
A new cybersecurity study has uncovered something concerning. More than 3,500 official email addresses belonging to US state legislators have been found on the dark web. In some cases, these leaks even included passwords.
At first, this might sound like just another data breach. However, experts say it could pose a serious national security risk.
Researchers from Proton examined publicly available government email addresses and checked whether they appeared in known data breaches.
They discovered that around 67 percent of US state legislators had their official email address exposed in at least one breach. Many of these records were linked to other personal data, and in some cases passwords were stored in plain text.
In certain states, the issue was especially widespread. Some regions had nearly every legislator’s email appear in breach data at some point.
This was not the result of a direct attack on government systems.
Instead, the issue came from a common habit. Many officials used their government email addresses to sign up for everyday online services.
When those services were later breached, the email addresses and sometimes passwords were exposed.
So rather than a single major hack, this was the result of multiple smaller breaches adding up over time.
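The check the researchers describe, matching a roster of official addresses against compiled breach data and counting exposure per state, can be modelled offline. The block below is an added example, not Proton's tooling or data: the roster, domains and breach records are constructed, and the plaintext-password heuristic is an assumption (it treats anything that does not look like a common hash format as plaintext). It also normalises case and strips plus-address tags, since a record for `A.Smith+news@...` still exposes `a.smith@...`.

```python
"""Offline model of a breach-exposure check over a roster of official addresses."""
from collections import defaultdict

# Constructed roster (hypothetical names and domains): official address -> state.
ROSTER = {
    "a.smith@leg.state-a.example": "A",
    "b.jones@leg.state-a.example": "A",
    "c.lee@leg.state-a.example": "A",
    "f.ng@leg.state-a.example": "A",
    "d.kim@leg.state-b.example": "B",
    "e.ortiz@leg.state-b.example": "B",
}

# Constructed breach records in the shape a compiled dump often has:
# (breach name, email as captured, password field or None).
BREACH_RECORDS = [
    ("shop-2019", "A.Smith@leg.state-a.example", "hunter2"),                 # plaintext
    ("forum-2021", "a.smith+news@leg.state-a.example", "$2b$12$abcdefghijk"),  # bcrypt hash
    ("travel-2020", "b.jones@leg.state-a.example", None),                    # no password field
    ("forum-2021", "d.kim@leg.state-b.example", "$2b$12$lmnopqrstuv"),
    ("newsletter-2022", "E.Ortiz@leg.state-b.example", "Summer2022!"),       # plaintext
]

HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2", "$6$", "$5$", "$1$")
HEX_DIGEST_LENGTHS = (32, 40, 64, 128)  # md5, sha1, sha256, sha512 as hex


def normalize(email: str) -> str:
    """Case-fold and strip plus-address tags so `a+x@d` and `A@d` match the same person."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def looks_plaintext(password) -> bool:
    """Heuristic (assumption): not a recognisable hash format means stored in the clear."""
    if password is None:
        return False
    p = password.strip()
    if p.startswith(HASH_PREFIXES):
        return False
    if len(p) in HEX_DIGEST_LENGTHS and all(c in "0123456789abcdef" for c in p.lower()):
        return False
    return True


def exposure_report(roster, records):
    """Return ({state: totals}, {official address: findings}) for the roster."""
    index = {normalize(addr): addr for addr in roster}
    findings = defaultdict(lambda: {"breaches": set(), "plaintext": False})
    for breach, email, password in records:
        key = normalize(email)
        if key in index:
            f = findings[index[key]]
            f["breaches"].add(breach)
            f["plaintext"] |= looks_plaintext(password)

    per_state = {}
    for addr, state in roster.items():
        s = per_state.setdefault(state, {"total": 0, "exposed": 0, "plaintext": 0})
        s["total"] += 1
        if addr in findings:  # membership test does not create a default entry
            s["exposed"] += 1
            s["plaintext"] += int(findings[addr]["plaintext"])
    for s in per_state.values():
        s["pct"] = round(100 * s["exposed"] / s["total"])
    return per_state, dict(findings)


if __name__ == "__main__":
    per_state, findings = exposure_report(ROSTER, BREACH_RECORDS)
    for state, s in sorted(per_state.items()):
        print(f"state {state}: {s['exposed']}/{s['total']} exposed ({s['pct']}%), "
              f"{s['plaintext']} with plaintext passwords")
```

Against real data the matching step would be a lookup in a breach-notification service rather than a list in memory, but the normalisation and the per-state aggregation are the same; the plus-address handling matters because many people tag sign-ups exactly so that they can tell which service leaked.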
On its own, an email leak might not seem critical. But in this situation, it creates real opportunities for attackers.
With access to official email addresses and related data, attackers can send highly targeted phishing messages, attempt to access accounts, or even impersonate officials.
In some cases, this kind of information can also be used for manipulation or blackmail.
Because these individuals are involved in government work, the impact of an attack could go far beyond a single account.
This situation highlights a wider issue. Even people in high level positions are still vulnerable to simple cybersecurity mistakes.
It also shows how modern cyber threats often work. Attackers do not always need to break into secure systems directly. They can take advantage of weak habits and indirect exposure instead.
This is not just a problem for politicians. It applies to everyone.
If something as simple as reusing an email or password can expose thousands of officials, it shows how important basic security habits are.
Using unique passwords, keeping work email addresses out of personal sign ups, and adding extra layers of security can make a significant difference. Many governments already use two factor or multi factor authentication along with passwords, so the question we now have to ask ourselves is: what more could we be doing to protect ourselves?
How to strengthen your email security
If you want to avoid the same risks, there are a few simple steps that make a big difference. Start by using a strong and unique password for your email account, since it acts as the gateway to almost everything else you use online. Turn on two factor authentication so that even if your password is exposed, your account is still protected.
It is also a good idea to avoid using your main email address for every sign up. Consider creating a separate email for less important accounts or newsletters. This reduces the impact if one service is breached.
Take time to review your account security settings as well. Check for unfamiliar login activity, remove any devices you do not recognise, and update recovery options like backup emails or phone numbers.
Finally, stay alert when checking your inbox. Be cautious of unexpected links, attachments, or urgent messages asking for personal information. Many attacks start with a simple email that looks convincing.
Building these habits does not take long, but they can significantly reduce your risk and help keep your personal information secure. If you have more concerns and a little time, below are some more things you can do to strengthen your email security.
1. Use an authenticator app instead of SMS
SMS codes are better than nothing, but apps like Google Authenticator or Microsoft Authenticator are much safer than text messages.
Why: SIM swapping attacks can let someone receive your SMS codes, but app based codes are generated on your device from a secret shared at enrolment and never travel over the phone network.
2. Check your email account activity regularly
Most email providers show recent logins and device history.
What to do:
- Look for unknown locations or devices
- Sign out of anything suspicious
- Change your password immediately if something looks off
Why: Early detection can stop an attack before damage is done.
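The review above can be done by eye on a provider's activity page, but the same logic is easy to run over an exported sign-in history, which is what the added example below does. It is not tied to any provider's real export format: the CSV columns, the sample events and the "known devices" list are all constructed for the demonstration, and the thresholds (two failures within ten minutes) are assumptions to tune.

```python
"""Triage of an exported sign-in history for the signs the checklist above describes."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (hypothetical column layout): time, country, device, result.
SAMPLE_EXPORT = """\
time,country,device,result
2024-03-01T08:02:00Z,GB,Pixel-7-Chrome,success
2024-03-01T08:40:00Z,GB,MacBook-Safari,success
2024-03-02T03:15:00Z,NG,Windows-Edge,failed
2024-03-02T03:16:00Z,NG,Windows-Edge,failed
2024-03-02T03:17:00Z,NG,Windows-Edge,success
2024-03-02T09:00:00Z,GB,MacBook-Safari,success
"""

# What the account owner recognises; anything else deserves a second look.
KNOWN_DEVICES = {"Pixel-7-Chrome", "MacBook-Safari"}
HOME_COUNTRIES = {"GB"}


def parse_events(text: str):
    """Parse the export into dicts with a timezone-aware datetime in 'time'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rows


def review(events, known_devices=KNOWN_DEVICES, home=HOME_COUNTRIES,
           burst=2, burst_minutes=10):
    """Return (severity, reason, event) for every event worth a second look."""
    findings = []
    recent_failures = []  # timestamps of failures still inside the burst window
    for e in events:
        reasons = []
        if e["device"] not in known_devices:
            reasons.append("unknown device")
        if e["country"] not in home:
            reasons.append(f"unexpected country {e['country']}")
        if e["result"] == "failed":
            recent_failures.append(e["time"])
            recent_failures = [t for t in recent_failures
                               if (e["time"] - t).total_seconds() <= burst_minutes * 60]
            if len(recent_failures) >= burst:
                reasons.append(f"{len(recent_failures)} failures within {burst_minutes} min")
        elif reasons and recent_failures:
            # A success from an unrecognised source right after failures points to a
            # guessed or stuffed password rather than the owner mistyping it.
            reasons.append("success after failed attempts")
        if reasons:
            severity = "high" if e["result"] == "success" and len(reasons) >= 2 else "medium"
            findings.append((severity, "; ".join(reasons), e))
    return findings


if __name__ == "__main__":
    for severity, reason, e in review(parse_events(SAMPLE_EXPORT)):
        print(f"[{severity}] {e['time']:%Y-%m-%d %H:%M} {e['country']} {e['device']}: {reason}")
```

The high-severity line is the one that matters: a successful login from an unknown device in an unexpected country immediately after failed attempts is the moment to change the password, sign out every session and check for forwarding rules, as the later steps describe.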
3. Secure your recovery options
Your backup email and phone number can be a weak point.
What to do:
- Make sure recovery emails are also secured with strong passwords and 2FA
- Remove outdated phone numbers or emails
Why: Attackers often target recovery methods to bypass security.
4. Use email aliases
Some providers let you create several addresses that all deliver to the same inbox.
What to do:
- Use different aliases for different services
- Keep your main email private
Why: If one alias is leaked, your main account stays protected.
5. Turn off automatic email forwarding
Check your settings to ensure no unknown forwarding rules exist.
Why: Hackers who get into an account sometimes add a forwarding rule so that copies of your email keep reaching them even after you change the password and lock them out.
6. Be cautious with third party app access
Over time, you may have given apps access to your inbox.
What to do:
- Review connected apps in your email settings
- Remove anything you do not use or trust
Why: Compromised apps can act as a backdoor into your account.
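Steps 5 and 6 are both a review of account settings for entries you did not put there, so one added example covers both: it audits an exported copy of mailbox settings for forwarding to outside domains and for connected apps that can read or send mail. The JSON layout, the domain list, the app scope names and the 180-day staleness threshold are all constructed assumptions; real providers expose these settings through their own account or admin interfaces in different shapes.

```python
"""Audit exported mailbox settings for hidden forwarding and risky third-party access."""
import json
from datetime import datetime, timedelta, timezone

OWN_DOMAINS = {"leg.state-a.example"}            # constructed: domains the owner controls
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)  # fixed so the demo output is reproducible

# Constructed settings export (hypothetical schema).
SAMPLE_SETTINGS = json.dumps({
    "forwarding": {"enabled": True, "address": "archive@leg.state-a.example"},
    "filters": [
        {"name": "receipts", "match": "from:shop", "action": "label:receipts"},
        {"name": "keep", "match": "*", "forward_to": "j.doe.backup@mail-drop.example",
         "delete_original": False},
        {"name": "mfa", "match": "subject:verification code", "forward_to": "x@mail-drop.example",
         "delete_original": True},
    ],
    "connected_apps": [
        {"name": "Calendar sync", "scopes": ["calendar.read"], "last_used": "2024-03-09"},
        {"name": "Old CRM plugin", "scopes": ["mail.read", "mail.send"], "last_used": "2022-11-01"},
        {"name": "Signature tool", "scopes": ["mail.modify"], "last_used": "2024-01-15"},
    ],
})

MAIL_SCOPES = {"mail.read", "mail.send", "mail.modify", "mail.full"}  # assumed scope names


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS


def audit(settings_json: str, now=NOW, stale_days=180):
    """Return a list of (severity, description) issues found in the settings."""
    s = json.loads(settings_json)
    issues = []

    fwd = s.get("forwarding", {})
    if fwd.get("enabled") and is_external(fwd.get("address", "")):
        issues.append(("high", f"account-level forwarding to external address {fwd['address']}"))

    for f in s.get("filters", []):
        target = f.get("forward_to")
        if not target:
            continue
        severity = "high" if is_external(target) else "low"
        note = f"filter '{f['name']}' forwards {f['match']!r} to {target}"
        if f.get("delete_original"):
            # Forward-and-delete is the classic way to hide that mail is being siphoned off.
            note += " and deletes the original"
            severity = "high"
        issues.append((severity, note))

    for app in s.get("connected_apps", []):
        scopes = set(app.get("scopes", []))
        last = datetime.strptime(app["last_used"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        idle_days = (now - last).days
        mail_access = sorted(scopes & MAIL_SCOPES)
        if mail_access and idle_days > stale_days:
            issues.append(("high", f"app '{app['name']}' holds {mail_access} and is unused for {idle_days} days"))
        elif mail_access:
            issues.append(("medium", f"app '{app['name']}' can access mail ({mail_access})"))
        elif idle_days > stale_days:
            issues.append(("low", f"app '{app['name']}' unused for {idle_days} days"))
    return issues


if __name__ == "__main__":
    for severity, note in audit(SAMPLE_SETTINGS):
        print(f"[{severity}] {note}")
```

Note that the account-level forward to an address on the owner's own domain is not flagged; the point is forwarding that leaves your control. The filter that forwards verification-code emails and deletes the original is the pattern to look for specifically, because it is how an attacker keeps receiving your one-time codes without you seeing them arrive.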
7. Use a dedicated email for important accounts
Create one email address just for:
- Banking
- Work
- Critical logins
Why: Keeping it separate reduces exposure and makes it harder to target.
8. Encrypt sensitive emails when possible
Some services like Proton Mail offer built in encryption.
Why: Even if a message is intercepted or the mailbox is copied, the contents remain unreadable to anyone without the key. Bear in mind that end to end protection only applies when the recipient's side is encrypted too; mail sent to an ordinary address is protected only as far as the recipient's provider allows.
9. Watch out for subtle phishing attempts
Modern phishing is very convincing.
What to look for:
- Slightly misspelled domains
- Urgent or threatening language
- Requests for login details
Why: A large share of breaches starts with a single successful phishing email.
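The "slightly misspelled domain" check in particular can be automated, and the added example below does so; it is not code from the article or from any mail provider. It compares a sender's domain against a constructed list of trusted domains using three tests: a small edit distance (a typo such as `micros0ft.com`), a confusable-character skeleton (`rnicrosoft.com`, or a Cyrillic letter standing in for a Latin one), and a trusted name embedded inside an unrelated domain (`proton.me.login-check.example`). The trusted list, the confusable table and the distance threshold are all assumptions to adapt to your own environment.

```python
"""Flag sender domains that look like, but are not, a trusted domain."""
import unicodedata

TRUSTED = {"legislature.example.gov", "proton.me", "microsoft.com"}  # constructed list

# Visually similar substitutions commonly used in lookalike registrations (assumed table).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Fold to ASCII and collapse confusable sequences so lookalikes compare equal."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def sender_domain(addr: str) -> str:
    """Domain part of a sender, tolerating 'Name <user@domain>' and a decoy '@' in the local part."""
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(">")


def classify(addr: str, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched trusted domain or the sender domain)."""
    d = sender_domain(addr)
    if d in trusted:
        return "trusted", d
    sk = skeleton(d)
    for t in trusted:
        tk = skeleton(t)
        if sk.endswith("." + tk):
            return "trusted-subdomain", t  # genuinely under the trusted domain
        if sk == tk or levenshtein(sk, tk) <= max_distance or tk in sk:
            return "lookalike", t  # typo, confusable, or trusted name embedded in another domain
    return "unknown", d


if __name__ == "__main__":
    for sample in ["alerts@proton.me", "security@micros0ft.com", "it-help@rnicrosoft.com",
                   "noreply@proton.me.login-check.example", "Help <help@pr\u043eton.me>",
                   "news@bbc.co.uk"]:
        print(f"{sample:45} -> {classify(sample)}")
```

"Unknown" is not "safe": it only means the domain does not resemble anything on the list. A lookalike verdict, on the other hand, is a strong signal on its own, because there is rarely a legitimate reason for a domain to be one character away from one you already trust.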
10. Log out on shared or public devices
Always sign out fully, not just close the browser.
Why: Sessions can remain active and allow others to access your account.
Finally, if you are still interested in learning more about good cyber security practices, check out this free course: https://cyberheroes.co.uk/courses/the-internet-cyber-security-and-privacy/
And if you'd like to stay up to date with us, be sure to follow us on LinkedIn: https://www.linkedin.com/company/cyberheroes-uk/
