Nearly 800 Hungarian authorities e mail addresses and related passwords are circulating on-line, revealing fundamental vulnerabilities within the safety protocols of ministries concerned in categorised and delicate work.
A Bellingcat evaluation of breach information reveals that 12 out of the federal government’s 13 ministries have been affected, which in some circumstances have uncovered the confidential info of army personnel and civil servants posted overseas.
Amongst these affected had been a senior army officer chargeable for info safety, a counter terrorism coordinator within the overseas affairs division, and an worker whose position was to establish hybrid threats towards the nation.
The revelations come as Hungarians head to the polls this Sunday to determine if Viktor Orbán, chief of the right-wing populist social gathering Fidesz and the nation’s longest-serving prime minister, will probably be elected to a fifth consecutive time period.
This isn’t the primary time that deficiencies within the Hungarian authorities’s IT safety have been revealed. In 2022, forward of Hungary’s final election, Direkt36 reported that Russia’s intelligence companies had gained entry to the pc community of the Hungarian overseas ministry, together with its inner communications channels.
It mentioned Russian cyber assaults towards the Hungarian authorities had been occurring for a minimum of a decade and prolonged to the overseas ministry’s encrypted community for transmitting categorised information and confidential diplomatic paperwork.
On the time, the overseas ministry denied it had been hacked. However in 2024, information outlet 444 printed a letter that had been despatched from Hungary’s Nationwide Safety Service to the overseas ministry six months earlier than the cyberattack was first reported. The letter linked the assaults to Russia and described greater than 4,000 workstations and 930 servers as “unreliable”.
As a part of this new evaluation, Bellingcat recognized a complete of 795 distinctive e mail and password mixtures amongst hundreds of search outcomes for Hungarian authorities domains in breach databases. Key departments that deal with the nation’s governance, defence, overseas affairs and funds had been the worst affected.
The evaluation doesn’t embody central authorities businesses that function beneath the federal government’s official ministries and use separate domains, such because the tax and customs administration or the police – that means breaches affecting authorities workers may very well be much more widespread.
The findings will not be proof of high-tech infiltration of Hungarian authorities programs. As an alternative, our evaluation signifies that the breaches are extra doubtless the results of poor digital hygiene. In lots of circumstances, employees used easy passwords together with their authorities e mail addresses for what seem like non-work-related issues, reminiscent of signing as much as courting, music, sport and meals web sites.
Some authorities staff used easy-to-guess passwords reminiscent of variations of the phrase “Password” or the quantity sequence “1234567”. One worker whose credentials had been uncovered within the 2012 LinkedIn hack used the password “linkedinlinkedin”. One other, within the defence ministry, used their surname. One leaked password from an worker within the overseas affairs ministry was “embassy13hungary”.
A number of breaches additionally contained telephone numbers, addresses, dates of beginning, usernames and IP addresses – information that, when uncovered, may pose safety dangers.
Moreover, a search of breach databases confirmed situations the place computer systems have been contaminated with malware designed to steal login credentials. These information present that 97 machines throughout Hungarian authorities departments had been compromised, with stealer logs from as just lately as final month discovered within the information.
Bellingcat contacted the Hungarian authorities’s spokesperson and the Prime Minister’s workplace, however didn’t obtain a response.
The Weakest Hyperlink: Looking Breach Information
Breach databases are giant collections of credentials harvested from earlier cyber incidents. These databases could be searched by area to establish e mail addresses belonging to a selected organisation, firm or authorities.
Bellingcat used Darkside, a paid service by District 4 Labs, to go looking the principle e mail domains assigned to every of the Hungarian authorities’s 13 ministries.
In whole, 795 breaches containing authorities emails and related passwords had been recognized. However most – 641 breaches – had been linked to simply 4 central establishments.
Within the examples detailed under, employees have been anonymised. Nevertheless, Bellingcat has confirmed these accounts are real by cross-checking the staff named within the breaches towards media stories and on-line profiles, reminiscent of LinkedIn.
Ministry of Inside – this “super-ministry” oversees every little thing from well being and training to the police, immigration, catastrophe administration and native authorities
Bellingcat recognized 170 units of emails and passwords linked to the area utilized by the ministry answerable for home affairs. Passwords utilized by employees on this division included “Arsenal” and “Paprika”. Some used passwords that contained solely three or 4 letters. We traced these accounts to skilled profiles and authorities net pages itemizing each junior and senior employees.
One senior official within the jail service used the password “adolf”. After it appeared in breach databases the password was modified twice – first to a five-digit quantity after which to what gave the impression to be the title for a pet canine. The passwords had been subsequently breached once more. Bellingcat recognized this worker via a number of situations of their title and e mail deal with being listed on public-facing documentation, together with a press launch celebrating an award for excellent skilled work.
