Austria’s Foreign Ministry (BMEIA) is once again in the spotlight due to a revelation that highlights the security risk caused by the improper use of official email addresses. The current scandal involving a now-recalled ambassador linked to a blog with explicit content is only the tip of the iceberg. As research by Fass ohne Boden (FoB) shows, the private use of official BMEIA emails by officials and envoys has been common practice for years.
The latest exposure surrounding the recalled “Sadomaso Ambassador” has brutally revealed a long-known but apparently ignored security problem in the Foreign Ministry: the use of private email addresses on official laptops and mobile phones, as well as the private use of official email addresses.
An in-depth analysis of data leaks in recent years now shows the true extent of this risky behavior. It is not just a handful of cases: of nearly 100 officially checked email addresses, the accounts of 46 BMEIA staff members appeared in 27 compromised data leaks. Some addresses even appeared in six different leaks. The worst case showed up in nine separate leaks.
Methodology of the investigation
First, public sources such as registers and parliamentary inquiries, as well as the darknet, were combed through. This produced a list of over 1,000 entries connected to the BMEIA. Some documents had several dozen pages.
With this list, the editorial team cross-checked each individual address with the renowned service “haveibeenpwned.com.” This online tool, created by Australian security expert Troy Hunt, compares email addresses against a vast public database of known leaks. The check confirmed that the email addresses of a total of 46 BMEIA employees were found in various hacks and collections from recent years.
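An added example, not from the article or the editorial team's tooling, of how a security team could tally such lookup results for its own domain and decide which accounts need a password reset. The record fields (Name, BreachDate, DataClasses) follow Have I Been Pwned breach entries; the addresses, leak names, dates, cut-off date and the `lookup` callback are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not real accounts). Each record mimics the fields
# Name, BreachDate and DataClasses of a Have I Been Pwned breach entry.
SAMPLE_RESULTS = {
    "a.muster@ministry.example": [
        {"Name": "LeakA", "BreachDate": "2016-05-05", "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "LeakB", "BreachDate": "2021-04-08", "DataClasses": ["Email addresses", "Job titles"]},
    ],
    "b.beispiel@ministry.example": [
        {"Name": "LeakA", "BreachDate": "2016-05-05", "DataClasses": ["Email addresses", "Passwords"]},
    ],
    "c.probe@ministry.example": [],
}

def normalize(raw_entries, domain):
    """Lower-case, trim and de-duplicate entries; keep only the audited domain."""
    cleaned = {e.strip().lower() for e in raw_entries}
    return sorted(a for a in cleaned if a.endswith("@" + domain))

def audit(addresses, lookup, incident_date):
    """Summarise exposure: affected accounts, distinct leaks, worst case,
    accounts needing a password reset, and leaks dated after incident_date."""
    per_leak, reset, after_incident, hits = Counter(), [], [], {}
    for addr in addresses:
        breaches = lookup(addr)  # hypothetical callback returning breach records
        if not breaches:
            continue
        hits[addr] = len(breaches)
        per_leak.update(b["Name"] for b in breaches)
        if any("Passwords" in b["DataClasses"] for b in breaches):
            reset.append(addr)  # a password was part of the exposed data
        if any(date.fromisoformat(b["BreachDate"]) > incident_date for b in breaches):
            after_incident.append(addr)
    worst = max(hits, key=hits.get) if hits else None
    return {"affected": len(hits), "distinct_leaks": len(per_leak),
            "worst_case": worst, "reset_required": reset,
            "after_incident": after_incident}

def run_sample():
    raw = [" A.Muster@ministry.example ", "a.muster@ministry.example",
           "b.beispiel@ministry.example", "c.probe@ministry.example",
           "someone@other.example"]
    addrs = normalize(raw, "ministry.example")
    # date(2020, 1, 1) is a constructed cut-off standing in for a past incident.
    return audit(addrs, lambda a: SAMPLE_RESULTS.get(a, []), date(2020, 1, 1))

if __name__ == "__main__":
    print(run_sample())
```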
“Library of Leaks”
The investigation also relied on the “Library of Leaks.” This is a publicly accessible search portal run by the non-profit organization DDoSecrets (Distributed Denial of Secrets). The portal functions as a search engine for a vast collection of hacked and leaked documents from diverse sources. DDoSecrets often makes this data publicly available, and journalists and researchers use it to verify the authenticity and scope of data breaches.
Chronology of compromise
The private use of BMEIA email addresses has led to their appearance in a wide variety of data leaks spanning from 2011 to 2024. Our research identified a total of 27 different leaks containing official BMEIA email addresses.
Each of these leaks poses a serious threat to national security. Compromised datasets often provide cybercriminals not only with email addresses, but also with passwords, phone numbers, home addresses, and other sensitive personal data.
Particularly alarming is the fact that several officials continued using their official email addresses for private purposes even after the highly publicized cyberattack on the Foreign Ministry in 2019–2020. This raises the pressing question of why the lessons from that attack were apparently not learned and how such practices could continue unchecked even after such a severe security incident.
- Stratfor (2011): One of the earliest leaks in which official email addresses appeared. Here, 860,000 user accounts were compromised, including email addresses and hashed passwords.
- Bitly (2014): This leak exposed 9.3 million email addresses, usernames, and hashed passwords.
- LinkedIn (2016): A massive hack from 2012, made public in 2016, exposed 164 million email addresses and passwords, which were hashed without salt and thus easy to crack.
- Anti Public Combo List & Exploit.In (2016): These two “combo lists” together contained over one billion unique email addresses used for so-called “credential stuffing.” BMEIA addresses may have been affected if employees used their official emails for private accounts with the same passwords.
- Onliner Spambot & River City Media (2017): These leaks, mainly targeting email addresses for spam purposes, together contained over one billion email addresses, many linked with passwords.
- Apollo, Exactis, Netlog & Trik Spam Botnet (2018): 2018 was especially prolific for data leaks. Apollo (126 million email addresses), Exactis (132 million), Netlog (49 million with passwords), and Trik (43 million) may also have contained BMEIA email addresses.
- Verifications.io, Evite & Collection #1 (2019): These leaks exposed gigantic amounts of data: 763 million email addresses at Verifications.io, 101 million at Evite, and 773 million in Collection #1.
- Nitro & Cit0day (2020): Nitro exposed 70 million email addresses and passwords, while Cit0day revealed 226 million.
- LinkedIn Scraped Data (2021): Although not a classic data breach, the scraping exposed 125 million addresses from public LinkedIn profiles, posing a serious security risk for targeted attacks.
- Twitter (2023): Over 200 million email addresses scraped from public Twitter profiles.
- Combolists posted to Telegram (2024): The latest leak included 361 million unique email addresses and passwords.
Senior officials compromised
The BMEIA security dilemma spans all levels of hierarchy. The official email addresses of Foreign Minister Alexander Schallenberg (alexander.schallenberg@bmeia.gv.at) and official Thomas Oberreiter (thomas.oberreiter@bmeia.gv.at) also appeared in leaks. Schallenberg, who was chief of staff at the BMEIA before becoming minister, was found in two leaks: “Data Enrichment Exposure From PDL Customer” and “Verifications.io.” Both resulted from insecure databases that exposed personal data such as names, email addresses, geographic locations, and job titles.
The email address of Thomas Oberreiter, whose case had already been uncovered in an earlier FoB report, was found in the “Cit0day” leak of 2020. This leak comprised a massive collection of over 23,000 compromised websites, with email addresses often revealed in plaintext together with passwords.
What this confirms is that Oberreiter used his official email address on one of the compromised websites. His official email and its associated password were exposed, in many cases even in plaintext.
Consequences and reactions
The commission led by Meinl-Reisinger’s security adviser Thomas Starlinger began its work on August 14, 2025. The team, consisting of IT specialists, representatives of the military intelligence service and other security agencies, as well as internal and external legal experts, is tasked with investigating IT security and internal procedures at the BMEIA. A report with recommendations for improving security measures is expected by October. It appears the commission will have plenty of work ahead.
The sheer number of leaks makes clear that the Foreign Ministry is not dealing with an isolated case but with a systemic problem. The private use of official emails undermines IT security and makes staff, and thus the ministry itself, vulnerable to phishing, credential reuse attacks, and targeted espionage.
The real issue lies not only in the technical compromise but also in the irresponsible behavior of BMEIA employees. Anyone who enters their official email address on LinkedIn, X, or even a public library ignores every basic rule of security and confidentiality. This not only jeopardizes their own privacy but also the integrity of the entire ministry. It is a blatant breach of professional standards, showing that the BMEIA suffers not only from a lack of security awareness but also from a lack of discipline and culture to enforce it.
Source: Editorial team
List of leaks
- Anti Public Combo List
- Apollo
- Bitly
- Cit0day
- Collection #1
- Combolists Posted to Telegram
- Covve
- Data Enrichment Exposure From PDL Customer
- Dropbox
- Evite
- Exactis
- Exploit.In
- Kayo.moe Credential Stuffing List
- Nitro
- LinkedIn Scraped Data (2021)
- Netlog
- Onliner Spambot
- River City Media Spam List
- ShareThis
- Stratfor
- Ticketcounter
- Trik Spam Botnet
- Twitter (200M)
- Verifications.io
- Wiener Büchereien
- You’ve Been Scraped