Based on the names mentioned I searched for their email addresses in password dumps and they all match the large 500M+ lists (anti public and exploit.in - covered here[0]) that have been available on some of the credential-stuffing and hacking forums since late last year. They are aggregate lists composed of MySpace, LinkedIn and other breaches.
It appears someone has grepped out parliament.uk emails from those leaks and then published it separately, the earliest mention of such a list that I can find online is from mid-May.
The credential stuffing and darkweb markets are full of such lists as the scammers attempt to make a dollar or two from content that is otherwise publicly available by slicing it in interesting or appealing ways.
I doubt any of the credentials would have worked against the parliament Office 365 login[1] as either the IT admins would have noticed, and/or the list is old enough where it would have been noticed far earlier plus Office 365 even without MFA enabled or enforced will usually require an email or SMS confirmation for a new device login or a login that doesn't match user pattern.
The story mentions they disabled logins, but it appears to still work. This is likely just a precaution from the IT department over what is a relatively minor issue since it is easier to pretend you're doing something rather than having to explain to the media that this is an old issue and not that big a deal.
Yup, completely agree with this. I know I've mentioned it on HN before, but credential stuffing is unfortunately common practice and is a huge reason not to reuse passwords - especially if they've been leaked.
We see credential stuffing attacks regularly - some from folks just trying their luck (using known tools and scripts such as Sentry-MBA). Others are a little more advanced and persistent, looking to gather information from successful logins which they can then re-sell on the various shifty marketplaces.
Sites that have monetary value are particularly high value targets. If you have a site which reveals key personal information such as addresses and credit card info (last 4 etc.), these will likely be scraped.
If you have a site that can order goods, successful accounts will be scraped to see if they have a valid and active card associated with them, allowing them to be sold for a higher price.
If you have a site which collects points (think airlines or hotels), these too will be scraped and sorted, allowing them to market those with higher points for more cash.
Where possible, use 2FA, and always use a different password for each website. Password managers sometimes get a bad name, but they're much better than using the same password everywhere.
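As an added example (not code from any commenter here), a small defender-side detector run over constructed authentication log lines: it separates the credential-stuffing pattern described above (one source, many distinct accounts, mostly failures) from single-account brute force, and lists the accounts where a reused password actually worked so they can be reset first. The log format, thresholds, addresses and sample data are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in an assumed "timestamp source_ip user result" format.
# 203.0.113.5 sprays many accounts (stuffing), 198.51.100.9 hammers one
# account (brute force), 192.0.2.7 is an ordinary user.
SAMPLE_LOG = """\
2017-06-24T10:00:01 203.0.113.5 alice@example.org FAIL
2017-06-24T10:00:02 203.0.113.5 bob@example.org FAIL
2017-06-24T10:00:02 203.0.113.5 carol@example.org SUCCESS
2017-06-24T10:00:03 203.0.113.5 dave@example.org FAIL
2017-06-24T10:00:03 203.0.113.5 erin@example.org FAIL
2017-06-24T10:00:04 203.0.113.5 frank@example.org FAIL
2017-06-24T10:01:00 198.51.100.9 alice@example.org FAIL
2017-06-24T10:01:05 198.51.100.9 alice@example.org FAIL
2017-06-24T10:01:09 198.51.100.9 alice@example.org FAIL
2017-06-24T10:01:12 198.51.100.9 alice@example.org FAIL
2017-06-24T10:01:15 198.51.100.9 alice@example.org FAIL
2017-06-24T10:02:00 192.0.2.7 grace@example.org SUCCESS
2017-06-24T10:02:30 192.0.2.7 grace@example.org SUCCESS
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in

def parse_log(text):
    """Aggregate per-source counters from the assumed log format."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
    return stats

def classify(s, min_users=5, min_attempts=5, fail_ratio=0.6):
    """Stuffing = many accounts from one source, mostly failing; brute force = one account."""
    if s.attempts < min_attempts or s.failures / s.attempts < fail_ratio:
        return "normal"
    if len(s.users) >= min_users:
        return "credential-stuffing"
    return "brute-force" if len(s.users) == 1 else "suspicious"

def analyse(text, **thresholds):
    """Map each source to (label, accounts to reset because a reused password worked)."""
    report = {}
    for ip, s in parse_log(text).items():
        label = classify(s, **thresholds)
        hits = sorted(s.successes) if label == "credential-stuffing" else []
        report[ip] = (label, hits)
    return report
```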
Why don't these people use 2 factor auth like a yubikey? And not sms because it can be hacked and redirected. I know the reason, they are not wanting these non-technical foofaws to be slightly inconvenienced. And they'd lose their second factors even if they had them - too bad, you shouldn't be able to get an official email without it. Give everyone a couple of those keys, put one on their keychain, one in their computer at home, one in their work computer. They'd be so much safer.
Constituents can email their MPs and I'd imagine they all share the same few email servers. It's not hard to imagine that someone thought they'd 'have a go' (as was the case during the election period), and the reaction by Parliament has so far been a precautionary one.
FTA:
> stolen data revealed the private login details of 1,000 British members of Parliament and parliamentary staff, 7,000 police employees and more than 1,000 Foreign Office officials.
Not sure how that wouldn’t be treated as a cyberattack. Note, the word used was not ‘hack’ - not all cyberattacks are hacks.
Seems the NYT changed the title to remove the 'hack' insinuation.
> stolen data revealed the private login details of 1,000 British members of Parliament and parliamentary staff, 7,000 police employees and more than 1,000 Foreign Office officials.
That was reported last week. The attacks happened months ago. (Why do I even bother?)
To what extent are our security problems the result of feature creep and an inability to lock down simple protocols? For all the bloviating about national borders and so on, if a country can't secure its own legislature then its institutions are broken.
I wouldn't get too grandiose about saying the institutions are broken. It's just email, why not consider it like postal mail? Definitely not good, definitely needs to be fixed, but also definitely does not mean the legislature entirely is not secured or that institutions are all broken.
It is critical infrastructure. There are two parts: a.) mimic the thing our predecessors created: postal mail was so important that they had a person on a steed ride across barren land for days to deliver a message; b.) how do we adapt the modern equivalent. It's not so hideous for someone to make a copy of the payload on the horse, is it? It's not good to copy it. But it's much worse if the original is compromised: faked message or faked originator or destroyed.
It demonstrably doesn't fulfil that need; GP's point, I think, is that postal mail has (perhaps more obvious, especially outside HN) vulnerabilities that were coped with for millennia.
Not sure why this is downvoted. The main reason systems aren't secure is lack of simplicity.
To put it another way, pentesting is almost always the art of exploiting complexity. It's true that you can have a system that's both simple and broken, but that's the exception.
Some of the most effective security measures actually increase complexity.
Two-factor authentication increases complexity in every measurable way but mitigates against a number of softer attacks.
Adding encryption adds a ton of complexity but effectively removes all man-in-the-middle attacks.
The simplest way of storing passwords is in plaintext.
Privilege separation is far from the simplest way of structuring a daemon, but it effectively prevents exploits in the complex parts from allowing an attacker to gain remote root access.
Perhaps it is more that superfluous complexity is the problem.
I think we're talking past each other. Complexity probably refers to anything beyond essential complexity. In the systems you mention, they all lack complexity by that definition.
> The main reason systems aren't secure is lack of simplicity.
I don't think it's that simple.
There are two ways you can look at simplicity:
1. The lack of needless complexity, which is just another way of saying something is well built
2. Smaller modular components that do less and have clearer interfaces, i.e. the unix way.
If you mean the 1st, then sure, the main reason systems aren't secure is lack of being well built.
But if you mean the second, all you're really doing is taking security concerns and spreading them out over more components. This makes them easier to reason about, but also means more entities need to reason about them. Like all things in engineering there are only trade offs, no pure wins.
That's what I was thinking. It seems like fundamental infrastructure should be boring but bulletproof, like mission-critical software in military or surgical applications.
National institutions have indeed begun their long slide into irrelevance. Ray Kurzweil, a big shot at Google, already wrote about that. Anything that existed before the widespread commercialization of the internet cannot remain the same, after. I am waiting for news of the inevitable to break loose. A group of disgruntled people setting up internet infrastructure to literally organize the decimation of state officials. They will end up dying like flies. As soon as the first guys do that, there will be no stopping it. The national state uses force to enforce its views, while they no longer have a credible monopoly on the use of force.
[0] https://www.cert.govt.nz/businesses-and-individuals/recent-t...
[1] https://intranet.parliament.uk