Proton

Relatively few Spanish and Italian politicians’ details exposed online

Far fewer Italian and Spanish politicians have had personal details leaked onto the dark web than their European counterparts. We found the official emails of 91 out of 609 Italian politicians (nearly 15%) and only 39 out of 615 Spanish politicians (roughly 6%) on dark web marketplaces where such information is illegally bought and sold. 

We worked with Constella Intelligence(new window) on this investigation, which is part of our ongoing series examining the cybersecurity practices of lawmakers worldwide. Our original report found that roughly 44% of EU MEPs, 18% of French deputies and senators, 68% of UK MPs, and 20% of US political staffers had their email addresses and other sensitive details exposed on the dark web, all of which surpass the numbers out of Italy and Spain.

Read the original report, which has all our findings to date(new window)

The email addresses of Italian and Spanish politicians are publicly available, so the fact that they’re being sold on the dark web isn’t a security failure, nor does it suggest that the Italian or Spanish parliaments were hacked. The email addresses and other sensitive data we found were typically leaked in a breach by common service providers, like Adobe, Dailymotion, Dropbox, LinkedIn, or news services (or, in some cases, dating websites). 

The fact that politicians used their official email for these accounts is where the security failure occurred, as it makes it easy for attackers to identify the accounts of high-value targets. Additionally, 197 passwords associated with Italian and Spanish politicians were exposed in plaintext. If any of these politicians reused an exposed password to secure an official account, it could also be at risk. 

We explore the Italian and Spanish leaks in greater detail below and explain what their potential ramifications could be. 

Politicians’ data exposed

We found multiple types of sensitive information linked to politicians’ emails during this investigation, including dates of birth, residence addresses, and social media accounts. Attackers can use this information to create convincing phishing attacks targeting the person whose data leaked or their staffers and colleagues.

Number of email addresses searchedNumber of breached email addressesNumber of passwords exposedNumber of passwords exposed in plaintext
Italian Parliament60991195188
Spanish Parliament61539149
Table of figures showing how much of Italian politicians' sensitive data is exposed on the dark web

Italian politicians’ email addresses are safe, passwords are not

Italian politicians had their emails exposed a total of 402 times on the dark web (this includes email addresses that appear multiple times). Meanwhile, British MPs had their email addresses exposed a total of 2,110 times — over five times more — even though the British House of Commons has roughly the same number of members as the Italian Parliament. 

As in our previous investigation, we can see a disparity in the number of breaches between the two houses of the Italian Parliament. We found at least an email address for 73 of the 400 members of the Assembly (18.2%) and only 18 of the 209 members of the Senate (8.6%). Interestingly, this is a reversal of the trend we found with the French Parliament, where 8.8% of the National Assembly had at least their email address exposed compared to 33% of the Senate.

Also, Italian politicians have the most passwords exposed in plaintext in Europe (188) despite only having 195 passwords exposed overall and the fewest members of any parliament. This suggests that at least a few Italian politicians use dangerously outdated or untrustworthy websites.  

These exposed email addresses and passwords are important because they are a vulnerability that attackers could exploit. The internet has become a new front in geopolitics, and Italian politicians and government agencies have been targeted repeatedly, particularly by Russian state-backed actors. In May 2023, the pro-Russian group Killnet claimed responsibility for DDoS attacks(new window) on the websites of Italy’s parliament, military, National Institute of Health, and other government agencies. In August 2023, the pro-Russian group NoName057(16) committed DDoS attacks(new window) on many of Italy’s major banks. In May 2024, NoName057(16) again took credit for attacks(new window) on the websites of PM Giorgia Meloni, the Ministry of Infrastructure, and the Ministry of Enterprise. 

These attacks show that Russian actors will be interested in testing and embarrassing Italian officials as long as they offer support to Ukraine.

Table of figures showing how much of Spanish politicians' sensitive data is exposed on the dark web

Spanish politicians have the fewest leaks so far

Only 6.3% of Spanish lawmakers had their details exposed on the dark web, the lowest percentage of all the politicians we’ve looked at. Only 29 of the 350 members of the Spanish Congress and a minuscule 10 of the 265 members of the Senate had their details exposed. Even more impressive, we only found nine passwords exposed in plaintext. 

