Revealed: Hundreds of passwords linked to government departments leaked on dark web

Hundreds of passwords linked to government departments have been leaked on the dark web,The Independent can reveal.

A report seen exclusively by this publication reveals more than 700 email addresses and corresponding passwords from across nine government domains have been leaked online in the past year – sparking fears that taxpayers’ sensitive data or “critical systems” such as power grids could be targeted by hackers.

There have also been nine attempts to sell classified UK military and NATO-related documents to “bad actors” – which experts warn could “directly undermine national security”.

The report by NordStellar, a threat exposure management platform which monitors the dark web, says the UK government has “dangerous vulnerability gaps” in its cybersecurity strategy, making it “a prime target for cybercriminals” and raising the risk of sensitive information ending up on the dark web.

One cybersecurity expert warned the worst type of governmental data breach on the dark web could look something like “the Afghan lists on steroids” – a reference to the catastrophic Ministry of Defence data breach where the names of details of thousands of applicants to a UK resettlement scheme were leaked online, putting lives at risk.

Among the government departments, the most targeted was the Ministry of Justice, which had 195 passwords leaked on the dark web in the past year. This was followed by the Department of Work and Pensions, which had 122, and the Ministry of Defence with 111 passwords.

The Home Office, Foreign, Commonwealth & Development Office, Department for Transport, UK Parliament, Department of Health and Social Care and HM Revenue & Customs also had log-in details leaked in the past year.

Vakaris Noreika, head of product at NordStellar, said it is unclear whether the leaked details could or had been used to access sensitive resources. But he warned urgent action was needed to fix cybersecurity gaps – adding there is a “growing danger” of major data leaks.

He added that leaked passwords could enable hackers to access critical systems such as police records, databases containing sensitive data of UK citizens, or infrastructural networks such as power grids or water supplies.

Dr Gareth Mott, a cybersecurity fellow at the Royal United Services Institute (RUSI), who made the reference to the Afghan data breach, told The Independent: “If data was leaked of a sufficiently sensitive nature that it jeopardised UK national security, I don't wanna speculate, but then obviously that could impact us.

“The consequences of that exposure can be significant, whether it's political discourse changes or worse trust between the population and the government. Depending on the nature of the data, how it’s leaked, the secondary impacts of that could be quite significant economically or socially.”

He continued: “The hope would be that they are old passwords for old accounts that are no longer active, those individuals have moved on to other roles where they're not using the same passwords... But that's quite a lot of hoping.

“All it takes is for one account to be active still, and that's a potential initial attack vector for an external actor because they’re motivated and know what they're doing.”

This cyber vulnerability comes at a time when a string of official institutions and businesses have fallen victim to cyber attacks, with the UK's data watchdog telling The Independent that it is “urging the government to go further and faster to raise standards”.

On Tuesday, the National Cyber Security Centre said the “significant threat” posed by Chinese and Russian hackers had contributed to a record number of serious online attacks.

The Legal Aid Agency was hit by a cyber attack in April, when a group is believed to have accessed and downloaded a significant amount of personal data from those who applied for legal aid through the organisation’s digital service from 2007 to May 2025. There have been no arrests made but the ShinyHunters cybercrime group reportedly claimed responsibility for the attack on Telegram.

In June, HMRC revealed that scammers stole £47m from the online accounts of 100,000 people after posing as taxpayers in a phishing attack. Thirteen people were arrested as part of the investigation in Romania. A fourteenth man was arrested in Preston.

More recently, two men aged 17 and 22 were arrested by the Metropolitan Police after nursery chain Kido experienced a cyberattack, with thousands of children believed to have had their private data – including names, pictures and addresses – leaked on the dark web.

Meanwhile, a man in his forties was arrested over an alleged cyber attack that caused disruption at Heathrow, among other European airports, last month.

Jaguar Land Rover, M&S, Harrods and the Co-op are also among businesses that have suffered cyber attacks this year. Dark web-based ransomware groups Scattered Spider and DragonForce claimed joint responsibility for the M&S hack, while the latter said they were behind the Co-op attack. The HELLCAT ransomware group claimed responsibility for Jaguar Land Rover.

The National Crime Agency said four people have been arrested in the UK as part of an investigation into the M&S, Co-op and Harrods incidents.

The National Audit Office warned in a report in January that the cyber threat to the UK government was “severe and advancing quickly”. The NAO raised particular concern with the government’s new cyber assurance scheme, GovAssure, after it found “significant gaps in cyber resilience with multiple fundamental system controls at low levels of maturity across departments”.

“The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow,” the head of the NAO Gareth Davies said at the time. “To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.”

An Information Commissioner’s Office spokesperson said: “Cyber attacks are on the rise across all sectors, with the government and the public sector seen as a valuable target. People often don’t have a choice on sharing their personal information with these bodies, so they must trust organisations are doing everything they can to protect their data and prevent incidents before they can happen.

“We expect all organisations to have robust security measures in place, such as strong passwords and multi-factor authentication to protect credentials, and appropriate vulnerability management. Government departments and agencies must uphold the highest standards of security.”

A spokesperson for the Department for Science, Innovation and Technology said: “We have robust defences to protect government systems from cyber criminals, and we are going further. That includes launching a new cyber resilience model for government, providing greater support for departments and strengthening our response to fast-moving cyber incidents.

“We're also responding to the increasing threats facing our country through the Cyber Security and Resilience Bill which will be introduced later this year to protect the essential services like energy and water supplies, and critical national infrastructure the public relies on.”

A UK Parliament spokesperson said: “Parliament takes cyber security extremely seriously. We have robust measures in place, including providing advice to users to make them aware of the risks and how to manage their digital safety - working closely with our partners in the National Cyber Security Centre. We do not comment on specific details of our cyber security controls and policies.”