Proton
European politicians and a smartphone showing data protected from the dark web.

The email addresses and other sensitive information of 4,364 British, Danish, Dutch, EU, French, Italian, Luxembourgish, and Spanish politicians and US political staffers have been leaked to dark web marketplaces where data is illegally bought and sold. As part of our initial investigation with Constella Intelligence(new window) in May 2024, we searched the dark web for 2,280 official government email addresses from the British Parliament, European Parliament, and French Parliament. We found that around 40% had been exposed, along with passwords, birth dates, and more.

In September 2024, we expanded this investigation to examine how many US political staffers’ email addresses are on the dark web. (We did not include the email addresses of US politicians, as they’re not always publicly available.) We searched for over 16,000 staffers’ emails.

In October, we added Italy and Spain to our investigation, searching for the official email addresses of 609 members of the Italian parliament and 615 members of the Spanish parliament. In November, we added Denmark, with its 179-member parliament; Luxembourg, with its 60-member parliament; and the Netherlands, with its 225-member parliament. 

Ranked from highest to lowest, here are the percentages of members of various nations’ parliaments (or staffers, in the case of the USA) whose official email addresses were found at least once in our search of the dark web.

Chart showing percentage of politicians or staffers with exposed data

The fact that these emails, which are publicly available on government websites, are on the dark web isn’t a security failure by itself. Nor is it evidence of a hack of the British, Danish, Dutch, European, French, Italian, Luxembourgish, or Spanish parliaments or the US Congress. Instead, it shows that politicians and staffers used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they’re entrusted to keep safe needlessly at risk.

Even more concerning is that these email addresses were matched with 2,881 passwords in plaintext across all the researched regions. (Proton informed every affected politician and staffer that they had sensitive data exposed on the internet before publishing this article). If a politician or staffer reused one of these exposed passwords to protect their official email account, it could also be at risk.

Politicians’ and staffers’ data exposed

In our investigation, we unfortunately found all kinds of sensitive information linked to politicians’ emails, including their date of birth, the address of their residences, and social media accounts. Taken together, this information gives attackers plenty of details to make convincing phishing attacks.

Number of email addresses searchedNumber of breached email addressesNumber of passwords exposedNumber of passwords exposed in plaintext
EU Parliament705309195161
British Parliament650443284216
French Parliament925166322320
US political staffers16,5433,1912,9751,848
Italian Parliament60991195188
Spanish Parliament61539149
Danish Parliament179749369
Dutch Parliament225413532
Luxembourgish Parliament60104338
France leaks visualization

French politicians outperform other elected officials

As previously mentioned, only 18% of the French politicians’ emails we searched for appeared in dark web exchanges. However, these breaches aren’t evenly distributed. In the French Senate, 115 of the 348 (33%) senators’ emails we searched for were exposed, compared to only 51 out of 577 (roughly 9%) for deputies in the National Assembly. 

If a French politician was breached, their information appeared in an average of 7.8 breaches. If this number seems high, it’s undoubtedly because France is home to the single politician who suffered the most breaches of their email address (137) and had the most passwords exposed in plaintext (133). 

France is also home to an example of the worst-case scenario actually happening. In November 2023, journalists discovered that an attacker stole the username and password to a member of Parliament’s email address and sold access to their official inbox on the dark web(new window). Perhaps the most surprising aspect of this story is that the asking price was only $150 (€138). 

Just over a month before the Paris Olympics begin, these results highlight concerns around politicians’ cybersecurity practices, where just one breach could be a serious national security threat.

UK leaks visualization

Most British politicians have been breached

According to our findings, British MPs are fortunate not to have suffered a major scandal involving account takeovers, as 68% of searched email addresses were found on the dark web, including senior figures both in the government and the opposition. MPs’ email addresses were exposed a total of 2,110 times on the dark web, with the most frequently targeted MP experiencing up to 30 breaches. They also showed up repeatedly, with the average breached MP having their details show up in 4.7 breaches. 

The UK has repeatedly been targeted by state-backed cyberattacks, including from Russia. In December 2023, the UK government accused Russia(new window) of a “years-long cyberattack” on British academics, politicians, and policymakers. It claimed Russia’s FSB was attempting to phish these individuals to spy on their private emails.

With the upcoming general election taking place in the UK, it’s vital that new MPs take their personal — and national — cybersecurity seriously and adhere to strict security processes and protocols for official accounts.  

