Wag the password: Public sector suffers from password exposure
How well do governments handle password security?
For years, NordPass has analyzed exposed passwords belonging to businesses and individuals. For the first time, in 2025, we looked at the passwords used by public sector employees.
Leaks and breaches in the public sector are particularly dangerous. They affect not only the organization and its employees but can threaten the security of citizens at large.
Cybersecurity incidents related to public sector passwords may also pose a serious risk to a country’s strategic interests.
Research breakdown
Methodology
Threat exposure management platform NordStellar monitored passwords from public sector institutions in the United States, the United Kingdom, Canada, France, Italy, and Germany, based on their email domains.
5,500 organizations
The research covers over 5,500 organizations in six countries, monitoring national and federal parliaments, presidencies, local and regional governments, municipalities, and other public institutions.
Data exploitation
The analysis covered credentials exposed in 2024-2025 to account for recency, password relevance, and potential use to access civil servants’ accounts.
Overview of data exposure in the public sector
Based on the findings, thousands of data points belonging to public sector employees in six countries, including email addresses, first and last names, phone numbers, and other personally identifiable information, have been exposed since the beginning of 2024.
Country | Number of exposed passwords | Number of unique exposed passwords |
---|---|---|
United States | 53,070 | 2,241 |
France | 19,538 | 1,805 |
Italy | 13,613 | 1,502 |
United Kingdom | 3,014 | 434 |
Germany | 1,365 | 150 |
Canada | 506 | 77 |
Among all exposed data points, we identified over 91 thousand passwords matching email addresses with relevant public sector domains.
If affected passwords weren’t updated following the related incidents and multi-factor authentication wasn’t switched on, attackers could have potentially accessed these accounts and other sensitive information, creating serious data security risks.
Even in instances where a password didn’t match an email address, other exposed data points could be exploited for phishing attacks.
Risks lurk at every governing level
Our findings have debunked the common misconception that national and federal institutions are better protected against cybersecurity threats and that local public sector organizations are more susceptible to attacks.
Although the majority of exposed credentials were traced back to regional and municipal institutions such as administrations and local governments, national and federal governments weren’t spared by cybercriminals either.
Passwords and other personally identifiable data can be stolen without a major breach or the exploitation of an organizational vulnerability. Cybercriminals can use social engineering against individual employees, or breach other organizations that handle data related to public sector institutions.
Institution (email domain) | Unique / total exposed passwords |
---|---|
U.S. Department of Defense (mail.mil) | 222 / 1897 |
U.S. Department of State (state.gov) | 190 / 15272 |
U.S. Army (army.mil) | 167 / 1706 |
Government of the District of Columbia (dc.gov) | 57 / 562 |
U.S. Department of Veterans Affairs (va.gov) | 53 / 1331 |
City of Virginia Beach (vbgov.com) | 46 / 318 |
Government of Illinois (illinois.gov) | 38 / 879 |
U.S. Coast Guard (uscg.mil) | 27 / 393 |
Government of Utah (utah.gov) | 25 / 514 |
Government of Michigan (michigan.gov) | 23 / 3161 |
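As an added example (not NordStellar's or NordPass's own code), the following script shows how the domain matching described in the methodology and the per-domain "unique / total" figures in the table can be derived from leak records: records are kept only when the email domain is on a public-sector watch list, total and distinct exposed passwords are counted per domain, and passwords shared by several accounts are flagged for follow-up. The sample records are constructed, and reading "total" as a count of every exposed record (so a credential seen in two dumps counts twice) is an assumption.

```python
from collections import defaultdict

# Constructed sample leak records (email, password); every value is invented.
SAMPLE_RECORDS = [
    ("alice@state.gov", "Summer2024!"),
    ("alice@state.gov", "Summer2024!"),   # same credential seen in a second dump
    ("bob@state.gov", "Summer2024!"),     # same password reused by another employee
    ("carol@mail.mil", "P@ssw0rd"),
    ("dave@mail.mil", "Welcome1"),
    ("eve@example.com", "hunter2"),       # not a monitored public-sector domain
    ("Frank@State.GOV", "Tr0ub4dor&3"),   # domain match must be case-insensitive
    ("not-an-email", "x"),                # malformed record is skipped
]

# Domains from the report's table; a subdomain such as sub.state.gov also matches.
WATCHED_DOMAINS = {"mail.mil", "state.gov", "army.mil", "dc.gov", "va.gov"}

def watched_domain(email, watched=WATCHED_DOMAINS):
    """Return the watched domain an address belongs to, or None."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.lower()
    for cand in watched:
        if domain == cand or domain.endswith("." + cand):
            return cand
    return None

def aggregate(records, watched=WATCHED_DOMAINS):
    """Per watched domain: (unique passwords, total exposed records).
    Total counts every record, so a credential seen in two dumps counts twice;
    unique counts distinct password strings (assumed reading of the report's columns)."""
    totals, uniques = defaultdict(int), defaultdict(set)
    for email, password in records:
        dom = watched_domain(email, watched)
        if dom is None:
            continue
        totals[dom] += 1
        uniques[dom].add(password)
    return {d: (len(uniques[d]), totals[d]) for d in totals}

def reused_passwords(records, watched=WATCHED_DOMAINS):
    """Passwords shared by more than one distinct account within watched domains,
    i.e. the accounts most exposed to credential stuffing after a leak."""
    owners = defaultdict(set)
    for email, password in records:
        if watched_domain(email, watched) is not None:
            owners[password].add(email.lower())
    return {pw: sorted(accts) for pw, accts in owners.items() if len(accts) > 1}
```

On the sample data, `aggregate` yields `state.gov: 2 / 4` and `mail.mil: 2 / 2`, and `reused_passwords` reports the one password shared by two accounts.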
Exposure threatens national institutions
Our analysis focused particularly on passwords used by employees at the national and federal levels — parliaments, governments, ministries, departments, and presidential administrations — across six countries.
The findings are alarming: even employees working at these critical national institutions can be affected by password exposure, as seven compromised passwords were linked directly to the White House.
Findings
Key takeaways
Although over 91 thousand exposed passwords were found during the research period, the real number of compromised credentials may far exceed that. Cybercriminals don’t share or sell their loot right away — it may take months or even years for a password compromised today to show up on the dark web or illicit marketplaces.
Although many officials and public sector employees experienced data loss that did not directly impact their passwords, it doesn’t mean their personally identifiable data is safe. The scope of data exposure affected other information, such as names, addresses, phone numbers, autofill data, and cookies — all of which can be leveraged in future attacks, like social engineering.
Public sector employees were more likely to adhere to password usage recommendations set by the National Institute of Standards and Technology (NIST), a US government agency under the Department of Commerce. Compared to personal and business passwords, public sector credentials were more likely to be complex, using a mix of letters, numbers, and special symbols.
Best tips for password safety
Reduce the risk of account compromise caused by poor credential management by following the password management practices recommended by cybersecurity experts at NordPass.
Use strong passwords or passphrases
We recommend using passwords that are at least eight characters long and include a random mix of upper- and lowercase letters, numbers, and special symbols. Similarly, consider using passphrases — a long string of random words that only you know and use to authenticate your identity.
Never reuse passwords
The key rule to account security is using unique passwords for every account. If you reuse the same password for multiple accounts and one of them gets breached, the rest of your accounts with the same login credentials will be at risk of being compromised too.
Set up a password policy for your organization
Create a centralized standard for every employee to help safeguard employee accounts and sensitive data. With a password manager, companies can effectively manage credentials by setting up rules within the organization or specific departments. Some password managers like NordPass include additional security features like Data Breach Scanner and Password Health to alert employees if their data is vulnerable or breached.
Turn on multi-factor authentication (MFA)
Add an extra layer of security to your organization’s accounts. Multi-factor authentication helps maintain more secure access to internal systems and email accounts, keeping cybercriminals out even if a password gets breached.