Investigation Reveals 67% of U.S. State Legislators' Data, Including Plaintext Passwords, Exposed in Third-Party Breaches

Two-Thirds of US State Legislators Have Had Data Leaked on Dark Web

HIGH
April 1, 2026
5m read
Data BreachPolicy and CompliancePhishing

Related Entities

Organizations

U.S. State LegislaturesAdobe

Other

Proton Constella IntelligenceLinkedIn Dropbox

MITRE ATT&CK Techniques

T1589.002Reconnaissance

Credentials

T1110.003Credential Access

Password Spraying

T1110.004Credential Access

Credential Stuffing

T1566.002Initial Access

Spearphishing Link

Full Report

Executive Summary

An investigation by Proton and Constella Intelligence has uncovered that the majority of U.S. state legislators (67%) have had their personal information exposed in data breaches. The data, linked to their official government email addresses, was found in breach compilations circulating on the dark web. The exposures are not the result of direct attacks on government systems but rather stem from legislators using their work emails for personal services. The investigation found over 16,000 breach instances across 49 states, including more than 12,000 cases of exposed Personally Identifiable Information (PII) and, most critically, 560 passwords in plaintext. This widespread exposure represents a significant counterintelligence and security risk, providing adversaries with ample material for targeted phishing, account takeover, and blackmail operations against American policymakers.

Threat Overview

The threat is not a single, coordinated attack but a systemic issue of poor operational security and the inevitable fallout from countless third-party data breaches over many years. When legislators use their official email addresses (e.g., legislator@statesenate.gov) to register for commercial services like LinkedIn, Adobe, or Dropbox, that email becomes tied to the security of that third-party service. When the third party is breached, the legislator's email, password hash (or plaintext password), and other PII become part of the breach data that is sold or shared on the dark web.

This creates a massive risk profile:

  • Credential Stuffing: Attackers can take the leaked passwords and try them against other services, including personal email, social media, or even government portals (T1110.003 - Password Spraying).
  • Targeted Phishing: Knowing a legislator's email and the services they use allows adversaries to craft highly convincing spear-phishing emails (T1566.002 - Spearphishing Link).
  • Blackmail and Influence: Information about accounts on sensitive sites (e.g., dating websites) could be used for blackmail or to exert influence over a politician.

Technical Analysis

The research involved correlating publicly available email addresses of 7,377 state legislators with massive datasets of breached information. The findings were stark:

  • Overall Exposure: 67% of legislators were found in at least one breach.
  • State-by-State Variation: In Arizona and Oklahoma, 100% of legislators were affected. Maryland was the only state with zero exposure.
  • Plaintext Passwords: 560 passwords were found in clear text, meaning no hacking is required to read them. New Hampshire had the most with 81.
  • High-Profile Breaches: The data came from well-known breaches at companies like LinkedIn, Adobe, Dropbox, and many others.

This is a classic example of how a compromised identity on one platform can create a cascading risk across a person's entire digital life. For a public official, this personal risk translates directly into a risk for their government institution and constituents.

Impact Assessment

  • National Security Risk: Foreign intelligence agencies are known to collect and analyze breach data to build profiles on persons of interest, including government officials. This data provides a rich source for espionage and targeted cyberattacks.
  • Risk to Government Systems: A compromised legislator's account could be used as an initial access point into state government networks, potentially leading to a larger breach of sensitive legislative or constituent data.
  • Erosion of Trust: This demonstrates a widespread lack of basic cybersecurity hygiene among elected officials, which can erode public trust in their ability to handle sensitive matters.
  • Personal Risk to Officials: Affected legislators are at high personal risk of financial fraud, identity theft, and reputational damage.

Cyber Observables for Detection

Detection in this context is about identifying when leaked credentials are being used, not detecting the original third-party breach.

Type
log_source
Value
Authentication Logs
Description
Monitor for impossible travel alerts, where a legislator's account is accessed from two distant geolocations in a short time.
Context
SIEM, Identity Provider logs.
Confidence
high
Type
user_account_pattern
Value
Password Spraying
Description
Detect a high rate of failed login attempts across multiple legislator accounts using a small number of common passwords.
Context
Active Directory logs, SIEM.
Confidence
high
Type
email_address
Value
HaveIBeenPwned
Description
Proactively check official email domains against services like Have I Been Pwned to identify which accounts have appeared in known breaches.
Context
Proactive security monitoring.
Confidence
high

Detection & Response

Proton has notified the affected politicians. For government IT departments, the response should be:

  1. Forced Password Resets: Mandate immediate password resets for all legislators and staff, especially those identified in the research.
  2. MFA Rollout: Aggressively enforce the use of strong, phishing-resistant MFA (like FIDO2 security keys) for all government accounts (M1032 - Multi-factor Authentication).
  3. Credential Monitoring: Subscribe to a dark web monitoring service to receive alerts when official email addresses or domains appear in new breach data.

Mitigation

  • User Training: This is the most critical mitigation. Officials and their staff must be trained on the dangers of password reuse and using official email addresses for personal, non-governmental services (M1017 - User Training).
  • Password Policies: Enforce strong password policies and the use of password managers to ensure unique, complex passwords are used for every service.
  • Policy Enforcement: Implement technical policies that restrict the use of government email for certain categories of external services where possible.
  • Identity Separation: Promote a culture of strict separation between professional and personal digital identities.

Timeline of Events

1
April 1, 2026
This article was published

MITRE ATT&CK Mitigations

User Training

M1017enterprise

Train officials on the importance of operational security, including not using work emails for personal services and the dangers of password reuse.

Multi-factor Authentication

M1032enterprise

Enforce phishing-resistant MFA on all government accounts to mitigate the risk of compromised passwords.

Mapped D3FEND Techniques:

D3-MFA

Password Policies

M1027enterprise

Enforce strong, unique passwords for all accounts and encourage the use of password managers.

Mapped D3FEND Techniques:

D3-SPP

Sources & References

A majority of US state legislators have data leaked on the dark web
Proton (proton.me) April 1, 2026
Leaked: Politicians’ emails and passwords on the dark web
Proton (proton.me) March 31, 2026
Thousands of Capitol Hill staffers’ info spilled across dark web
The Washington Times (washingtontimes.com) March 31, 2026
US Capitol hit by massive dark web cyber attack: Reports
Newsweek (newsweek.com) March 31, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

Data BreachDark WebGovernmentPassword SecurityProtonPhishingOperational Security

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.