[{"data":1,"prerenderedAt":132},["ShallowReactive",2],{"article-slug-majority-of-us-state-legislators-data-exposed-in-breaches":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":37,"sources":38,"events":58,"mitre_techniques":59,"mitre_mitigations":75,"d3fend_countermeasures":98,"iocs":99,"cyber_observables":100,"tags":117,"extract_datetime":122,"article_type":123,"impact_scope":124,"pub_date":42,"reading_time_minutes":131,"createdAt":122,"updatedAt":122},"9f43ba9d-c40d-488f-8638-4a3d8401b49d","majority-of-us-state-legislators-data-exposed-in-breaches","Two-Thirds of US State Legislators Have Had Data Leaked on Dark Web","Investigation Reveals 67% of U.S. State Legislators' Data, Including Plaintext Passwords, Exposed in Third-Party Breaches","A new investigation by privacy company Proton has revealed a startling lack of operational security among U.S. state legislators, with 67% having had their data exposed in past data breaches. The research found over 16,000 breach records linked to the officials' publicly listed email addresses, which were used to sign up for third-party services like LinkedIn, Adobe, and even dating sites that were later hacked. Alarmingly, 560 plaintext passwords were discovered among the leaked data, creating a direct path for attackers to compromise personal and potentially official accounts. The findings highlight a significant national security risk, as this exposed data could be used by foreign adversaries for espionage, blackmail, or targeted influence campaigns.","## Executive Summary\nAn investigation by **[Proton](https://proton.me/)** and Constella Intelligence has uncovered that the majority of U.S. state legislators (67%) have had their personal information exposed in data breaches. 
The data, linked to their official government email addresses, was found in breach compilations circulating on the dark web. The exposures are not the result of direct attacks on government systems but rather stem from legislators using their work emails for personal services. The investigation found over 16,000 breach instances across 49 states, including more than 12,000 cases of exposed Personally Identifiable Information (PII) and, most critically, 560 passwords in plaintext. This widespread exposure represents a significant counterintelligence and security risk, providing adversaries with ample material for targeted phishing, account takeover, and blackmail operations against American policymakers.\n\n---\n\n## Threat Overview\nThe threat is not a single, coordinated attack but a systemic issue of poor operational security and the inevitable fallout from countless third-party data breaches over many years. When legislators use their official email addresses (e.g., `legislator@statesenate.gov`) to register for commercial services like **[LinkedIn](https://www.linkedin.com/)**, Adobe, or Dropbox, that email becomes tied to the security of that third-party service. 
When the third party is breached, the legislator's email, password hash (or plaintext password), and other PII become part of the breach data that is sold or shared on the dark web.\n\nThis creates a massive risk profile:\n*   **Credential Stuffing:** Attackers can take the leaked passwords and try them against other services, including personal email, social media, or even government portals ([`T1110.004 - Credential Stuffing`](https://attack.mitre.org/techniques/T1110/004/)).\n*   **Targeted Phishing:** Knowing a legislator's email and the services they use allows adversaries to craft highly convincing spear-phishing emails ([`T1566.002 - Spearphishing Link`](https://attack.mitre.org/techniques/T1566/002/)).\n*   **Blackmail and Influence:** Information about accounts on sensitive sites (e.g., dating websites) could be used for blackmail or to exert influence over a politician.\n\n## Technical Analysis\nThe research involved correlating publicly available email addresses of 7,377 state legislators with massive datasets of breached information. The findings were stark:\n*   **Overall Exposure:** 67% of legislators were found in at least one breach.\n*   **State-by-State Variation:** In Arizona and Oklahoma, 100% of legislators were affected. Maryland was the only state with zero exposure.\n*   **Plaintext Passwords:** 560 passwords were found in clear text, meaning no hacking is required to read them. New Hampshire had the most with 81.\n*   **High-Profile Breaches:** The data came from well-known breaches at companies like LinkedIn, Adobe, Dropbox, and many others.\n\nThis is a classic example of how a compromised identity on one platform can create a cascading risk across a person's entire digital life. 
For a public official, this personal risk translates directly into a risk for their government institution and constituents.\n\n## Impact Assessment\n*   **National Security Risk:** Foreign intelligence agencies are known to collect and analyze breach data to build profiles on persons of interest, including government officials. This data provides a rich source for espionage and targeted cyberattacks.\n*   **Risk to Government Systems:** A compromised legislator's account could be used as an initial access point into state government networks, potentially leading to a larger breach of sensitive legislative or constituent data.\n*   **Erosion of Trust:** This demonstrates a widespread lack of basic cybersecurity hygiene among elected officials, which can erode public trust in their ability to handle sensitive matters.\n*   **Personal Risk to Officials:** Affected legislators are at high personal risk of financial fraud, identity theft, and reputational damage.\n\n## Cyber Observables for Detection\nDetection in this context is about identifying when leaked credentials are being used, not detecting the original third-party breach.\n| Type | Value | Description | Context | Confidence |\n|---|---|---|---|---|\n| log_source | `Authentication Logs` | Monitor for impossible travel alerts, where a legislator's account is accessed from two distant geolocations in a short time. | SIEM, Identity Provider logs. | high |\n| user_account_pattern | `Password Spraying` | Detect a high rate of failed login attempts across multiple legislator accounts using a small number of common passwords. | Active Directory logs, SIEM. | high |\n| email_address | `HaveIBeenPwned` | Proactively check official email domains against services like Have I Been Pwned to identify which accounts have appeared in known breaches. | Proactive security monitoring. | high |\n\n## Detection & Response\nProton has notified the affected politicians. For government IT departments, the response should be:\n1.  
