Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work.
A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad.
Among those affected were a senior military officer responsible for information security, a counter terrorism coordinator in the foreign affairs department, and an employee whose role was to identify hybrid threats against the country.
The revelations come as Hungarians head to the polls this Sunday to decide if Viktor Orbán, leader of the right-wing populist party Fidesz and the country’s longest-serving prime minister, will be elected to a fifth consecutive term.
This is not the first time that deficiencies in the Hungarian government’s IT security have been revealed. In 2022, ahead of Hungary’s last election, Direkt36 reported that Russia’s intelligence services had gained access to the computer network of the Hungarian foreign ministry, including its internal communications channels.
It said Russian cyber attacks against the Hungarian government had been occurring for at least a decade and extended to the foreign ministry’s encrypted network for transmitting classified data and confidential diplomatic documents.
At the time, the foreign ministry denied it had been hacked. But in 2024, news outlet 444 published a letter that had been sent from Hungary’s National Security Service to the foreign ministry six months before the cyberattack was first reported. The letter linked the attacks to Russia and described more than 4,000 workstations and 930 servers as “unreliable”.
As part of this new analysis, Bellingcat identified a total of 795 unique email and password combinations among thousands of search results for Hungarian government domains in breach databases. Key departments that handle the country’s governance, defence, foreign affairs and finances were the worst affected.
The analysis does not include central government agencies that operate under the government’s official ministries and use separate domains, such as the tax and customs administration or the police – meaning breaches affecting government employees could be even more widespread.
The findings are not evidence of high-tech infiltration of Hungarian government systems. Instead, our analysis indicates that the breaches are more likely the result of poor digital hygiene. In many cases, staff used simple passwords along with their government email addresses for what appear to be non-work-related matters, such as signing up to dating, music, sport and food websites.
Some government workers used easy-to-guess passwords such as variations of the word “Password” or the number sequence “1234567”. One employee whose credentials were exposed in the 2012 LinkedIn hack used the password “linkedinlinkedin”. Another, in the defence ministry, used their surname. One leaked password from an employee in the foreign affairs ministry was “embassy13hungary”.
Multiple breaches also contained phone numbers, addresses, dates of birth, usernames and IP addresses – data that, when exposed, could pose security risks.
Additionally, a search of breach databases showed instances where computers have been infected with malware designed to steal login credentials. These records show that 97 machines across Hungarian government departments had been compromised, with stealer logs from as recently as last month found in the data.
Bellingcat contacted the Hungarian government’s spokesperson and the Prime Minister’s office, but did not receive a response.
The Weakest Link: Searching Breach Data
Breach databases are large collections of credentials harvested from previous cyber incidents. These databases can be searched by domain to identify email addresses belonging to a specific organisation, company or government.
Darkside allows users to search a repository of breach data from the clear and dark web.
Bellingcat used Darkside, a paid service by District 4 Labs, to search the main email domains assigned to each of the Hungarian government’s 13 ministries.
In total, 795 breaches containing government emails and associated passwords were identified. But most – 641 breaches – were linked to just four central institutions.
In the examples detailed below, staff have been anonymised. However, Bellingcat has confirmed these accounts are genuine by cross-checking the employees named in the breaches against media reports and online profiles, such as LinkedIn.
Ministry of Interior – this “super-ministry” oversees everything from health and education to the police, immigration, disaster management and local government
Bellingcat identified 170 sets of emails and passwords linked to the domain used by the ministry in charge of domestic affairs. Passwords used by staff in this department included “Arsenal” and “Paprika”. Some used passwords that contained only three or four letters. We traced these accounts to professional profiles and government web pages listing both junior and senior staff.
One senior official in the prison service used the password “adolf”. After it appeared in breach databases the password was changed twice – first to a five-digit number and then to what appeared to be the name for a pet dog. The passwords were subsequently breached again. Bellingcat identified this employee through several instances of their name and email address being listed on public-facing documentation, including a press release celebrating an award for outstanding professional work.
