The challenges of conducting open-source research in China are well-documented. Consistently named one of the most digitally oppressive countries in the world, China blocks some of the world’s largest social media platforms, such as Facebook, Google, and YouTube. Those that are still accessible are mostly Chinese-owned, strictly regulated and monitored in real time by AI systems as well as tens of thousands of “internet police”. 

But despite these strict controls, Chinese apps – which boast more than a billion estimated users – remain an information goldmine for investigative journalists covering stories both within and outside China.

Since most foreign sites are banned, Chinese platforms are the largest resource available to journalists and researchers interested in what’s going on in the world’s second-most populous country. Even when a topic is being censored, patterns in the censorship can themselves serve as investigative leads: a 2020 BuzzFeed News investigation, for example, mapped out detention camps in Xinjiang by examining areas that had been blanked out on China’s Baidu Maps.

With millions of Chinese people living overseas, social media activity by members of the diaspora can also turn into global stories.

Serial rapist Zou Zhenhao, a Chinese PhD student, was jailed in London last year after one of his victims posted a warning on Xiaohongshu, also known as Little Red Book or Rednote, an app popular with young Chinese women living abroad. Another woman Zou had raped reached out to the original poster, who put her in touch with the police – leading to the conviction of a man described by police as possibly one of the worst sexual predators in British history.

Founded in 2013 as a Hong Kong shopping guide, Xiaohongshu has evolved into a lifestyle and e-commerce platform that has been compared with Instagram, Pinterest and Amazon. Last year, it reported about 300 million monthly active users, rivalling some of China’s largest social media platforms.

The app’s 600 million daily searches by the end of 2024 also accounted for half of market leader Baidu’s search volume, demonstrating that it is emerging as a critical search and discovery engine, not just a social platform.

Although primarily a Chinese-language app, Xiaohongshu gained attention in the English-speaking world last year, when millions of American TikTok users flocked to the platform in anticipation of a TikTok ban under US President Donald Trump. 

Responding to the surge of international users – sparked by the #TikTokRefugees trend – Xiaohongshu rolled out an AI-powered translation feature, making the app more accessible to non-Chinese audiences. This also meant that journalists without Chinese language skills can more easily communicate on and navigate the platform.

Despite its growing popularity both within and outside China, the app is relatively new and underexplored compared to more well-established platforms such as Weibo. 

This guide aims to provide a starting point for those looking to explore Xiaohongshu for open-source investigations, including an overview of its main user demographics, potential topics to explore and strategic search methods specific to the app. 

User Demographics and Topics

According to Xiaohongshu’s official data, the platform’s demographic profile is mainly young, female and urban. As of 2024, 70 percent of its users were women, with half of all users belonging to Gen Z and living in China’s largest cities. 

As previously mentioned, the app has also gained popularity with the Chinese diaspora. Many Chinese nationals living abroad use it as a search engine for local information, posting and searching for content related to their daily lives, from restaurant recommendations and apartment hunting to navigating foreign bureaucracies and finding community resources. 

This demographic profile makes Xiaohongshu particularly well-suited for investigating stories about consumer fraud and urban livability issues. For example, Chinese outlets like Jiemian have used Xiaohongshu posts to expose the grey-market ecosystem of paid reviews and fake endorsements tied to the platform’s e-commerce model, while in 2022, International Financial News traced a mother-and-baby store scam that defrauded over 400 parents back to product recommendation posts on the platform.

Given its predominantly female user base, Xiaohongshu has also evolved into one of China’s most important spaces for feminist discourse and women’s issues. Academic researchers have used content on the platform to analyse local discussions on menstrual shaming, sexual harassment, and the controversial “divorce cooling-off period” introduced in 2021. As Rest of World reported, women have increasingly congregated on Xiaohongshu, where they outnumber male users and have found ways to trick the app’s recommendation algorithm so their posts are shown mostly to other women.

The Relevance of Censorship

Political content and current affairs about China are largely absent from the app – a result of both active censorship and platform design. 

