Hundreds of passwords linked to government departments leaked on dark web

There have also been nine attempts to sell classified UK military and Nato-related documents to “bad actors” – which experts warn could “directly undermine national security”.

The report by NordStellar, a threat exposure management platform that monitors the dark web, says the UK government has “dangerous vulnerability gaps” in its cybersecurity strategy, making it “a prime target for cyber criminals” and raising the risk of sensitive information ending up on the dark web.

One cybersecurity expert warned that the worst type of governmental data breach on the dark web could look like “the Afghan lists on steroids” – a reference to the catastrophic Ministry of Defence data breach of 2022 in which the details of thousands of applicants to a UK resettlement scheme were leaked online, potentially putting thousands of lives at risk.

Among the government departments, the most targeted was the Ministry of Justice, which had 195 passwords leaked on the dark web in the past year. This was followed by the Department of Work and Pensions, which had 122, and the Ministry of Defence, with 111 passwords.

The Home Office, Foreign, Commonwealth & Development Office, Department for Transport, UK Parliament, Department of Health and Social Care and HM Revenue & Customs also had log-in details leaked in the past year.

Vakaris Noreika, head of product at NordStellar, said it was unclear whether the leaked details could be or had been used to access sensitive resources. But he warned that urgent action was needed to fix cybersecurity gaps, and that there was a “growing danger” of major data leaks.

He added that leaked passwords could allow hackers to access critical systems such as police records, databases containing sensitive data belonging to UK citizens, or infrastructure networks such as power grids or the water supply.

Dr Gareth Mott, a cybersecurity fellow at the Royal United Services Institute, who made the reference to the Afghan data breach, told The Independent: “If data was leaked of a sufficiently sensitive nature that it jeopardised UK national security, I don’t want to speculate but, then obviously, that could impact us.

“The consequences of that exposure can be significant, whether it’s political discourse changes or worse trust between the population and the government. Depending on the nature of the data [and] how it’s leaked, the secondary impacts of that could be quite significant, economically or socially.

“The hope would be that they are old passwords for old accounts that are no longer active; that those individuals have moved on to other roles where they’re not using the same passwords... but that’s quite a lot of hoping.

“All it takes is for one account to be active still, and that’s a potential initial attack vector for an external actor, because they’re motivated and know what they’re doing.”

This cyber vulnerability follows a string of institutions and businesses having fallen victim to cyber attacks. The UK’s data watchdog told The Independent that it is “urging the government to go further and faster to raise standards”.

On Tuesday, the National Cyber Security Centre said a “significant threat” posed by Chinese and Russian hackers had contributed to a record number of serious online attacks.

The Legal Aid Agency was hit by a cyber attack in April, when a group is believed to have accessed and downloaded a significant amount of personal data from those who had applied for legal aid through the organisation’s digital service between 2007 and May 2025. No arrests have been made, but the ShinyHunters cyber crime group reportedly claimed on Telegram that it had been responsible for the attack.

In June, HMRC revealed that scammers had stolen £47m from the online accounts of 100,000 people after posing as taxpayers in a phishing attack. Thirteen people were arrested as part of the investigation in Romania, and a 14th man was arrested in Preston.

More recently, two men aged 17 and 22 were arrested by the Metropolitan Police after the nursery chain Kido experienced a cyber attack, with the private data of thousands of children – including names, pictures and addresses – believed to have been leaked on the dark web.

Last month, a man in his forties was arrested over an alleged cyber attack that caused disruption at Heathrow and other European airports.

Jaguar Land Rover, M&S, Harrods and the Co-op are also among businesses that have suffered cyber attacks this year. The dark web-based ransomware groups Scattered Spider and DragonForce claimed joint responsibility for the M&S hack, and the latter said it was behind the Co-op attack. The Hellcat ransomware group claimed responsibility for the attack on Jaguar Land Rover.

The National Crime Agency said four people had been arrested in the UK as part of an investigation into the M&S, Co-op and Harrods incidents.

The National Audit Office (NAO) warned in a report in January that the cyber threat to the UK government was “severe and advancing quickly”. The NAO raised particular concerns around the government’s new cyber assurance scheme, GovAssure, after it found “significant gaps in cyber resilience with multiple fundamental system controls at low levels of maturity across departments”.

“The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow,” the head of the NAO, Gareth Davies, said at the time. “To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.”

A spokesperson for the Information Commissioner’s Office said: “Cyber attacks are on the rise across all sectors, with the government and the public sector seen as a valuable target. People often don’t have a choice on sharing their personal information with these bodies, so they must trust organisations are doing everything they can to protect their data and prevent incidents before they can happen.

“We expect all organisations to have robust security measures in place, such as strong passwords and multi-factor authentication to protect credentials, and appropriate vulnerability management. Government departments and agencies must uphold the highest standards of security.”

A spokesperson for the Department for Science, Innovation and Technology said: “We have robust defences to protect government systems from cyber criminals, and we are going further. That includes launching a new cyber resilience model for government, providing greater support for departments and strengthening our response to fast-moving cyber incidents.

“We’re also responding to the increasing threats facing our country through the Cyber Security and Resilience Bill, which will be introduced later this year to protect the essential services like energy and water supplies, and critical national infrastructure the public relies on.”

A UK Parliament spokesperson said: “Parliament takes cybersecurity extremely seriously. We have robust measures in place, including providing advice to users to make them aware of the risks and how to manage their digital safety, working closely with our partners in the National Cyber Security Centre. We do not comment on specific details of our cyber security controls and policies.”