Leaked: Politicians’ emails and passwords on the dark web

Leaked: Politicians’ emails and
passwords on the dark web

Over 4,300 government officials in Europe and the US have had their official email addresses — and even passwords — exposed on the dark web.

Politicians and staffers are using their official email addresses to sign up for everyday accounts, like social media, news sites, and dating apps. If (or when) these services suffer a breach, attackers can use these email addresses to easily identify high-profile targets.

For the average person, this is a serious privacy risk. For public officials, it’s a potential national security threat.

To conduct this investigation, we searched the dark web for information associated with the publicly available email addresses of government officials. In many cases we found that highly sensitive information — including passwords — was freely available on well-known criminal forums.

This presents an obvious cyber security risk if these people were reusing passwords for multiple services. But it also presents an additional risk because the personal information available puts these officials in danger of blackmail or social engineering.

Account security is incredibly important and easy to get wrong. It's vital that we all takes steps to protect ourselves — with tools like a password manager or email aliases — because if even politicians with a higher than normal threat model can make mistakes, so can anyone else.

This investigation would not have been possible without the assistance of Constella Intelligence(new window).

How widespread is the problem?

Institution	Email addresses searched	Email addresses breached	Percentage of email addresses breached	Passwords exposed	Passwords exposed in plaintext
EU Parliament	705	309	44%	195	161
UK House of Commons	650	443	68%	284	216
French Parliament	925	166	18%	322	320
US political staffers	16,543	3,191	20%	2,975	1,848
Italian Parliament	609	91	15%	195	188
Spanish Parliament	615	39	6%	14	9
Danish Parliament	179	74	41%	93	69
Dutch Parliament	225	41	18%	35	32
Luxembourgish Parliament	60	10	16%	43	38
German state parliaments	1,874	241	13%	220	153

Key highlights from the data

UK House of Commons: Most exposed

The UK House of Commons had the highest percentage of politicians' official email addresses exposed in breaches of all the institutions we've looked at so far. In total, the British politicians had their official emails exposed 2,311 times on the dark web. One MP alone had their details exposed 30 times.

Past attacks

In December 2023, the UK government accused Russia(new window) of a “years-long cyberattack” on British academics, politicians, and policymakers.

Danish Parliament: Most repeat exposures

41% of Danish politicians had their official email address breached, the third highest percentage of all the groups we've looked at. If a politician was involved in a breach, their details appeared 7.5 times on the dark web on average, the highest of the institutions we've looked at. The Danish politician with the most exposures had their email address appear 25 times, along with 8 passwords in plaintext.

Past attacks

In 2023, Russian affiliated hackers exploited a zero-day firewall vulnerability, compromising 22 organizations overseeing Denmark’s energy infrastructure(new window) — the most extensive cyberattack Denmark has faced.

European Parliament: Widespread leaks

44% of MEPs had an exposed government email address, behind only the British Parliament. Of the 309 MEPs exposed, 92 were caught up in 10 or more leaks. Of the MEPs that suffered a breach, their details appeared 7.48 times on average, the second high rate behind the Danish Parliament.

Past attacks

In 2024, two members and a staffer of the European Parliament’s security and defense subcommittee found spyware on their smartphones(new window).

German state parliaments: Three states fail cybersecurity

Overall, only 13% of German state politicians have their official email addresses exposed on the dark web, second lowest percentage we found. However, there are three states where at least half the politicians have exposed email addresses and other details: Sachsen-Anhalt, with 67%; Rheinland-Pfalz, with 51.1%, and Bremen, with 50%.

Past Attacks

In 2024, the Frankfurt University of Applied Sciences(new window) and Hochschule Kempten(new window) were forced to close due to cyberattacks, the Bavarian pharmaceutical giant AEP was hit by a ransomware attack(new window), and the Social Democratic(new window) party (SPD) was hacked.

Italian Parliament: Third fewest leaks

15% of Italian politicians have had their official email address exposed, the third lowest percentage of the institutions we looked at. They also only suffered a total of 402 email breaches. For comparison, the British Parliament, which has 650 MPs compared to Italy's 609, had a total of 2,110 breaches.

