
Russian hackers are selling British officials' passwords

The massive, illegal trading market among hackers includes passwords of senior British politicians, police officers and diplomats.

Aaron Robinson / CNET

Thousands of passwords belonging to British officials are being traded among Russian hackers, according to a report.

As part of an investigation by The Times, the London-based publication found passwords that belonged to 1,000 British members of Parliament and staff, 7,000 police employees and more than 1,000 diplomats. The country's education secretary, Justine Greening, and business secretary, Greg Clark, were also swept up in the breach.

Their passwords were being sold in bulk on the internet underground known as the dark web and on Russian-language hacking websites, according to the report. 

The majority of the passwords come from 2012's LinkedIn breach. So if the victims have changed their login information across all of their accounts in the last five years, they should be fine.

One issue with such leaks comes when people use the same passwords for multiple accounts. So if their LinkedIn password is the same as their Facebook password and it hasn't changed, thieves essentially have a master key to the victims' accounts.

The National Crime and Security Centre in the UK released advice on what to do if you're swept up in the 2012 leak, in response to the Times story.

"This is not a recent attack, it took place in 2012, and does not constitute a strategic threat to national security," the organization said. It issued the same advice in 2012 and again in 2016 when it discovered that LinkedIn credentials were being sold by criminal groups.

Typically when sensitive information is traded on the dark web, the sellers keep the source of it anonymous to hide the hackers' tracks, said Emily Wilson, director of analysis at security company Terbium Labs.

Terbium Labs uses Matchlight, a search engine for the dark web, to look through markets and find who has been compromised. British public officials don't have the luxury of anonymity.

Their titles and government positions actually raise the value of their data. "Sometimes you have data that is valuable intrinsically because of where it came from," Wilson said. "LinkedIn emails and passwords -- people know how to capitalize on that."