Researchers at Bellingcat, the open-source intelligence outlet known for investigating government malfeasance and state-sponsored activity, have published findings showing that 795 unique email and password combinations belonging to Hungarian government officials were circulating in credential logs harvested by information-stealing malware. The logs covered accounts across 12 of 13 Hungarian government ministries, with the Interior Ministry, Finance Ministry, and Defense Ministry among the hardest hit. The compromised accounts included at least one senior military officer, at least one individual identified as a counter-terrorism coordinator, and at least one person whose role was described as a hybrid threat identifier, a position specifically tasked with detecting foreign interference operations.
The timing of the Bellingcat investigation coincides with a politically sensitive moment in Hungary. The country is in the midst of an election cycle with voters choosing whether to extend Viktor Orban's rule into a fifth term. Credential exposure of this breadth and depth across the senior levels of a national government, including counter-terrorism and foreign intelligence-adjacent roles, during an election period represents a meaningful national security concern regardless of which party benefits or suffers from the disclosure.
The Passwords: A Master Class in What Not to Do
Any cybersecurity story that includes an examination of the actual passwords found in the leaked credentials is going to be simultaneously grimly predictable and genuinely alarming, and the Hungarian government credentials deliver on both counts. Among the passwords documented by Bellingcat's analysis: "Snoopy," "Adolf," "Password," "linkedinlinkedin," "FrankLampard," and "porsche911."
To be clear about what each of these represents as a security failure: "Password" is literally the most commonly used password in every analysis of credential dumps ever conducted. "linkedinlinkedin" suggests the user was either reusing their LinkedIn password or chose a password inspired directly by the platform they were registering on, which is perhaps even worse. "FrankLampard" and "porsche911" are the kind of passwords that security awareness training has been advising against for two decades, passwords based on a famous person's name or a well-known product model number that appear in every dictionary attack wordlist ever assembled. "Snoopy" would be cracked in seconds by any modern password-cracking tool.
"Adolf" is a different category of concern. It could be explained as a family name or other personal reference, but in the context of senior Hungarian government officials, including those with sensitive security functions, a password choice that would attract immediate attention in any credential review is not a reassuring signal about the security culture of the institutions involved.
Ministry-by-Ministry Breakdown: Interior and Finance Worst Hit
The distribution of compromised credentials across ministries reveals which parts of the Hungarian government were most heavily affected. Bellingcat's analysis identified 170 compromised accounts at the Interior Ministry, 145 at the Finance Ministry, 120 at the Defense Ministry, 107 at the Foreign Affairs Ministry, and 99 at the National Economy Ministry. Those five ministries account for the majority of the 795 total exposed credentials, and they are not peripheral departments. They are the core of a national government: internal security, public finances, military affairs, diplomatic relations, and economic policy.
The Interior Ministry exposure is particularly significant in the Hungarian context. The ministry oversees the national police, border security, and disaster management. In Orban's Hungary, it has been one of the most politically consequential departments, overseeing both domestic security services and the implementation of the government's migration and border control policies. Credentials for Interior Ministry accounts could provide access to law enforcement databases, personnel files, or communications relating to sensitive internal security operations.
The Defense Ministry credentials are significant for obvious reasons. Military personnel files, operational planning documents, and procurement records are exactly the kind of data that foreign intelligence services seek access to. That 97 machines across these accounts showed evidence of active stealer malware infection, with logs dating from as recently as the month before publication, suggests the exposure was not a historical relic. Some of these credentials were live at the time of the Bellingcat investigation.
High-Value Targets: The Counter-Terror Coordinator and Hybrid Threat Analyst
Among the 795 compromised accounts, Bellingcat identified several with roles that make their exposure particularly consequential. A senior military officer, whose rank and specific assignment were not detailed in the public reporting, is one category of high-value target. Military officers at senior levels typically have access to classified systems, operational planning documents, and personnel records for the units they command. Their email credentials may also provide access to communications that contain classified information transmitted in violation of data handling procedures, a common problem in institutional email environments where classification enforcement is inconsistent.
The counter-terrorism coordinator is perhaps the most sensitive role identified in the exposed credentials. Counter-terrorism coordinators in EU member states typically have visibility into ongoing operations, protected source identities, liaison relationships with foreign intelligence services, and threat assessments that contain information provided in confidence by partner services. If a foreign intelligence service gained access to a counter-terrorism coordinator's email and maintained that access over time, the potential for intelligence collection would extend far beyond anything available in the credential log itself.
The hybrid threat identifier is a role that requires some explanation for readers unfamiliar with EU security architecture. Following Russia's 2014 interference operations and the broader recognition of hybrid warfare as a distinct threat category, European governments created institutional positions specifically tasked with identifying and countering influence operations, disinformation campaigns, and gray-zone activities by foreign state actors. In Hungary, where the Orban government's relationship with Russia has been a persistent source of tension with EU partners, a hybrid threat identifier occupies a particularly sensitive position. Their access to intelligence on foreign interference operations, combined with their institutional context in a government with close ties to Moscow, makes their credential exposure a significant concern for both Hungarian national security and EU-wide intelligence sharing.
The 2022 Russian Hack of Hungary's Foreign Ministry
The current credential exposure is not Hungary's first significant government cybersecurity incident of recent years. In 2022, reporting confirmed that Russian intelligence services had penetrated Hungary's Foreign Affairs Ministry, gaining access to diplomatic communications. That incident was significant both for its direct intelligence value to Moscow and for what it revealed about the security posture of a government that had been publicly skeptical of anti-Russian positions within the EU and NATO.
The 2022 breach prompted promises of security improvements and raised questions about whether sensitive NATO and EU intelligence shared with Hungary was being adequately protected. Those questions have not been definitively answered, and the current Bellingcat findings, which document active stealer malware on government machines and weak passwords on senior official accounts four years later, suggest that the improvements made after 2022 were either insufficient or insufficiently sustained.
The pattern matters beyond Hungary's borders. NATO information security requirements bind member states to minimum standards for handling alliance intelligence. If senior Hungarian officials are operating with passwords like "Password" and "Snoopy" on accounts that handle sensitive communications, the question of whether NATO intelligence shared with Hungary is being adequately protected is a live issue for every other alliance member. Alliance intelligence sharing operates on trust, and that trust is difficult to maintain when documented evidence of baseline security failures accumulates.
Expert Analysis: Without MFA, These Systems Were Effectively Open
Cybersecurity expert Kata Kincso Bardos was direct in her assessment: "Without MFA, systems become significantly more vulnerable." That observation cuts to the technical heart of why 795 credential pairs in stealer logs translate to a serious operational security problem. If any of these accounts lacked multi-factor authentication, possession of the password alone would be sufficient to log in, access email, read documents, or pivot to other connected systems.
MFA is not a perfect defense. Sophisticated attackers can defeat MFA through adversary-in-the-middle (AiTM) phishing attacks that capture both credentials and session cookies simultaneously. But MFA does defeat the most common use case for stolen credentials: an attacker in a different country attempting to log into a web-based portal with a username and password harvested from a stealer log. Without MFA, that attack is trivially easy. With it, the attacker needs to defeat an additional factor, which raises the bar considerably.
Analyst Szabolcs Dull offered a broader institutional critique: "Government agencies did not take data security seriously." That assessment is consistent with what the Bellingcat findings show. The password choices, the lack of MFA evidence, the active stealer malware on 97 machines, and the coverage across 12 of 13 ministries together paint a picture of an institutional security culture that has treated cybersecurity as an afterthought rather than a core operational requirement. That culture is not unique to Hungary. It is a documented problem across many government institutions in EU member states and beyond. But the Bellingcat investigation makes it concrete and specific in a way that is difficult to dismiss.
What the Orban Government Has and Has Not Said
The Hungarian government's public response to the Bellingcat findings has provided limited information. In the context of an election period, the political sensitivity of a finding that documents systemic cybersecurity failures across the senior levels of the government is obvious. Acknowledging the findings creates pressure to explain what remediation is planned. Disputing them requires engaging with specific documented evidence from stealer malware logs that are not under the government's control. Neither option is comfortable.
The election backdrop adds a layer of complexity to how the findings are being received domestically and internationally. Orban's government has consistently positioned itself as a strong defender of Hungarian national sovereignty against foreign interference. A finding that documents the credentials of a hybrid threat analyst, a position specifically created to counter foreign interference, circulating in criminal stealer logs creates an ironic contrast that opposition parties and international observers have noted.
For EU partners and NATO allies, the Bellingcat report is a data point in an ongoing assessment of Hungary's reliability as an intelligence partner. The alliance's concern is not partisan. It is structural: if the credentials of officials with access to shared intelligence are being harvested by stealer malware, the chain of custody for alliance-sensitive information becomes impossible to verify.
What Needs to Happen Next
The minimum necessary response to the Bellingcat findings is an immediate forced password reset for all accounts identified in the credential logs, combined with mandatory MFA enrollment for all government email and system access. Those are not novel recommendations. They are baseline security hygiene that should have been in place before this incident occurred. The fact that they apparently were not is the core finding of the Bellingcat report.
Beyond the immediate remediation, Hungary needs a systematic audit of government device security, focused on identifying and removing stealer malware from the 97 machines confirmed to have been infected and examining other devices for similar infections that may not yet have been documented. Stealer malware typically maintains persistence on infected systems even after the initial credential theft, meaning that devices that were infected months ago may still be active exfiltration points.
The broader lesson from this incident, for Hungary and for every government institution that handles sensitive information, is that credential hygiene and device security are not technical problems that can be delegated entirely to IT departments. They are organizational culture problems that require sustained commitment from senior leadership. Password policies that allow "Password" and "Snoopy" represent a failure not of technical capability but of institutional will to enforce standards that protect both national security information and the safety of individuals whose sensitive personnel information exists in the same systems.
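One way to enforce the password-policy point above at the moment a password is set, as an added example that is not from Bellingcat or the original article: a screening check run against the six passwords the article quotes. The blocklist contents, the 12-character minimum, the `linkedin` context word and the passphrase sample are assumptions made for illustration.

```python
import re

# Constructed mini blocklist for illustration; a real deployment would load a
# large breached-password and dictionary corpus (assumption, not from the article).
BLOCKLIST = {"password", "snoopy", "adolf", "porsche", "franklampard"}
# Undo common character substitutions such as P@ssw0rd -> password.
LEET = str.maketrans("0134578@$!", "oieastbasi")
MIN_LENGTH = 12  # hypothetical policy value


def collapse_repeats(word):
    """Reduce a string made of one repeated unit to that unit."""
    for size in range(1, len(word) // 2 + 1):
        if len(word) % size == 0 and word[:size] * (len(word) // size) == word:
            return word[:size]
    return word


def variants(candidate):
    """Return the normalized cores of a candidate that get compared to the lists."""
    lowered = re.sub(r"[^a-z]+$", "", candidate.lower())  # drop trailing digits/symbols
    plain = re.sub(r"[^a-z]", "", lowered)
    unleet = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    return {collapse_repeats(plain), collapse_repeats(unleet)}


def screen_password(candidate, context_words=()):
    """Return rejection reasons; an empty list means the candidate is accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than minimum length")
    cores = variants(candidate)
    if cores & BLOCKLIST:
        reasons.append("matches blocklisted word")
    context = [w.lower() for w in context_words if len(w) >= 4]
    if any(ctx in core for ctx in context for core in cores):
        reasons.append("derived from service or account name")
    return reasons


if __name__ == "__main__":
    # The six passwords quoted in the article, plus one constructed passphrase.
    samples = ["Snoopy", "Adolf", "Password", "linkedinlinkedin",
               "FrankLampard", "porsche911", "tin-kettle-orbit-marsh-42"]
    for pw in samples:
        print(pw, screen_password(pw, context_words=("linkedin",)))
```

Called without the service name in `context_words`, `linkedinlinkedin` passes this check, which is why the context list has to include the service and account names.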
Sources
- Bellingcat: Hungarian Government Credentials Found in Stealer Malware Logs (April 9, 2026)
- Reuters: Hungarian government passwords exposed ahead of election, Bellingcat finds (April 9, 2026)
- Politico Europe: Hungary's government had 'catastrophic' password security, investigators find (April 2026)
- BleepingComputer: 795 Hungarian government credentials exposed in infostealer malware logs (April 2026)