According to investigative website Bellingcat, nearly 800 Hungarian government email addresses and their corresponding passwords are circulating on the Internet. The accounts involved cover 12 of the government’s 13 ministries, as well as personnel in sensitive positions such as military personnel stationed abroad and civil servants. Some of these data breaches included personal information such as phone numbers, addresses, dates of birth, usernames and IP addresses.

According to Bellingcat's analysis of public databases, a total of 795 distinct email-password combinations for addresses ending in the gov.hu government domain were found; government agencies that use their own domain names (such as the tax bureau NAV, police agencies, etc.) were not included in this count. The report pointed out that those affected include senior military officers responsible for information security, counter-terrorism coordinators within the diplomatic system, an employee responsible for identifying hybrid threats faced by Hungary, and staff in other key positions.
A subsequent review by the Hungarian website 444.hu revealed that a large number of the passwords posed significant security risks: many were weak, extremely simple and easy to guess. According to the review, this reflects, to a certain extent, that some government staff have not received sufficient training in password security and have weak security awareness. Many government email addresses were also used to register accounts on non-work websites, such as dating platforms, music-playing websites, and sports and food websites, which further amplifies the risk of leakage.
Cybersecurity blog Kiberblog emphasized from another perspective that the leak did not originate from a centralized intrusion into the government's internal information systems. Instead, government users registered on various external websites, and their account data was later leaked from those websites and flowed into the black market or public databases. According to Kiberblog's analysis, what was leaked was not 800 combinations but more than 10,000 different email and password combinations. These email addresses came from 366 government agencies and units, including the Ministry of the Interior, the Ministry of Defense, the Disaster Management Bureau, the Anti-Terrorism Special Police Center (TEK), and the Constitutional Protection Service.
The report also analyzed the risk chain at the technical level: modern browsers generally offer to save passwords and can synchronize them between devices through the cloud. If an office worker saves the login credentials of an enterprise or agency system on a work computer, that data is synchronized to the worker's home computer; once the home device is infected with so-called "information-stealing" malware, the synchronized passwords may be stolen and uploaded to a server controlled by the attacker. Kiberblog pointed out that this type of risk could have been mitigated by disabling password saving and synchronization in browser policies at the organizational level, but in reality this control is often absent. Approximately 795 unique users have been confirmed to be directly affected by information-stealing malware, and similar issues are likely to exist in other large organizations and enterprises.
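
The organizational control Kiberblog describes can be checked mechanically. The following is an added example, not code from any of the reports cited here: it audits Chromium-family (Chrome, Edge) managed policy files for the `PasswordManagerEnabled` and `SyncDisabled` policies. The file names, the sample contents and the merge order are assumptions.

```python
import json

# Chromium-family policy names (Chrome and Edge). The required values turn off
# password saving and profile sync, the two controls the report says are absent.
REQUIRED = {
    "PasswordManagerEnabled": False,  # browser must not offer to save passwords
    "SyncDisabled": True,             # browser data must not sync to the cloud
}

def effective_policy(documents):
    """Merge policy JSON documents given as (filename, text) pairs.

    Assumption: files apply in lexicographic filename order and a later file
    overrides an earlier one for the same key.
    """
    merged = {}
    for name, text in sorted(documents):
        data = json.loads(text)
        if not isinstance(data, dict):
            raise ValueError(f"{name}: policy file must be a JSON object")
        merged.update(data)
    return merged

def audit(documents):
    """Return a list of findings; an empty list means both controls are enforced."""
    policy = effective_policy(documents)
    findings = []
    for key, wanted in REQUIRED.items():
        if key not in policy:
            # An unset policy leaves the feature under the user's control.
            findings.append(f"{key}: not set, left to the user")
        elif policy[key] is not wanted:
            findings.append(f"{key}: set to {policy[key]!r}, expected {wanted!r}")
    return findings

# Constructed sample policy files, not taken from any real deployment.
WEAK = [
    ("10-base.json", '{"PasswordManagerEnabled": false}'),
    ("20-team.json", '{"PasswordManagerEnabled": true, '
                     '"HomepageLocation": "https://intranet.example"}'),
]
HARDENED = [("10-base.json", '{"PasswordManagerEnabled": false, "SyncDisabled": true}')]

if __name__ == "__main__":
    for label, docs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(docs) or "OK")
```

The weak sample shows two failure modes: a later file silently re-enabling password saving, and sync never being addressed at all.
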
This incident also brought the outside world's attention once again to the previous cyber attacks suffered by the Hungarian government information system. Back in 2022, investigative website Direkt36 revealed that Russian intelligence agencies launched a large-scale cyber attack on the IT network of the Hungarian Ministry of Foreign Affairs and Foreign Economic Affairs. In 2024, internal documents published by 444.hu not only further confirmed that these attacks had actually occurred, but also showed that the Hungarian Ministry of Foreign Affairs had received a formal notification in advance from the head of the country’s intelligence agency, which detailed the scale of the attacks and identified the attackers.