State legislators are highly visible public figures in the US, responsible for crafting multi-billion-dollar state budgets, handling privileged information, and communicating with constituents.

According to a new Proton investigation, their email addresses and passwords are highly visible, too.

We’ve been investigating the cybersecurity practices of politicians around the world for more than a year. Our latest round of research found that 67% of US state legislators have been affected by data breaches linked to their publicly listed email addresses at least once.


We identified over 16,000 breach records associated with publicly listed email addresses across 49 states. More than 12,000 instances involved personally identifiable information (PII), which can be used to identify, surveil, and launch phishing scams against individuals. Compounding these risks is the fact that 560 passwords were discovered in plaintext: with a plaintext password, hackers can access personal accounts belonging to legislators and potentially work their way into official governmental accounts.

No identifying information is shared in our reporting and we’ve notified every politician affected.

Exposures stem from human error, not external attacks

Rather than targeted attacks from nations in conflict with the United States, these exposures are driven by legislators using their official government emails to sign up for services such as LinkedIn, Adobe, and Dropbox. These third-party services have been affected by data breaches, leading to exposures for government officials.

Unfortunately, this blurring of boundaries between personal and business accounts is commonplace in modern workplaces. It can have serious ramifications for businesses of any size in any industry, but politicians with access to sensitive governmental services and data have a much higher threat model than an average citizen.

“The data shows that this is less about isolated incidents and more about how digital risk accumulates over time,” said Eamonn Maguire, Head of Account Security at Proton. “Even normal, everyday use of online services can create long-term exposure. When official email addresses are involved, that risk extends beyond the individual to the institutions they represent.”

President Trump’s Cyber Strategy for America, released March 2026, notes that the US government “will act swiftly, deliberately, and proactively to disable cyber threats to America.” It seems that this effort may be undermined by its own legislators, who are leaving themselves vulnerable to cyberattacks.

Online behavior is inconsistent among states

It appears that online security practices are not consistent across governments in different states. Our investigation revealed a broad range of behavior across 49 states:

  • 100% of legislators in Arizona and Oklahoma appeared in breach datasets at least once
  • Massachusetts recorded the highest total breaches (816), impacting 84% of officials
  • New Hampshire had the highest number of leaked passwords (81)
  • Maryland was the only state with no recorded breaches
  • Only four states had less than 50% exposure: Florida, Kentucky, Maryland, and New Hampshire
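As an added illustration of how per-state figures like these are derived from breach records keyed by publicly listed email addresses, the following aggregation is not Proton's code; the roster, service names and records are constructed for the example:

```python
"""Aggregate constructed breach records per state: share of legislators with at
least one record, total records, PII records, and plaintext passwords leaked."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachRecord:
    email: str               # legislator's publicly listed address
    source: str              # third-party service the record came from
    has_pii: bool            # record contained personally identifiable information
    plaintext_password: bool # record contained an unhashed password


# Constructed roster: state -> publicly listed legislator addresses (fake domains).
ROSTER = {
    "AZ": ["a1@example-az.gov", "a2@example-az.gov"],
    "MD": ["m1@example-md.gov", "m2@example-md.gov", "m3@example-md.gov"],
    "NH": ["n1@example-nh.gov", "n2@example-nh.gov", "n3@example-nh.gov", "n4@example-nh.gov"],
}

# Constructed breach records; hypothetical values, not taken from the report.
RECORDS = [
    BreachRecord("a1@example-az.gov", "svc-a", True, False),
    BreachRecord("a2@example-az.gov", "svc-b", True, True),
    BreachRecord("a2@example-az.gov", "svc-c", False, False),
    BreachRecord("n1@example-nh.gov", "svc-a", True, True),
    BreachRecord("n1@example-nh.gov", "svc-b", True, True),
]


def summarize(roster, records):
    """Return {state: {"exposed_pct", "records", "pii", "plaintext_passwords"}}."""
    state_of = {e.lower(): st for st, emails in roster.items() for e in emails}
    stats = {st: {"exposed": set(), "records": 0, "pii": 0, "plaintext_passwords": 0}
             for st in roster}
    for r in records:
        st = state_of.get(r.email.lower())
        if st is None:  # address not on any roster: ignore it rather than guess
            continue
        s = stats[st]
        s["exposed"].add(r.email.lower())  # count each legislator once
        s["records"] += 1
        s["pii"] += int(r.has_pii)
        s["plaintext_passwords"] += int(r.plaintext_password)
    return {st: {"exposed_pct": round(100 * len(s["exposed"]) / len(roster[st])),
                 "records": s["records"], "pii": s["pii"],
                 "plaintext_passwords": s["plaintext_passwords"]}
            for st, s in stats.items()}


def below_half_exposure(summary):
    """States where fewer than half of legislators appear in any breach record."""
    return sorted(st for st, s in summary.items() if s["exposed_pct"] < 50)
```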

The fact that 100% of legislators in two states appeared in breach datasets at least once is deeply concerning. If any legislator across a whole state has been made vulnerable in a data breach, this could have serious ramifications for citizens and their public infrastructure. The US government is regularly targeted in attacks launched by the Russian Foreign Intelligence Service (SVR) and the Chinese government. The State Department has launched a new entity to identify and respond to threats launched by Iran, China, Russia, North Korea, and foreign terrorist organizations.

If cybersecurity standards aren’t being adequately upheld across the US government, this leaves US citizens unfairly impacted by the behavior of their legislators. No one should be more vulnerable to the consequences of a cyberattack that could deny them essential government services simply because of where they live. Legislators in Maryland, the only state with no recorded breaches, may be best positioned to advocate for higher standards within the government.

Meeting modern threats with modern online security

Taking more care online isn’t just for politically exposed people. Anyone can be affected by a data breach, and a data breach can have disastrous consequences no matter who you are. The key is to anticipate breaches and plan accordingly, starting with your email address.

An email address is essentially an online passport. It’s linked to everything you do online, like your online accounts, your purchase history, your address, your governmental ID, and more. Using your email address, it’s easy to identify you and target you with phishing scams that could see you affected by financial loss and identity fraud. Your data can also be sold to data brokers for a profit, leading to even more cybercriminals gaining access to it.

Instead of going off-grid, which isn’t a feasible solution in today’s world, you can instead choose to protect your personal information and limit the places where you give it out.

  • Email aliases hide your personal email address, allowing you to create accounts and even send or receive emails without giving away any personal information. If an email alias appears in a data breach, it’s not connected to you, so it can’t be used to gain more data about you. It can simply be deactivated, causing you no harm. Email aliases are an excellent solution for those looking to protect their email addresses, so US state legislators could benefit from considering them.
  • Password managers are an ideal solution for creating, storing, and autofilling passwords. An end-to-end encrypted password manager ensures that your personal data can’t be accessed by anyone but you, not even your password manager provider. It’s also possible to securely share credentials if you need to, eliminating unsafe sharing practices that increase risk.
  • Dark web monitoring alerts you automatically if your personal information appears on the dark web, and can also identify account weaknesses such as inactive two-factor authentication (2FA) and weak or reused passwords.

All of these services and more are available with Proton Pass. Designed by the team behind a privacy-first ecosystem including Proton Mail and Proton VPN, Proton Pass is a secure password manager that’s suitable for any level of tech experience and any security requirement.

Whether you’re a citizen or a legislator, consider signing up for a Proton Pass Plus account.