Ministry of Defence – chargeable for nationwide defence coverage and directing the nation’s defence forces
The credentials of employees working for the Ministry of Defence had been present in 120 compromised information. This features a 2023 breach of NATO’s eLearning companies which resulted in 42 information containing emails, passwords and telephone numbers turning into public.
The breaches peaked in 2021 however continued as much as 2026. Included within the information had been stealer logs, indicating that machines inside the division could have been contaminated.
Navy personnel from junior ranks to command positions had been recognized. A Brigadier Basic used a typical six letter nickname, based mostly on his personal, to enroll to a movie pageant. A Colonel specialising in “info safety” took inspiration from an English soccer supervisor for his password: “FrankLampard”. A district director used the password “123456aA”, whereas a high-ranking member of Hungary’s delegation to NATO used a password that interprets in English to “cute”.
Ministry of International Affairs and Commerce – chargeable for worldwide relations, Hungarian embassies and consulates function beneath the course of the division
The credentials of present and former overseas affairs personnel have been uncovered in dozens of knowledge breaches from 2011 to February 2026. In whole, there have been 107 e mail and password mixtures linked to this authorities ministry.
Among the many employees affected was a deputy head of mission, consuls, diplomats and communications personnel posted in Europe, the Americas and the Center East. These embody a counter terrorism coordinator, an EU spokesperson, and a person whose position was to establish hybrid threats to Hungary.
Though the breaches peaked in 2020, with emails being present in 42 separate breaches listed by Darkside, MFA emails have been circulated, typically with passwords, in 36 separate breaches for the reason that starting of 2024. The newest breaches had been in 2026.
Easy passwords seem to have left Hungary’s overseas affairs ministry weak. In some circumstances, workers used a password that consisted of their very own title and a two digit quantity. Others appeared to take inspiration from popular culture: “porsche911”, “frogger” and “Batman2013” are examples of actual passwords utilized by employees.
Ministry of Nationwide Economic system – oversees financial coverage and monetary technique, together with price range preparation and decreasing nationwide debt
Bellingcat’s evaluation reveals that employees within the Ministry for Nationwide Economic system suffered 99 breaches. The Ministry of Finance, which was merged into this division in 2025, had suffered 145 breaches.
Among the many breached information had been the credentials of a deputy state secretary, who used the password “snoopy”. Different employees members used their date of beginning or the phrase “Jelszo” – the Hungarian phrase for password.
A senior advisor who at present works within the ministry had their credentials breached 4 occasions utilizing 4 totally different passwords, together with “Kurvaanyad1” (roughly translated to “your mom is a wh**e”).
Cybersecurity Not Taken Severely
Szabolcs Uninteresting, a political analyst and the previous editor-in-chief of the unbiased Hungarian information web sites Index and Telex, mentioned the federal government had didn’t prioritise information safety.
“It’s clear from the info breaches which have come to mild that authorities businesses didn’t take information safety critically,” he mentioned.
“This suspicion arose even when Russian hackers breached the overseas ministry’s IT system. That’s the reason I consider Hungarian politicians and the general public will interpret this new info as a continuation and affirmation of the Russian hacking story.”
Uninteresting added that he was not conscious of any investigation having been launched following the 2022 revelations of the Russian hack.
Kata Kincső Bárdos, a cybersecurity skilled in Hungary, mentioned it was obscure why stricter controls wouldn’t be constantly enforced in authorities environments dealing with delicate information.
She mentioned governments mustn’t solely apply baseline guidelines for passwords – reminiscent of that employees use lengthy, distinctive passwords and multi-factor authentication (MFA) – but additionally constantly monitor for compromised credentials and suspicious entry patterns.
“With out MFA, programs grow to be considerably extra weak to frequent assault strategies reminiscent of phishing and credential stuffing,” she mentioned. “A single compromised password can present quick entry to inner programs.”
Bárdos added that unauthorised entry to authorities programs ought to routinely set off incident response procedures, investigation and containment measures.
“It’s also vital to notice that focusing on lower-level workers is a well-documented and customary tactic,” she mentioned. “Attackers incessantly acquire preliminary entry via phishing or weak credentials after which transfer laterally inside programs.”
Bellingcat’s Ross Higgins and investigative journalist Eva Vajda contributed to this text.
Bellingcat is a non-profit and the power to hold out our work depends on the type assist of particular person donors. If you need to assist our work, you are able to do so right here. It’s also possible to subscribe to our Patreon channel right here. Subscribe to our E-newsletter and observe us on Bluesky right here, Instagram right here, Reddit right here and YouTube right here.
