MPs and their staff have been warned that hackers who tried to access the parliamentary network last week are cold-calling users in a bid to trick them into divulging their log-ins.
An official statement last Monday claimed hackers were attempting unauthorized access into the accounts of lawmakers and parliamentary staff, with a small number compromised as “a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service”.
It is believed that the attackers used classic “brute force” techniques to crack the credentials.
However, an email sent to parliamentary users on Thursday is said to have warned of follow-on attacks.
According to The Telegraph, the email read:
"This afternoon we've heard reports of parliamentary users being telephoned and asked for their parliamentary username and password.
"The caller is informing users that they have been employed by the digital service to help with the cyber-attack. These calls are not from the digital service. We will never ask you for your password."
A spokesperson confirmed that only a “small number of parliamentary users” were targeted, with the visher claiming “to be employed by ‘Windows’ on behalf of the Parliamentary Digital Service”.
The incident highlights the need for sound user education in the face of increasingly persistent online miscreants.
In related news, the Government Digital Service (GDS) has forced users to change their passwords after a database of usernames and email addresses was found publicly exposed during a review.
Passwords were hashed, but the GDS forced a reset for data.gov.uk users out of caution.
Users were also urged to change their log-ins on any other sites where they had reused the same password, according to the BBC.
There are said to be tens of thousands of users of the data.gov.uk site, which ironically is designed to make government more transparent.
Human error is believed to be the cause of the privacy snafu.