Over 91,000 Government Passwords Exposed in Global Cyber Leak, Study Reveals

A recent study commissioned by NordPass and conducted with the help of the cybersecurity company NordStellar has revealed a huge leak of government-associated passwords. It exposes one of the main causes of public sector cybersecurity failure, password reuse, and shows how large the problem is. More than 91,000 passwords from the government institutions of six major countries, whose identities were not disclosed, have been found in public data leaks since the beginning of 2024.
With the largest number of compromised passwords (53,070), the United States ranked first, followed by France and Italy. The study frames cybersecurity as a global problem, but the scale of the U.S. exposure shows how widespread the problem is across the country, at the federal, state, and local levels of government.
Inside the U.S. Leaks
The research found that some of the most important U.S. government departments were hit hard by these leaks.
- More than 15,000 user accounts in the State Department were compromised, while the Pentagon had almost 1,900.
- Even the White House had seven accounts linked to its domains in the leaked datasets.
- Local government entities affected by the leaks include Washington, D.C., and Virginia Beach.
The leaks did not stop at national institutions. Police departments, school districts, and county offices were also affected, which shows how easily vulnerabilities spread across interconnected systems.
Password Reuse: The Hidden Weak Link
NordPass concluded that the main issue was not password complexity but users' practice of using the same password for multiple accounts. Among the 53,070 exposures in the U.S., only 2,241 passwords were unique, which showed that most of them were reused across different accounts. This habit greatly increases the risk of credential-stuffing attacks, in which an attacker uses one leaked password to access multiple systems.
Moreover, the study found that government workers create more complex passwords than the average user does. However, complexity offers very little protection if the same password is used in both personal and professional contexts.
What the Exposed Data Revealed
The breaches were comprehensive: they involved not only passwords but also other sensitive information such as usernames, emails, phone numbers, browser autofill data, and login cookies. This additional data can help attackers take over accounts or target users with phishing scams.
NordPass and NordStellar say the figures in the report are just the tip of the iceberg. The bulk of stolen credentials is traded within the criminal underground, which makes the real numbers hard to estimate.
Federal Action and the Way Forward
The revelations came alongside warnings from the Cybersecurity and Infrastructure Security Agency (CISA), which in 2024 instructed all government departments to change all passwords after a link was detected between a Russian hacker group and the theft of Microsoft email accounts. Since then, following federal audits, the Government Accountability Office (GAO) and NIST have recommended stronger identity authentication and phishing-resistant multi-factor authentication (MFA).
Experts still say that MFA cannot completely eliminate breaches when attackers use session tokens or backup codes. Hence, the only solid defense is to continuously monitor credentials, strictly enforce unique passwords, and proactively educate employees.