EU leaks visualization

The EU is also a target

While members of the European Parliament suffered fewer breaches than their British peers, nearly half of the emails we searched for appeared on the dark web. Of the 309 MEPs exposed, 92 were caught up in 10 or more leaks. Politicians in Brussels had their email addresses exposed 2,311 times, along with 161 passwords in plaintext. This is a red alert, as the European Parliament has increasingly become a target of sophisticated attacks and has admitted it’s not prepared.

When Politico(new window) asked about the security of the European Parliament and upcoming elections, an anonymous staffer (who wished to remain nameless due to the sensitivity of the issue) said, “We’re standing with our bare bottoms out and if anyone wants to hack us, like any Chinese threat actor or any state actor, they can”. 

The threats are real. In February, two members and a staffer of the European Parliament’s security and defense subcommittee found spyware on their smartphones(new window). And in March, it was revealed that APT31 (also known as Judgment Panda), a hacking group with ties to Chinese intelligence agencies, was the likely suspect behind an attempted hack of every European Union member(new window) of the Inter-Parliamentary Alliance on China, a coalition of lawmakers critical of the Chinese government.

USA leaks visualization

Thousands of US politicians’ staffers are exposed

We performed the same dark web monitoring for the staffers of US politicians as we did for European politicians (we did not include politicians themselves as their emails aren’t always made public). These staffers have access to reams of sensitive information, and some hold security clearances(new window) to access confidential information. 

While roughly 20% of the 16,543 email addresses we searched for appeared on the dark web, that still means that 3,191 staffers for US representatives and senators have accounts at risk. We also found 1,848 passwords in plaintext alongside these email addresses, representing an incredible number of accounts that could be compromised. 

Nearly 300 congressional staffers had their details exposed in more than 10 leaks, and one of these individuals had 31 passwords in exposed plaintext on the dark web (the most we found among US political staffers). At the very least, these compromised accounts could provide attackers with plenty of information for convincing social engineering attacks.

This is concerning because Washington DC has been one the main targets for attackers around the globe for over a decade. Earlier this year, an unknown attacker attempted to phish dozens of senators(new window) with text messages purporting to be from the White House and Senate Majority Leader Chuck Schumer. In 2023, the Washington Post(new window) reported on Vietnamese state actors attempting to compromise Congressional devices with malicious links shared on X (formerly Twitter). In 2018, the Russian hackers known as “Fancy Bear” were accused of attempting to gain access to at least three congressional candidates’ messages and emails(new window). And of course, Hillary Clinton’s campaign chief, John Podesta, had his email hacked(new window) during the 2016 presidential election. 

The fact that so many US political staffers’ login information is available on the dark web coupled with the volume of attacks they face makes it likely that at least some of these accounts have been compromised. As the USA approaches another contentious election cycle, US political staffers’ cybersecurity practices are a matter of national security. 

Even if you’re not a politician, having your email address leaked can put your accounts and data at risk. Email aliases are an easy solution. Keep your real email private, obscure who you are, and turn off aliases that are compromised with a single click. Get a Proton Pass Plus plan to get unlimited email aliases.

Table of figures showing how much of Italian politicians' sensitive data is exposed on the dark web

Italian politicians’ email addresses may be safe, but their passwords are not. 

A total of 402 instances of email exposure for Italian politicians were found on the dark web, including multiple occurrences of the same addresses. In comparison, British MPs had their emails exposed 2,110 times — over five times more — despite the British House of Commons and the Italian Parliament having a similar number of members.

As in previous investigations, a notable difference in breaches was observed between the two houses of the Italian Parliament. At least one email address was found for 73 of the 400 members of the Assembly (18.2%) but only for 18 of the 209 Senators (8.6%). This contradicts the trend seen in the French Parliament, where 8.8% of the National Assembly had an email address exposed, compared to 33% of the Senate.

Italian politicians also had the most plaintext passwords exposed in Europe (188), despite having only 195 total password exposures. This, combined with the small size of the Italian Parliament, indicates some politicians may be using outdated or unreliable websites.

These exposed email addresses and passwords present significant vulnerabilities that attackers can exploit. The internet has become a key battleground in geopolitics, with Italian politicians and government agencies repeatedly targeted by Russian state-sponsored actors. In May 2023, the pro-Russian group Killnet claimed responsibility for DDoS attacks(new window) on Italy’s parliament, military, National Institute of Health, and other government sites. By August 2023, another pro-Russian group, NoName057(16), attacked(new window) several major Italian banks, and in May 2024, it targeted the websites of Prime Minister Giorgia Meloni(new window) and the Ministries of Infrastructure and Enterprise.

