Thousands of civil servants’ passwords exposed since early 2024, report says

A new report from the password management company NordPass challenges the assumption that federal institutions are better protected against cybersecurity threats than local governments.
The study, conducted by NordPass and threat exposure management platform NordStellar, found a total of 53,070 passwords belonging to U.S. civil servants were exposed in public sources since the beginning of 2024.
Of the impacted institutions, NordPass found the Department of Defense had 1,897 total exposed passwords, 222 of which were unique. The State Department had 15,272 total exposed passwords, 190 of which were unique, while the U.S. Army had 1,706 exposed passwords, 167 of them unique.
The Department of Veterans Affairs also ranked among the top five most-affected institutions, with 1,331 total password exposures, 53 of which were unique. Seven passwords of White House employees were also compromised, according to the study.
A State Department spokesperson told FedScoop the agency is “committed to cybersecurity across the department.” They said the agency has instituted multi-factor authentication and regularly rotates credentials.
The VA and Pentagon did not immediately respond to a request for comment.
“Although the majority of exposed credentials were traced back to regional and municipality level institutions like administrations and local governments, the national and federal government weren’t spared by cybercriminals either,” the report stated.
Other heavily impacted public-sector institutions included the Washington, D.C., government, where 57 unique passwords were exposed, the city of Virginia Beach, Va., with 46 exposed unique passwords, and the Illinois government.
NordPass noted public-sector employees were more likely to adhere to password standards set by the National Institute of Standards and Technology and more often used complex sequences, mixing letters, numbers and symbols. Complexity alone, however, does not protect a credential once it has been exposed; NIST's current guidance in SP 800-63B emphasizes password length and screening new passwords against known-breached lists over mandatory character-mix rules, and it is the breach screening and multi-factor authentication that matter most for the accounts described here.
Researchers evaluated more than 5,500 organizations across six countries, including presidential offices, national and federal governments, regional and local governments, and municipalities. Analysis spanned credentials exposed from 2024 to 2025, and uncovered thousands of data points, including first and last names, email addresses, phone numbers and other personally identifiable information.
Combining the six countries examined by NordPass, over 91,000 exposed passwords matched email addresses with public-sector domains.
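The report's method, matching exposed records to public-sector email domains and then separating total occurrences from unique credentials, is the same triage an agency's own identity team performs when a new dump appears. The script below is an added illustration of that triage and is not code from NordPass, NordStellar or FedScoop. The records and the domain-to-institution map are constructed for the example; "unique" is taken here to mean a distinct (email, password) pair, which is an assumption rather than the report's stated definition. It also counts records that carry an email address but no password, the phishing-only exposures the report warns about.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records in the normalized shape a breach corpus or stealer
# log is usually reduced to (email, password, source). Made up for this example.
SAMPLE_RECORDS = [
    {"email": "jdoe@example-agency.gov",   "password": "Winter2024!", "source": "dump-a"},
    {"email": "jdoe@example-agency.gov",   "password": "Winter2024!", "source": "dump-b"},  # same pair, reshared
    {"email": "asmith@example-agency.gov", "password": "Spring2025#", "source": "dump-a"},
    {"email": "ASMITH@Example-Agency.GOV", "password": "Spring2025#", "source": "dump-c"},  # differs only by case
    {"email": "asmith@example-agency.gov", "password": "Summer2025$", "source": "dump-e"},  # second password, same mailbox
    {"email": "clerk@example-city.gov",    "password": "password123", "source": "dump-a"},
    {"email": "clerk@example-city.gov",    "password": "",            "source": "dump-d"},  # email only, no password
    {"email": "someone@example.com",       "password": "hunter2",     "source": "dump-a"},  # not public sector
]

# Hypothetical domain-to-institution map; a real run would load the agency's own list.
PUBLIC_SECTOR_DOMAINS = {
    "example-agency.gov": "Example Agency",
    "example-city.gov": "City of Example",
}


@dataclass
class ExposureSummary:
    total: int = 0                               # records whose email fell under the institution
    email_only: int = 0                          # records carrying no password (phishing material only)
    pairs: set = field(default_factory=set)      # distinct (email, password) pairs
    accounts: set = field(default_factory=set)   # distinct mailboxes seen

    @property
    def unique(self):
        """Number of distinct credential pairs, the 'unique' figure in the report's sense (assumed)."""
        return len(self.pairs)


def institution_for(email, domains=PUBLIC_SECTOR_DOMAINS):
    """Return the institution owning the email's domain, or None if it is not public sector."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local:
        return None
    return domains.get(domain.lower())


def summarize(records, domains=PUBLIC_SECTOR_DOMAINS):
    """Group exposed credential records by institution, separating total occurrences
    from distinct pairs and from password-less exposures."""
    out = defaultdict(ExposureSummary)
    for rec in records:
        inst = institution_for(rec["email"], domains)
        if inst is None:
            continue
        email = rec["email"].strip().lower()   # normalize so case variants collapse to one mailbox
        pwd = rec.get("password") or ""
        s = out[inst]
        s.total += 1
        s.accounts.add(email)
        if pwd:
            s.pairs.add((email, pwd))
        else:
            s.email_only += 1
    return dict(out)


def accounts_needing_rotation(records, domains=PUBLIC_SECTOR_DOMAINS):
    """Mailboxes seen with at least one exposed password: the list an identity team
    would feed into a forced reset and an MFA enforcement check."""
    hit = set()
    for rec in records:
        if institution_for(rec["email"], domains) and (rec.get("password") or ""):
            hit.add(rec["email"].strip().lower())
    return sorted(hit)


if __name__ == "__main__":
    for inst, s in summarize(SAMPLE_RECORDS).items():
        print(f"{inst}: total={s.total} unique={s.unique} "
              f"email_only={s.email_only} accounts={len(s.accounts)}")
    print("rotate:", accounts_needing_rotation(SAMPLE_RECORDS))
```

On the constructed sample, "Example Agency" shows five total exposures but only three unique pairs across two mailboxes, which is the same total-versus-unique gap the report's per-agency figures show; the city record with an empty password is counted separately because it carries no login material but still identifies a target for phishing.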
“If affected passwords weren’t updated following the related incidents and multi-factor authentication wasn’t switched on, attackers could have potentially accessed these accounts and other sensitive information, creating data security risks,” the report stated. “Even in instances where a password didn’t match an email address, other exposed data points could be exploited for phishing attacks.”
NordPass, developed by Nord Security, warned that the actual number of compromised credentials may be much higher than the 91,000 identified in the study, as cybercriminals may not immediately share or sell the information.
This story was updated Oct. 15, 2025, to add comment from the State Department.