“This is the tip of the iceberg from what appears to be a massive data breach of government credentials, Australia-wide, by a third party.
“We will need to work to verify and investigate this thoroughly.”
A spokesman for the Australian Cybersecurity Centre said it “does not comment on operational and intelligence matters”.
Australian government systems were not hacked to retrieve the login details, the firm said. Rather, usernames and passwords had been collected from people who had used government logins to access websites around the internet.
For example, hackers may have stolen the credentials of an Australian government employee who used their departmental email to log in to another service like Netflix or Twitter. That means thousands of the usernames and passwords found in the database appear to be government email addresses, and the passwords may not be ones used for accessing government websites.
Shield Corporate Security said the hacking entity offering to share the database with others on the dark web forum is believed to have been collecting the data since at least 2020.
It comes a few weeks after a security researcher said more than 200 million emails had been stolen from Twitter users, with fears there would be a rise in efforts to use the data to phish and doxx people, that is, to publicly release their personally identifiable information. Twitter has not commented on the claims reported in a Reuters story on Friday.