These attacks demonstrate that Russian actors will continue to test Italian officials as long as they support Ukraine.

Table of figures showing how much of Spanish politicians' sensitive data is exposed on the dark web

Spanish politicians have the fewest data leaks we’ve found so far 

Only 6.3% of Spain’s politicians had their information exposed on the dark web, the lowest percentage we’ve seen in our investigations so far. Specifically, 29 of the 350 members of the Spanish Congress and 10 of the 265 members of the Senate had their details leaked. Remarkably, only nine passwords were found in plaintext.

We found Spanish politicians’ outlier performance hard to explain, so we reached out to Ainoa Guillén Gonzalez, a cybersecurity expert based in Madrid and the co-founder of SyndiK8, a cybercrime and threat intelligence research firm. She was slightly surprised by the results, but thinks labor and social movements and how they organize online influenced Spanish politicians’ approach to cybersecurity. “In the early 2010s in Spain, many strikes and protests were organized using Twitter, using social media, using email. Spanish politicians saw this and they also saw how the police and companies monitored social media in an attempt to control these movements. This taught the politicians very quickly the importance of good cybersecurity. And then later on, the Pegasus hacking scandal(new window) reinforced these lessons all over again.”

In 2022, cybersecurity experts detected Pegaus spyware(new window) on the devices of 63 individuals involved in the Catalan independence movement, including then-president of Catalonia Pere Aragonès. Shortly after, the Spanish government revealed that both the prime minister and defense minister had devices infected with Pegasus malware. It was later revealed that this surveillance had taken place over several years, from 2017 to 2020, with at least 18 Catalan figures being monitored with judicial approval. As a consequence, the head of Spanish intelligence resigned(new window). Although the investigation was closed(new window) in 2023 due to a lack of cooperation from Israel, Spain’s highest court ordered prosecutors to reopen the case(new window) in 2024 after receiving new information from French authorities (including claims that French President Emmanuel Macron had also been targeted).

While these events had to have influenced Spanish politician’s attitudes toward cybersecurity, they’re hardly unique. French politicians, to name just one group, likely saw authorities monitor protestors organizing on social media, and they suffered far more breaches. US political staffers lived through the hack of John Podesta’s emails(new window), the campaign manager for Hillary Clinton during the 2016 presidential election, one of the most infamous hacks of recent times, and 20% of their email addresses still appeared on the dark web. 

Chart showing 41% of Danish politicians have personal data exposed on dark web

Over 40% of Danish politicians have email addresses breached

Danish politicians suffered one of the highest rates of having their email addresses breached in Europe, with 41% affected. Data reveals that 74 of the 179 members of the Danish parliament have had their email addresses exposed a total of 555 times on the dark web. One parliamentarian had their address appear 25 times and eight plaintext passwords revealed. This issue is critical as Denmark’s political figures and infrastructure are frequent cyberattack targets.

In June 2024, Denmark’s Center for Cyber Security raised the national cyberthreat level to “Medium”(new window), citing increased risks from Russia. This increase followed a May 2023 incident in which the Russian hacking group NoName057(16) used a DDoS attack(new window) to bring down the Danish Parliament’s website. Shortly after, another group exploited a zero-day firewall vulnerability, compromising 22 organizations overseeing Denmark’s energy infrastructure(new window) — the most extensive cyberattack Denmark has faced. The primary suspect, Sandworm (also called Voodoo Bear and Seashell Blizzard), is affiliated with Russian intelligence and has similarly targeted Ukraine’s energy systems.

Chart showing 18% of Netherlands politicians have personal data exposed on the dark web

Dutch lower house of parliament has higher breach rate than upper house

While the overall exposure rate of Dutch political email addresses on the dark web remains low at 18.2%, a notable difference exists between the two houses of parliament. Out of the 150 members of the Tweede Kamer (lower house), 36 had their emails exposed (24%). Comparatively, only five of the Eerste Kamer’s 75 members (around 6.7%) had their email addresses leaked. This gap is among the largest in Europe, second only to France, where a notable disparity exists between breaches in the National Assembly (8.8%) and the Senate (33%).