**Forced Password Resets:** Mandate immediate password resets for all legislators and staff, especially those identified in the research.\n2.  **MFA Rollout:** Aggressively enforce the use of strong, phishing-resistant MFA (like FIDO2 security keys) for all government accounts ([`M1032 - Multi-factor Authentication`](https://attack.mitre.org/mitigations/M1032/)).\n3.  **Credential Monitoring:** Subscribe to a dark web monitoring service to receive alerts when official email addresses or domains appear in new breach data.\n\n## Mitigation\n*   **User Training:** This is the most critical mitigation. Officials and their staff must be trained on the dangers of password reuse and using official email addresses for personal, non-governmental services ([`M1017 - User Training`](https://attack.mitre.org/mitigations/M1017/)).\n*   **Password Policies:** Enforce strong password policies and the use of password managers to ensure unique, complex passwords are used for every service.\n*   **Policy Enforcement:** Implement technical policies that restrict the use of government email for certain categories of external services where possible.\n*   **Identity Separation:** Promote a culture of strict separation between professional and personal digital identities.","A shocking 67% of US state legislators have had their data, including 560 plaintext passwords, exposed on the dark web from 3rd-party breaches. The data is tied to their official work emails. 🏛️ #CyberSecurity #DataBreach #GovSec #Privacy","An investigation by Proton reveals that two-thirds of U.S. state legislators have had their data, including plaintext passwords, exposed in third-party data breaches, creating a significant security risk.",[13,14,15],"Data Breach","Policy and Compliance","Phishing","high",[18,22,24,27,30,34],{"name":19,"type":20,"url":21},"Proton","company","https://proton.me/",{"name":23,"type":20},"Constella Intelligence",{"name":25,"type":26},"U.S. 
State Legislatures","government_agency",{"name":28,"type":20,"url":29},"LinkedIn","https://www.linkedin.com/",{"name":31,"type":32,"url":33},"Adobe","vendor","https://www.adobe.com/",{"name":35,"type":20,"url":36},"Dropbox","https://www.dropbox.com/",[],[39,44,48,53],{"url":40,"title":41,"date":42,"friendly_name":19,"website":43},"https://proton.me/blog/us-state-legislators-data-breach-dark-web","A majority of US state legislators have data leaked on the dark web","2026-04-01","proton.me",{"url":45,"title":46,"date":47,"friendly_name":19,"website":43},"https://proton.me/blog/leaked-politicians-passwords","Leaked: Politicians’ emails and passwords on the dark web","2026-03-31",{"url":49,"title":50,"date":47,"friendly_name":51,"website":52},"https://www.washingtontimes.com/news/2024/sep/24/thousands-of-capitol-hill-staffers-info-spilled-a/","Thousands of Capitol Hill staffers’ info spilled across dark web","The Washington Times","washingtontimes.com",{"url":54,"title":55,"date":47,"friendly_name":56,"website":57},"https://www.newsweek.com/us-capitol-dark-web-cyber-attack-1956550","US Capitol hit by massive dark web cyber attack: Reports","Newsweek","newsweek.com",[],[60,64,68,71],{"id":61,"name":62,"tactic":63},"T1589.002","Credentials","Reconnaissance",{"id":65,"name":66,"tactic":67},"T1110.003","Password Spraying","Credential Access",{"id":69,"name":70,"tactic":67},"T1110.004","Credential Stuffing",{"id":72,"name":73,"tactic":74},"T1566.002","Spearphishing Link","Initial Access",[76,81,89],{"id":77,"name":78,"description":79,"domain":80},"M1017","User Training","Train officials on the importance of operational security, including not using work emails for personal services and the dangers of password reuse.","enterprise",{"id":82,"name":83,"d3fend_techniques":84,"description":88,"domain":80},"M1032","Multi-factor Authentication",[85],{"id":86,"name":83,"url":87},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","Enforce phishing-resistant 
MFA on all government accounts to mitigate the risk of compromised passwords.",{"id":90,"name":91,"d3fend_techniques":92,"description":97,"domain":80},"M1027","Password Policies",[93],{"id":94,"name":95,"url":96},"D3-SPP","Strong Password Policy","https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy","Enforce strong, unique passwords for all accounts and encourage the use of password managers.",[],[],[101,106,112],{"type":102,"value":103,"description":104,"context":105,"confidence":16},"domain","*.gov","Monitoring for the appearance of .gov email addresses in newly discovered data breach dumps.","Dark web monitoring services, threat intelligence feeds.",{"type":107,"value":108,"description":109,"context":110,"confidence":111},"log_source","Email Gateway Logs","Analyze for incoming emails referencing services that officials were known to use from breach data (e.g., fake 'Dropbox password reset' emails).","Email security gateway, SIEM.","medium",{"type":113,"value":114,"description":115,"context":116,"confidence":16},"user_account_pattern","Impossible Travel","Alerting when a single account is authenticated from geographically distant locations within a short time frame.","Identity and Access Management (IAM) platforms, SIEM.",[13,118,119,120,19,15,121],"Dark Web","Government","Password Security","Operational Security","2026-04-01T15:00:00.000Z","Report",{"geographic_scope":125,"countries_affected":126,"industries_affected":128,"other_affected":129},"national",[127],"United States",[119],[130],"U.S. state legislators",5,1775141535613]