petition websites, news services, and even, in a small number of cases, dating websites.
Below, we share the full results of our investigation, what this lax attitude toward cybersecurity could lead to, and what politicians (and everyone else) can do to improve their online security.
Politicians’ exposed data
In our investigation, we unfortunately found all kinds of sensitive information linked to politicians’ emails, including their date of birth, the address of their residences, and social media accounts. Taken together, this information gives attackers plenty of details to make convincing phishing attacks.
| Number of email addresses searched | Number of breached email addresses | Number of passwords exposed | Number of passwords exposed in plaintext | |
|---|---|---|---|---|
| EU Parliament | 705 | 309 | 161 | 27 |
| British Parliament | 650 | 443 | 216 | 30 |
| French Parliament | 925 | 166 | 320 | 137 |
French politicians outperform other elected officials
As previously mentioned, only 18% of the French politicians’ emails we searched for appeared in dark web exchanges. However, these breaches aren’t evenly distributed. In the French Senate, 115 of the 348 (33%) senators’ emails we searched for were exposed, compared to only 51 out of 577 (roughly 9%) for deputies in the National Assembly.
If a French politician was breached, their information appeared in an average of 7.8 breaches. If this number seems high, it’s undoubtedly because France is home to the single politician who suffered the most breaches of their email address (137) and had the most passwords exposed in plaintext (133).
France is also home to an example of the worst-case scenario actually happening. In November 2023, journalists discovered that an attacker stole the username and password to a member of Parliament’s email address and sold access to their official inbox on the dark web(new window). Perhaps the most surprising aspect of this story is that the asking price was only $150 (€138).
Just over a month before the Paris Olympics begin, these results highlight concerns around politicians’ cybersecurity practices, where just one breach could be a serious national security threat.
Most British politicians have been breached
According to our findings, British MPs are fortunate not to have suffered a major scandal involving account takeovers, as 68% of searched email addresses were found on the dark web, including senior figures both in the government and the opposition. MPs’ email addresses were exposed a total of 2,110 times on the dark web, with the most frequently targeted MP experiencing up to 30 breaches. They also showed up repeatedly, with the average breached MP having their details show up in 4.7 breaches.
The UK has repeatedly been targeted by state-backed cyberattacks, including from Russia. In December 2023, the UK government accused Russia(new window) of a “years-long cyberattack” on British academics, politicians, and policymakers. It claimed Russia’s FSB was attempting to phish these individuals to spy on their private emails.
With the upcoming general election taking place in the UK, it’s vital that new MPs take their personal — and national — cybersecurity seriously and adhere to strict security processes and protocols for official accounts.
The EU is also a target
While members of the European Parliament suffered fewer breaches than their British peers, nearly half of the emails we searched for appeared on the dark web. Of the 309 MEPs exposed, 92 were caught up in 10 or more leaks. Politicians in Brussels had their email addresses exposed 2,311 times, along with 161 passwords in plaintext. This is a red alert, as the European Parliament has increasingly become a target of sophisticated attacks and has admitted it’s not prepared.
When Politico(new window) asked about the security of the European Parliament and upcoming elections, an anonymous staffer (who wished to remain nameless due to the sensitivity of the issue) said, “We’re standing with our bare bottoms out and if anyone wants to hack us, like any Chinese threat actor or any state actor, they can”.
The threats are real. In February, two members and a staffer of the European Parliament’s security and defense subcommittee found spyware on their smartphones(new window). And in March, it was revealed that APT31 (also known as Judgment Panda), a hacking group with ties to Chinese intelligence agencies, was the likely suspect behind an attempted hack of every European Union member(new window) of the Inter-Parliamentary Alliance on China, a coalition of lawmakers critical of the Chinese government.
Cybersecurity is national security
In our investigation, the affected politicians generally had their details leaked by service providers, like LinkedIn or Adobe. Even if a hostile takeover of one of these accounts won’t grant an attacker (or foreign government) access to state secrets, it could reveal that politician’s private communications or other sensitive data. Attackers could then use this information to phish or blackmail the politicians.
And this is the best possible scenario. If a breached politician reused a password that was exposed on the dark web on one of their official accounts (and failed to use two-factor authentication), it could let attackers into government systems.
Sadly, it only takes one error to put your online information at risk. And for a government, it only takes one set of hacked or leaked login credentials to expose classified secrets.
Simple steps can make us all more secure
The internet creates an almost impossible conundrum: It’s almost impossible to go through your day-to-day life without being online, but maintaining your security online is just as difficult. And politicians are just humans like the rest of us. They make mistakes too. And sometimes, even if you do everything right, your information can still end up in hacker databases.
Large companies clearly also deserve a large portion of the blame. As the endless(new window) onslaught(new window) of data(new window) breaches(new window) demonstrates(new window), they must take better care of the account information they collect. However, government officials, especially lawmakers with access to sensitive government information, must have a more robust threat model than the average person. This applies to any public figure — whether an academic, journalist, business executive, etc.
To begin with, no one should use their professional email to create online accounts, especially government officials who have access to secret information. Your email address is your online identity, something that allows Big Tech, advertisers, and sometimes even malicious attackers to follow you around the internet. Using your official government email address for accounts is like shouting, “I am a valuable target”, every time you walk into a room.
Here are some simple steps that everyone, but especially politicians and anyone else under public scrutiny, should adopt if they’re serious about increasing their account security:
- Use email aliases – Email aliases obscure who an account belongs to (at least if the alias is exposed in a breach). You can also easily delete an alias that has clearly been leaked or fallen into the wrong hands without affecting your real email address or other aliases.
- Use a password manager – A password manager may not prevent services from leaking passwords in plaintext, but it can ensure that each of your accounts is protected with a strong, random, unique password. A good password manager should also make sharing and managing passwords easy, making it less likely you’ll expose a password by writing it down.
- Use dark web monitoring services – You can do everything correctly and still have your information exposed online by a careless company’s data breach. But if you have dark web monitoring, you’ll be informed the moment your information is detected, letting you change your email address (or, ideally, your email alias) and password before attackers can use it.
Proton Pass can solve all of these problems. If you choose our Proton Pass Plus plan, you get:
- Unlimited hide-my-email aliases
- A password generator
- Support for passkeys
- A built-in two-factor authentication code generator
- Pass Monitor, which alerts you if your Proton Mail email addresses or aliases appear on the dark web
- Proton Sentinel, which defends your Proton Account against takeover attacks
Take control of your account security (and, if you’re a parliamentarian, help avert a national scandal) by signing up for a Proton Pass Plus plan today.