Past attacks

In May 2024, Russian affiliated hackers took down the websites of Prime Minister Giorgia Meloni(new window) and the Ministries of Infrastructure and Enterprise.

Luxembourgish Parliament: One politician had 20+ passwords exposed

We found 16% of Luxembourgish politicians' official email addresses on the dark web — but because Luxembourgish Parliament only has 60 members, this equals 10 exposed emails. However, one politician not only had their email address exposed, but also 29 passwords, all in plaintext.

Past attacks

In 2024, DDoS attacks repeatedly disrupted websites for the ministries of finance and justice(new window), the official statistics agency, and the national health fund.

Spanish Parliament: Fewest leaks by far

Spanish Parliament has by far the fewest politician's with exposed official email addresses. Only 6% of Spanish politicians had their email appear on the dark web — the Italian Parliament is the next lowest with 15%. Even more impressive, we found only nine passwords in plaintext linked to Spanish politicians.

Past attacks

In 2022, Pegaus spyware(new window) was found on the devices of 63 individuals involved in the Catalan independence movement and the Spanish Prime Minister.

US political staffers: A major risk

20% of US political staffers had exposed government-assigned email addresses, the fourth highest percentage we've found. (However, the percentage of politicians with exposed emails in Denmark, which is in third, is twice as high.) We looked at US political staffers because Congress members do not always publicly share their official email addresses. Roughly 10% of breached staffers had their details appear more than 10 times in databases on the dark web.

Past attacks

In 2024, an unknown attacker pretending to be Senate Majority Leader Chuck Schumer attempted to phish dozens of senators(new window) with text messages.

French Parliament: Strong security – except for one lawmaker

Only 18% of French politicians had their official emails exposed — but France is also home to the least secure lawmaker found in our survey. One politician's email appeared in 137 breaches, along with 133 passwords in plaintext. The Senate was hit hardest overall, with 33% of members exposed, compared to just 9% in the National Assembly.

Past attacks

In November 2023, journalists discovered that a hacker stole the credentials for a French MP’s inbox and sold them on the dark web for $150(new window).

Dutch Parliament: Inconsistent cybersecurity

While only 18% of Dutch politicians have exposed email addresses, the breaches are not evenly distributed between the two houses of parliament. Out of the 150 members of the Tweede Kamer (lower house), 36 had their emails exposed (24%). Comparatively, only five of the Eerste Kamer’s 75 members (around 7%) had their email addresses leaked.

Past attacks

In September 2024, all 63,000 members of the Dutch police force had their work-related contacts illegally accessed(new window) by a suspected state actor, and in February 2024, a breach exposed the Dutch military’s network to Chinese hackers(new window).

Why this matters

It's important to note that these leaks aren't proof of government network hacks. These email addresses were exposed by breaches at services like LinkedIn, Dropbox, Adobe, and others.

Still, when a politician or staffer's email address is exposed, it's more than just an inconvenience — it's a signal to attackers that this is a high-value target.

Politicians with exposed accounts using their official email address are at more risk of:

Phishing: Attackers can craft targeted social engineering attacks using leaked personal details or data from vulnerable accounts.
Blackmail: Attackers can leverage sensitive or personal information for coercion.
Account takeovers: If officials reused exposed passwords, attackers could infiltrate government systems.

How Proton Pass protects you

Hide-my-email aliases: Use unique email aliases instead of exposing your real email address
Secure password manager: Generate and store strong, unique passwords for every account
Passkey support: Future-proof login security with phishing-resistant passkeys
Built-in 2FA code generator: Store your credentials and 2FA codes in one encrypted vault
Dark Web Monitoring: Get alerts if your Proton email addresses or aliases appear in data leaks
Proton Sentinel: Proactively defend your Proton Account from takeover attempts

Take control of your security

Ready to protect yourself?

Stop reusing passwords
Never use your professional email address for everyday accounts
Use aliases to keep your real email address hidden
Let Dark Web Monitoring alert you of breaches

Get Proton Pass Plus