Hackers may be sitting on a massive trove of government credentials — including emails and passwords tied to the White House, State Department, Department of Defense, and U.S. Army — according to new research from NordVPN’s affiliate companies, NordPass and NordStellar.
The study found more than 53,000 passwords belonging to U.S. government employees exposed in publicly accessible databases and dark-web forums since early 2024. Among the most affected institutions include:
- Department of State – 15,272 exposed passwords
- Department of War (Defense) – 1,897 exposed passwords
- U.S. Army – 1,706 exposed passwords
- White House – Seven compromised passwords
One of the most commonly found passwords was “April@4142.” Researchers said it was the most widespread credential used by American civil servants.
“Exposure of sensitive data, including passwords of civil servants, is particularly dangerous,” Karolis Arbačiauskas, head of product at NordPass, said in a press release. “Such incidents may also pose serious risks to a country’s strategic interests.”
Leaked Passwords Reveal Wider Vulnerability
The research used NordStellar’s threat exposure management platform to analyze data from more than 5,500 government and municipal organizations across six countries, including the U.S., U.K., and Germany. It found that federal and local agencies alike remain vulnerable — from the Department of Veterans Affairs to state and city governments such as Illinois, Michigan, Utah, and Virginia Beach.
In total, NordPass identified 2,241 unique passwords among the 53,070 records, suggesting that many were reused across multiple accounts—or by multiple users—a known cybersecurity red flag.
“You can have state-of-the-art firewalls and zero-trust systems,” Marijus Briedis, chief technology officer at NordVPN, told Military.com. “But if employees reuse passwords, it defeats the purpose.”
The research also found passwords linked to NASA, the CIA, and the Government of the District of Columbia, further underscoring the exposure of government-affiliated credentials beyond traditional defense and diplomatic agencies.
U.S. Agencies Respond
A Department of State official told Military.com that the department has no record of receiving a notification from NordVPN regarding the reported exposure.
However, a State Department spokesperson said, “State is committed to cybersecurity across the department and we have instituted MFA (multi-factor authentication) and regularly rotate credentials to strengthen our safeguards against potential threats.”
A Department of Defense spokesperson referred Military.com to the U.S. Department of the Army for comment.
Military.com reached out to the Army as well as the White House for comment.
Nord Security’s Broader Findings
NordPass emphasized that the number of leaked passwords doesn’t necessarily equate to weak internal defenses.
“Larger organizations, with more employees, naturally have a bigger digital footprint,” Arbačiauskas said. “Sometimes a single malware infection on a personal device or the compromise of a popular third-party site can expose dozens of accounts.”
The company added that many of the breaches did not originate from government servers, but rather from employees using work emails to register on external websites—such as retail or cloud services—which were later breached.
NordPass Recommendations
To help mitigate risks, NordPass outlined several security recommendations for public agencies.
They include using long, unique passwords (of at least 20 characters, or multi-word passphrases); never reusing credentials between personal and professional accounts; implementing organization-wide password policies and breach scanners; and enforcing MFA for all internal and external systems.
The Password Problem Money Can’t Fix
Even as federal agencies invest billions in zero-trust architecture and advanced cyber defenses, researchers say one of the biggest weaknesses remains human behavior.
Every reused password or neglected update provides an opening for threat actors, and even one compromised credential can cascade into a high-level breach.
“You may not always defend against an attacker’s tools,” Briedis said, “but you can defend against your own mistakes.”
Story Continues
Read the full article here