Cyber house of cards – Politicians' personal details exposed online (proton.me)
60 points by billybuckwheat 35 days ago | 7 comments



One person's "needlessly at risk" is another person's essential work. UK members of Parliament are very active in their local community; their parliamentary email address is the normal one to be using for this type of work and may involve needing to sign up for things with an email address. When they are following best practices and using a unique password, then they aren't really putting anyone's information at risk. They are at risk from phishing attacks simply by having such an email address which is publicly available, but that is an accepted and managed risk and definitely not needless.


Worth emphasis:

> The fact that these emails, which are publicly available on government websites, are on the dark web isn’t a security failure by itself. [...] Instead, it shows that politicians used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they’re entrusted to keep safe needlessly at risk.


People look at this and think "dumb politicians" but that's not the right conclusion. The security teams responsible for protecting them are to blame, yes, even for poor password choices and dark web leaks.


Politicians don’t have electronic security teams. In a political campaign office, a politician will be very lucky to have one volunteer who understands computer security who is then responsible for herding a dozen staff and a couple hundred volunteers who don’t understand why they should care about security.


Maybe that will teach those who decide about voting for laws that make cybersecurity weaker, like "chat control" or digital ID.


Ah yes, the people in charge of passing new cybersecurity laws also sign up for new services with their official email addresses and passwords like abc12345!


The password says it all, they forgot to include an uppercase letter.



