Proton
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone

In the latest installment of our investigation with Constella Intelligence(nouvelle fenêtre) into the cybersecurity risks politicians face, we found that 41% of Danish members of parliament have had their official email address exposed on the dark web, one of the highest percentages in the EU. We also looked at the Dutch and Luxembourgish parliaments, which had 18% and 16% of their members’ email addresses exposed, respectively.   

Read the original report, which has all our findings to date

The email addresses of Danish, Dutch, and Luxembourgish politicians are available publicly (this is how we found them), so the fact that we found them in dark marketplaces where info is illegally bought and sold isn’t, in itself, a security failure. We’re also not suggesting these parliaments suffered a cyberattack or that this information was stolen. In the vast majority of cases, these official email addresses ended up on the dark web as part of a data breach by a common service provider, like Adobe, Dailymotion, Dropbox, LinkedIn, or news services. 

However, these politicians should never have used their official email addresses to create such an account. This makes it easy for attackers to quickly identify politicians’ accounts. Next, they can check if any passwords are associated with these email addresses. Between the Danish, Dutch, and Luxembourgish politicians we looked at, we found 139 passwords in plaintext. That’s potentially 139 compromised accounts — and it could be many more if any of these politicians reused exposed passwords elsewhere.

We explore the Danish, Dutch, and Luxembourgish leaks in greater detail below and explain why politicians must take their cybersecurity seriously. 

Politicians’ data exposed

We found much more than just emails and passwords during this investigation. While we’re not sharing any identifying information for obvious reasons, sensitive information like dates of birth, residence addresses, and social media accounts were linked to these politicians’ email addresses. (We also informed every affected politician that they had sensitive data exposed on the internet before publishing this article.) 

Attackers can easily buy this information and use it to create convincing phishing campaigns or social engineering attacks.

Number of email addresses searchedNumber of breached email addressesNumber of passwords exposedNumber of passwords exposed in plaintext
Danish Parliament179749369
Dutch Parliament225413532
Luxembourgish Parliament60104338
Chart showing 41% of Danish politicians have personal data exposed on dark web

Over 40% of Danish politicians have email addresses leaked

At 41%, Danish politicians have one of the highest rates of email address breaches in Europe. The email addresses of 74 of the 179 members of the Danish parliament appear a total of 555 times on the dark web. One politician had their email address exposed in 25 separate breaches, along with eight passwords exposed in plaintext. This should be a major concern as Danish politicians and infrastructure have been the target of significant cyberattacks. 

In June 2024, the Danish Center for Cyber Security(nouvelle fenêtre) raised the threat level for cyberattacks to “Medium”, or three out of five, specifying that this was largely due to the threats from Russia. This follows an attack in May 2023 where the Russian hacker group NoName057(16) took the Danish Parliament’s website offline(nouvelle fenêtre) with a DDoS attack. Immediately after this attack, another hacking group exploited a zero-day vulnerability in un-updated firewalls to attack 22 organizations that operate and oversee Denmark’s energy infrastructure(nouvelle fenêtre) in the largest cyberattack in Denmark’s history. The main suspect is Sandworm (also known as Voodoo Bear and Seashell Blizzard), a hacking group affiliated with Russia’s intelligence service that performed similar attacks on Ukraine’s energy infrastructure.

Chart showing 18% of Netherlands politicians have personal data exposed on the dark web

The Netherlands’ lower house of parliament has three times as many breaches as the upper house

While Dutch politicians had relatively few email addresses exposed on the dark web overall (18%), there is a major discrepancy between the lower house (Tweede Kamer) and the upper house (Eerste Kamer). We searched for all 150 Tweede Kamer members’ email addresses and found 36 of them, or 24%. Meanwhile, out of the 75 members of the Eerste Kamer, we found the official email addresses for only five, roughly 6.7%. It’s the second largest disparity between houses we’ve seen in our investigation — only France has a higher one. There, 8.8% of the National Assembly had their email address exposed compared to 33% of the Senate.