Ministry of Defence – responsible for national defence policy and directing the country’s defence forces
The credentials of staff working for the Ministry of Defence were found in 120 compromised records. This includes a 2023 breach of NATO’s eLearning services which resulted in 42 records containing emails, passwords and phone numbers becoming public.
The breaches peaked in 2021 but continued up to 2026. Included in the data were stealer logs, indicating that machines within the department may have been infected.
Military personnel from junior ranks to command positions were identified. A Brigadier General used a common six letter nickname, based on his own, to sign up to a film festival. A Colonel specialising in “information security” took inspiration from an English football manager for his password: “FrankLampard”. A district director used the password “123456aA”, while a high-ranking member of Hungary’s delegation to NATO used a password that translates in English to “cute”.
Ministry of Foreign Affairs and Trade – responsible for international relations, Hungarian embassies and consulates operate under the direction of the department
The credentials of current and former foreign affairs personnel have been exposed in dozens of data breaches from 2011 to February 2026. In total, there were 107 email and password combinations linked to this government ministry.
Among the staff affected was a deputy head of mission, consuls, diplomats and communications personnel posted in Europe, the Americas and the Middle East. These include a counter terrorism coordinator, an EU spokesperson, and an individual whose role was to identify hybrid threats to Hungary.
Although the breaches peaked in 2020, with emails being found in 42 separate breaches indexed by Darkside, MFA emails have been circulated, often with passwords, in 36 separate breaches since the beginning of 2024. The most recent breaches were in 2026.
Simple passwords appear to have left Hungary’s foreign affairs ministry vulnerable. In some cases, employees used a password that consisted of their own name and a two digit number. Others appeared to take inspiration from pop culture: “porsche911”, “frogger” and “Batman2013” are examples of real passwords used by staff.
Ministry of National Economy – oversees economic policy and financial strategy, including budget preparation and reducing national debt
Bellingcat’s analysis shows that staff in the Ministry for National Economy suffered 99 breaches. The Ministry of Finance, which was merged into this department in 2025, had suffered 145 breaches.
Among the breached data were the credentials of a deputy state secretary, who used the password “snoopy”. Other staff members used their date of birth or the word “Jelszo” – the Hungarian word for password.
A senior advisor who currently works in the ministry had their credentials breached four times using four different passwords, including “Kurvaanyad1” (roughly translated to “your mother is a wh**e”).
Cybersecurity Not Taken Seriously
Szabolcs Dull , a political analyst and the former editor-in-chief of the independent Hungarian news websites Index and Telex, said the government had failed to prioritise data security.
“It’s clear from the data breaches that have come to light that government agencies did not take data security seriously,” he said.
“This suspicion arose even when Russian hackers breached the foreign ministry’s IT system. That is why I believe Hungarian politicians and the public will interpret this new information as a continuation and confirmation of the Russian hacking story.”
Dull added that he was not aware of any investigation having been launched following the 2022 revelations of the Russian hack.
Kata Kincső Bárdos, a cybersecurity expert in Hungary, said it was difficult to understand why stricter controls would not be consistently enforced in government environments handling sensitive data.
She said governments should not only apply baseline rules for passwords – such as that staff use long, unique passwords and multi-factor authentication (MFA) – but also continuously monitor for compromised credentials and suspicious access patterns.
“Without MFA, systems become significantly more vulnerable to common attack methods such as phishing and credential stuffing,” she said. “A single compromised password can provide immediate access to internal systems.”
Bárdos added that unauthorised access to government systems should automatically trigger incident response procedures, investigation and containment measures.
“It is also important to note that targeting lower-level employees is a well-documented and common tactic,” she said. “Attackers frequently gain initial access through phishing or weak credentials and then move laterally within systems.”
Bellingcat’s Ross Higgins and investigative journalist Eva Vajda contributed to this article.
Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here . You can also subscribe to our Patreon channel here . Subscribe to our Newsletter and follow us on Bluesky here , Instagram here , Reddit here and YouTube here .