67% of US State Legislators Have Data Exposed on the Dark Web, Proton Investigation Reveals
Summary
A new investigation by Proton, published April 1, 2026, found that 67% of US state legislators have had their data leaked on the dark web through breaches linked to their publicly listed email addresses. The investigation uncovered over 16,000 breach records across 49 states, with more than 12,000 involving personally identifiable information (PII) and 560 passwords found in plaintext.
The exposure stems primarily from legislators using official government email addresses to sign up for third-party services like LinkedIn, Adobe, and Dropbox — services that have themselves been breached. Key findings include:
- 100% of legislators in Arizona and Oklahoma appeared in breach datasets
- Massachusetts had the highest total breaches (816), affecting 84% of officials
- New Hampshire had the most leaked passwords (81)
- Maryland was the only state with zero recorded breaches
- Only four states had less than 50% exposure
Sources
Commentary
The numbers here are staggering but unfortunately unsurprising. Government officials routinely use their official emails for everything from signing up for conference Wi-Fi to creating social media accounts — and those credentials inevitably end up in breach datasets when third-party services get compromised. The 560 plaintext passwords are especially concerning: those aren’t just personal accounts at risk, they’re potential entry points into government systems if password reuse is in play (and statistically, it almost certainly is).
This underscores a broader systemic failure in government cybersecurity awareness. These aren’t sophisticated nation-state attacks — they’re the predictable consequence of poor credential hygiene at scale. Every state should be mandating hardware security keys and separate email identities for third-party services. Maryland’s clean record suggests it’s possible; the other 49 states have no excuse.