All Chinese social media platforms, including Xiaohongshu, operate under strict content moderation requirements from the Cyberspace Administration of China. A leaked 143-page internal document published by China Digital Times in 2022 revealed how Xiaohongshu censors respond to government directives in “real-time”, blocking content related to politically sensitive topics such as criticism of the Chinese Communist Party, labour strikes and student suicides. Xiaohongshu’s commercial focus also makes it less likely that these topics would be discussed on the platform: as Rest of World reported, the platform functions less like Weibo – a public square for current events – and more like “a giant mall, where shoppers tell each other what to buy”.

Coverage of international affairs is also tightly controlled: only state-owned or state-controlled news organisations can obtain licences to publish original news content. However, content about life abroad, particularly stories about the cost of living, healthcare, or social problems in Western countries, circulates more freely on platforms including Xiaohongshu, and provide journalists with insight into how Chinese diaspora communities engage with local political systems. 

For example, when the 2025 Miss Finland was accused of making anti-Asian gestures, searching for “芬兰小姐” (Miss Finland) and “投诉” (complaint) on Xiaohongshu revealed a trove of collective action: users shared different complaint pathways, posted templates for filing reports, and documented various outcomes from their complaints. 

For such large-scale public events, Xiaohongshu can be both an organising platform and a rich source for tracking how diaspora communities coordinate responses to discrimination, providing journalists with insight into grassroots activism and transnational advocacy networks.

Getting Started

Xiaohongshu is available for download on both Apple’s App Store and Google Play worldwide, or can be accessed via a web browser. In international app stores, the app appears under the name “RedNote,” but this is the same application as Xiaohongshu – content and accounts are shared across both. The key difference is that RedNote users who register with overseas phone numbers are automatically tagged as international users, which affects the content the algorithm surfaces to them.

For users who download the app outside mainland China, Xiaohongshu automatically detects the device language and location. Upon first login, international users are prompted with an option to automatically translate all content into English (or their device language). If enabled, posts and comments will display with translations by default, and the algorithm will prioritise English-language content and posts created by or for international users, such as expat influencers.

For researchers and journalists seeking to observe the platform as Chinese users experience it, consider disabling automatic translation. This allows you to see content as it natively appears and helps you distinguish between posts created for international audiences versus those created for domestic users – a distinction that matters when assessing how representative your sample is for the relevant topic.

The default home feed, or the “Explore” tab, is where the algorithm surfaces content based on your engagement history, location and user profile. The feed uses a grid layout displaying post thumbnails with titles and like counts.

On the top right corner of the screen, the search bar also allows keyword searches across posts, users and topics. Results can be filtered by content type (e.g. notes, videos, users or products) and sorted by relevance or recency.

Using the Search Bar

Xiaohongshu’s search function is relatively basic. You can search by keywords and filter by time and location, but the options are general: time filters include “past day,” “past week,” or “past six months,” while location filters offer “same city” or “nearby”. 

For example, searching “Canada” returns posts tagged with that keyword, which you can then sort by recency or proximity. 

For breaking news events, try searching location names or names of individuals involved in the incident, filtering for the most recent posts to capture real-time reactions and on-the-ground accounts before they’re censored or deleted.

Xiaohongshu primarily uses algorithms to curate and push content through personalised feeds. For journalists using Xiaohongshu for investigative purposes, it can be useful to actively search for topics of interest to train your algorithm – the more you search and engage with specific content, the more relevant posts the algorithm will surface to you.

However, if you are researching the platform itself – studying what content Xiaohongshu promotes, how censorship operates, or what narratives dominate – you may want to start from a clean slate. In that case, consider periodically turning off personalised recommendations (Settings → Privacy Settings → Personalisation Options), clearing your browsing history, clearing cached data, or using a fresh account to observe what the platform shows to a “neutral” user.

Language and Lingo

During the influx of “TikTok refugees” in January 2025, Xiaohongshu launched a translation feature for users outside mainland China, enabling the automatic translation of comments and posts. 

However, this does not translate search queries. The platform’s search engine is still optimised for Chinese, though there is a “prioritise English” filter for overseas users, and searching in English will return some results.

But the language you search in shapes far more than just your results – it determines which version of the platform you see. When you search in English or use an international account, the algorithm treats you as a foreign user and surfaces content accordingly: influencers explaining why they love living in China, comparisons showing Chinese life favourably against the West. 