The Netherlands has seen repeated attacks on critical networks. In September 2024, all 63,000 members of the Dutch police force had their work-related contacts illegally accessed(new window) by a suspected state actor. In June 2024, Russian hacker group HackNeT launched DDoS attacks(new window), disabling the websites of two political parties during the EU Parliament elections. Additionally, a breach in February 2024 exposed the Dutch military’s network to Chinese hackers(new window). These events underscore the need for stringent cybersecurity measures among Dutch politicians.

Chart showing 16% of Luxembourgish politicians have personal data exposed on the dark web

One Luxembourg politician drives a high password exposure rate

We found the email addresses of only 10 members of Luxembourg’s parliament on the dark web. Luxembourg’s parliament is small, with only 60 members, but this is still on the lower end of the results we’ve seen. However, exposed passwords are a problem for Luxembourgish politicians. We found 38 passwords exposed in plaintext associated with these email addresses, 29 of which belonged to a single politician. While this individual should take action to change all those passwords, they were not the individual facing the most risk that we found during our investigation — that would be a French politician who had 138 passwords exposed in plaintext (and had their email address appear 137 times).

Like other countries, Luxembourgish government sites have been attacked multiple times by Russian hackers. Between late March and early April 2024, a series of DDoS attacks repeatedly disrupted(new window) websites for the ministries of finance and justice(new window), the official statistics agency, and the national health fund, highlighting ongoing cybersecurity vulnerabilities.

Cybersecurity is national security

In our investigation, the affected politicians generally had their details leaked by service providers, like LinkedIn or Adobe. Even if a hostile takeover of one of these accounts won’t grant an attacker (or foreign government) access to state secrets, it could reveal that politician’s private communications or other sensitive data. Attackers could then use this information to phish or blackmail the politicians.

And this is the best possible scenario. If a breached politician reused a password that was exposed on the dark web on one of their official accounts (and failed to use two-factor authentication(new window)), it could let attackers into government systems. 

Sadly, it only takes one error to put your online information at risk. And for a government, it only takes one set of hacked or leaked login credentials to expose classified secrets.

Simple steps can make us all more secure

The internet creates an almost impossible conundrum: It’s almost impossible to go through your day-to-day life without being online, but maintaining your security online is just as difficult. And politicians are just humans like the rest of us. They make mistakes too. And sometimes, even if you do everything right, your information can still end up in hacker databases.

Large companies clearly also deserve a large portion of the blame. As the endless(new window) onslaught(new window) of data(new window) breaches(new window) demonstrates(new window), they must take better care of the account information they collect. However, government officials, especially lawmakers with access to sensitive government information, must have a more robust threat model than the average person. This applies to any public figure — whether an academic, journalist, business executive, etc.

To begin with, no one should use their professional email to create online accounts, especially government officials who have access to secret information. Your email address is your online identity, something that allows Big Tech, advertisers, and sometimes even malicious attackers to follow you around the internet. Using your official government email address for accounts is like shouting, “I am a valuable target”, every time you walk into a room. 

Here are some simple steps that everyone, but especially politicians and anyone else under public scrutiny, should adopt if they’re serious about increasing their account security:

  • Use email aliases – Email aliases obscure who an account belongs to (at least if the alias is exposed in a breach). You can also easily delete an alias that has clearly been leaked or fallen into the wrong hands without affecting your real email address or other aliases. 
  • Use a password manager – A password manager may not prevent services from leaking passwords in plaintext, but it can ensure that each of your accounts is protected with a strong, random, unique password. A good password manager should also make sharing and managing passwords easy, making it less likely you’ll expose a password by writing it down.
  • Use dark web monitoring services – You can do everything correctly and still have your information exposed online by a careless company’s data breach. But if you have dark web monitoring, you’ll be informed the moment your information is detected, letting you change your email address (or, ideally, your email alias) and password before attackers can use it. 

Proton Pass can solve all of these problems. If you choose our Proton Pass Plus plan, you get:

  • Unlimited hide-my-email aliases 
  • A password generator
  • Support for passkeys
  • A built-in two-factor authentication code generator
  • Pass Monitor, which alerts you if your Proton Mail email addresses or aliases appear on the dark web
  • Proton Sentinel, which defends your Proton Account against takeover attacks

Take control of your account security (and, if you’re a parliamentarian, help avert a national scandal) by signing up for a Proton Pass Plus plan today.

Related articles

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.