The Netherlands has suffered multiple cyberattacks targeting critical networks. In September 2024, an unspecified “state actor” accessed the work-related contact information of all 63,000 members of the Dutch police force(nouvelle fenêtre). Just three months earlier, as the elections for the EU Parliament began in June, the Russian hacker group HackNeT took down two Dutch political parties’ websites(nouvelle fenêtre) using DDoS attacks. And in February 2024, authorities revealed that Chinese hackers had broken into the Dutch military’s network(nouvelle fenêtre). This represents multiple failures to protect sensitive information in the span of a year, underlining why politicians must be careful. 

Chart showing 16% of Luxembourgish politicians have personal data exposed on the dark web

Luxembourg politicians have most passwords exposed per individual

Luxembourg has a relatively small parliament, but we still only found the official email addresses of 10 of its 60 members on the dark web (16%). However, Luxembourgish politicians have had a lot of passwords exposed and in plaintext — 38 to be exact — more than the entire Dutch parliament. However, this seems to be driven by one politician who had 29 of their passwords exposed in plaintext. While this is high and a major security vulnerability — each plaintext password is potentially a compromised account — it’s still nowhere near the worst offender we found in our investigation. That remains the French politician who had 138 passwords appear in plaintext on the dark web (their email appeared 137 times as well). 

Similar to other countries we’ve looked at, Luxembourg has had multiple government websites taken down due to DDoS attacks by Russian hackers. For one two-week stretch in 2024, from the end of March through the beginning of April, Russian hackers attacked websites(nouvelle fenêtre) for the ministries of finance and justice, Luxembourg’s official statistics agency, and its national health fund, taking them offline repeatedly(nouvelle fenêtre)

We all must be more secure online – but especially government officials

As the examples above show, state actors affiliated with China and Russia are persistently probing European countries for any cracks in their cybersecurity. Even if none of these exposed email addresses leaked confidential information, they could be added to attackers’ databases, giving them one more piece of information they can leverage. And if a politician reused an exposed password on an official account (and neglected to use two-factor authentication), that could directly lead to a massive leak. 

We can all learn from this. One of the biggest things to take away is you should never expose any personally identifiable information unnecessarily. Or, in this case, you should never use your professional email to create online accounts, especially if you’re a government official with access to secret information. Breaches happen all the time. If you create accounts using a government email, it’s only a matter of time before one will be leaked in a data breach. Then attackers instantly know they have information on a high-value target. 

Here are some other easy steps that everyone — but especially politicians and other high-profile or public figures — can take to strengthen their account security:

  • Use email aliases: Email aliases hide your real email address while still letting you send and receive emails. If you never share your real email address, it can’t be leaked in a data breach. You can also delete aliases that have been exposed in leaks without needing to reset all your other accounts.
  • Use a password manager: A password manager makes it easy for you to use a strong, random, and unique password for each of your accounts. It should also provide ways to securely share passwords, making it easier to avoid having them fall into the wrong hands. 
  • Use dark web monitoring services: Given how much trust we’re forced to give the companies we create accounts for, everyone should use some form of dark web monitoring to alert you if your information appears in these illegal marketplaces. This at least gives you a chance to update your email (or email alias) and password before anyone can exploit it.

Proton Pass can solve all of these problems. If you choose our Proton Pass Plus plan, you get:

  • Unlimited hide-my-email aliases
  • A password generator
  • Support for passkeys
  • A built-in two-factor authentication code generator
  • Pass Monitor, which alerts you if your Proton Mail email addresses or aliases appear on the dark web
  • Proton Sentinel, which defends your Proton Account against takeover attacks

Take control of your account security (and, if you’re a parliamentarian, help avert a national scandal) by signing up for a Proton Pass Plus plan today.

Protégez vos mots de passe
Créer un compte gratuit

Articles similaires

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
en
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
en
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
en
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
en
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
en
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
en
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.