The UK's Government Digital Service (GDS) is urging users of its data website to change their passwords following a massive security breach that saw the names and email addresses of thousands of people exposed for nearly two years.
A routine security review on 9 May discovered that a file containing the names, email addresses and hashed passwords of registered users who used the Cabinet Office's data.gov.uk had been discovered on a publicly accessible, third-party system since July 2015, The Times reported.
The data.gov.uk website allows registered users to browse information published by various government departments, agencies and local authorities to "learn more about how government works, carry out research or build applications and services".
As a result of the security breach, about 68,216 accounts who signed up on the website on or before 20 June 2015 have been suspended until users' reset their passwords.
A GDS spokeswoman told the BBC that the breach only affected data.gov.uk accounts, noting that people with separate accounts for other government websites were not affected by the intrusion.
In an email sent to users on Thursday (29 June), the GDS advised users to change their passwords as a "precautionary measure" and reset the login details on other websites if they happened to use the same password across different platforms and services.
"It was very recently discovered, and action was taken to notify users, and the information commissioner's office, as soon as possible", a GDS spokesman told The Times. The agency said there is currently no evidence to suggest that any leaked credentials had been misused.
The Information Commissioner's Office (ICO) has also been informed of the leak.
"We are aware of an incident and are making enquiries," an ICO spokesperson told IBTimes UK. We have reached out to the GDS for comment.
The disclosure comes on the heels of a cyberattack targeting the British Parliament, which saw at least 90 MPs' email accounts compromised. Officials blamed the number of successfully breached inboxes on "the use of weak passwords that did not conform to guidance".