We reached out to a Spanish cybersecurity expert to see if there was an explanation for Spain’s outlier performance. Ainoa Guillén Gonzalez, who is based in Madrid and the co-founder of SyndiK8, a cybercrime and threat intelligence research firm, was somewhat surprised by the results, but thinks Spanish politicians learned to prioritize their cybersecurity after observing what happened to labor and social movements that were organized online. “In the early 2010s in Spain, many strikes and protests were organized using Twitter, using social media, using email. Spanish politicians saw this and they also saw how the police and companies monitored social media in an attempt to control these movements. This taught the politicians very quickly the importance of good cybersecurity. And then later on, the Pegasus hacking scandal(new window) reinforced these lessons all over again.”

In 2022, cybersecurity experts discovered the phones of 63 people involved in the Catalan independence movement had been infected with Pegasus spyware(new window) (and two individuals had been targeted), including the then-regional Catalan president, Pere Aragonès. A short while later, the Spanish government discovered the prime minister and defense minister(new window) also had Pegasus malware on their devices. It later came to light that this surveillance had gone on for years, between 2017 and 2020, and at least 18 of the Catalans had been surveilled with judicial approval. As a result, the Spanish intelligence chief resigned(new window). In 2023, the investigation was closed(new window) due to Israel’s unwillingness to cooperate, but in 2024, Spain’s highest court ordered prosecutors to reopen the case(new window) after receiving new information from French officials (French President Emmanuel Macron was allegedly also targeted).

It’s hard to imagine these events didn’t have a massive impact on Spanish politician’s attitudes toward cybersecurity. However, French politicians likely saw the same kind of surveillance of protests, and they had far more information exposed. In the US, the hack of John Podesta’s emails(new window), Hillary Clinton’s campaign manager during the 2016 presidential election, is arguably the most famous hack of recent memory, and 20% of US staffers’ email addresses still appeared on the dark web.

We should all be concerned about politicians’ breaches

Even if none of the accounts linked to the breaches listed above give attackers access to state secrets, each one is still a real problem that policymakers should take seriously. These accounts could reveal politicians’ private communications or other personal information, like schedules or social networks, that attackers could use for phishing attacks or blackmail.

If a politician reused the same password on multiple accounts and their password was exposed in a breach (and failed to use two-factor authentication(new window)), that could potentially put confidential information at risk.

How we can all be more secure online

Cybersecurity is a constantly shifting battle. New defenses lead to new attacks that require experts to develop new defenses again. Still, there are simple steps we can all take to be more safe online. In this case, the first step is the most obvious — No one should use their professional email to create online accounts, especially government officials who have access to secret information. Breaches happen with frightening regularity, and if you use a government email, attackers instantly know they have information on a high-value target. 

Here are some straightforward steps that everyone — but especially politicians and other high-profile or public figures — should take to strengthen their account security:

  • Use email aliases: Email aliases mask the true owner of an account, preventing your real email from being exposed in a breach. You can quickly delete aliases that have been compromised without affecting your primary email or other aliases.
  • Use a password manager: While a password manager can’t improve the security of the services you sign up for, it can ensure that each of your accounts has a strong, random, and unique password. A good password manager also simplifies password sharing and management, reducing the risk of exposing passwords by writing them down.
  • Use dark web monitoring services: Even if you follow all cybersecurity best  practices, your information can still be exposed through a company’s data breach. Dark web monitoring alerts you if your information appears online, allowing you to update your email (or better yet, your email alias) and password before attackers can exploit it.

Proton Pass(new window) can solve all of these problems. If you choose our Proton Pass Plus plan, you get:

Take control of your account security (and, if you’re a parliamentarian, help avert a national scandal) by signing up for a Proton Pass Plus plan today.

Related articles

laptop showing Bitcoin price climbing
en
  • Guias de privacidade
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
  • Atualizações de produto
  • Proton Pass
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.