Ministry of Defence password breaches came from weak security

New research has revealed that more than 3,000 passwords belonging to UK civil servants have been publicly exposed since the start of 2024. Institutions that were among the most affected are the Ministry of Defence (MoD), the Ministry of Justice, Department for Work and Pensions, and the UK Parliament.

NordPass, in collaboration with the cybersecurity platform NordStellar, published the findings. They show the MoD among the top three government departments with compromised credentials.

The Ministry of Defence can’t even defend itself

Researchers discovered 111 passwords linked to the Ministry of Defence in publicly available or dark-web databases. This is the same department that claims to safeguard the nation’s most sensitive military data.

This is not a hostile foreign power infiltrating Britain. It is Britain’s own bureaucracy shooting itself in the foot.

Every week, government ministers flock to the despatch box with the same script. Time and time again, these same phrases echo from ministers week after week: “security threats”, “safeguards” and “national defence”. The narrative is clear: there are dangerous outsiders who threaten the safety of the British people, and the state must remain vigilant.

But these new revelations force a different question. How can a government that can’t secure its own logins claim to secure an entire nation?

111 leaked passwords might sound minor, but in the world of defence networks, one breach is enough to compromise an entire system.

Hollow rhetoric

Karolis Arbačiauskas, head of product at NordPass, said:

Exposure of sensitive data, including passwords, of civil servants is particularly dangerous. Compromised passwords can affect not only organizations and their employees but also large numbers of citizens.

Researchers found that many of these passwords were weak, recycled or linked to multiple accounts. Some had been circulating for months. The study warns that such exposures pose a “serious risk to a country’s strategic interests”, especially when tied to official email domains.

Espionage doesn’t happen, in today’s age, by secret agents stealing briefcases from a secret safe somewhere. It happens through forgotten logins, poor credential management and lazy IT systems.

What adds insult to injury is that the NordPass study revealed that many of these breaches originated not from sophisticated hacks but from basic user error. Things like officials registering work emails on third-party sites or reusing passwords across platforms.

Despite all the rhetoric about strength and defiance, the UK’s digital defences look alarmingly hollow. The Ministry of Defence has effectively left 111 doors open online, yet it is ordinary people who face the full force of the law for exposing state failures.

The state goes after the good Samaritans who dare to expose power instead.

When Palestine Action breached a Ministry of Defence (MoD) airbase earlier this year to protest Britain’s arms exports to Israel, the government didn’t call it civil disobedience, whistleblowing, or protest. It called it terrorism. Their actions were condemned as a grave security risk, an ‘attack on the nation’.

And yet, at the very same time, the Ministry itself was caught leaking passwords into the public domain. If trespassing on an airbase makes you a terrorist, what does it make a government department that leaves its virtual front gate unlocked?

Featured image via British Army/YouTube screenshot