This isn’t a neutral cross-section of the platform – it is a curated bubble. To access what Chinese users actually discuss among themselves, it would be more effective to search in simplified Chinese and, ideally, use a China-registered account if you have access to one. If you don’t read Chinese, you can also consider using a translation tool (Google Translate, DeepL, or an AI assistant) to convert your search terms into simplified Chinese before entering them.

Despite such tools and the in-app translation feature, it is always useful when researching using Chinese platforms to work with a native speaker familiar with the local context. They can flag when an innocuous-seeming term actually carries hidden meaning, and help identify coded conversations about a censored topic.

On Xiaohongshu specifically, this coded language extends beyond political topics to include anything the platform’s algorithm might flag as “vulgar” or promotional. For example, users substitute fruits and neutral terms for body parts or sexual content to avoid being flagged as inappropriate – the peach emoji for buttocks, or 炒菜 (“cooking”) for explicit material. They may also use abbreviations and emojis for commercial terms to evade anti-marketing filters, such as “vx” (the abbreviation of how WeChat is pronounced in Chinese) or “绿” (“plus green”, apparently referring to WeChat’s green logo) for WeChat, or “米” (rice) or the moneybag emoji for money.

Advanced Search Strategies

For more sophisticated searching, consider using third-party marketing analytics tools like Xinhong and Qiangu, which can show trending topics, popular posts and engagement metrics, as well as identify key content creators posting about specific subjects. 

For example, on Xinhong, when you search for “Canada” in Chinese, it also shows show trending related searches such as “加拿大总理” (Canadian Prime Minister). Clicking through these suggestions leads to recent posts—for example, posts about Mark Carney’s latest statements at Davos, along with user comments and reactions.

While these tools are designed for marketers, they provide journalists with valuable capabilities: tracking how topics evolve, identifying influential voices in specific communities, and discovering related hashtags or discussions that might not surface through basic platform search. These tools often require paid subscriptions but can significantly enhance research efficiency for long-term investigations.

Another valuable feature is Xiaohongshu’s group chat function, where users gather around shared keywords and topics—from city-specific communities to niche interests. These groups are often highly active and provide access to candid community discussions that don’t appear in public posts. To find relevant groups, go to Messages → Group Square, where you can browse categories or search by keyword and request to join.

Monitoring active group chats related to relevant topics, whether that’s a specific city, industry, or issue, can help journalists and researchers stay updated on emerging issues and detect potential story leads before they become widely visible on public feeds.

Preserving the Evidence

Chinese social media content can disappear quickly and without warning due to censorship, making immediate preservation critical. 

Always take two preservation steps immediately upon discovering relevant content:

First, screenshot the entire post, including the URL, timestamp, username, like/comment counts, and location tags. These metrics establish context and authenticity. Use tools that capture full-page screenshots rather than just visible portions, as posts can be long and comments extensive. Second, archive the web page using services like archive.today or Wayback Machine. Note that these services capture only static content – comments and engagement metrics may not be fully preserved and should be screenshotted separately.

For Xiaohongshu specifically, always preserve the user’s unique ID found in their profile URL when viewed on a browser, which follows the format “user/profile/[unique ID]”. Users can change their display names, but this unique identifier remains constant, allowing you to track accounts over time even after name changes. This is critical for long-term investigations or when monitoring specific sources.

Xiaohongshu operates under the same legal and censorship constraints as all Chinese social media platforms, and researchers should approach it with appropriate caution. Content moderation is extensive: users who post about sensitive subjects risk having their content removed or their accounts suspended, and the platform is required to comply with government data requests. For researchers, this means the information you find represents only what has survived the censorship process.

That said, Xiaohongshu remains a remarkably rich resource for open-source research. Its strength lies precisely in its apolitical, lifestyle-oriented identity: while political discussion is suppressed, candid conversations about everyday life flourish. For journalists willing to invest in learning the platform’s rhythms, building Chinese-language search skills, and understanding its coded vocabularies, Xiaohongshu offers a window into how ordinary Chinese people talk among themselves – an area that remains largely untapped by international media.

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Mining China’s ‘Little Red Book’ for Open Source Gold appeared first on bellingcat.

This article is the result of a collaboration with Indian media outlet Newslaundry. You can find Newslaundry’s editorially independent coverage here.

Indian companies have shipped more than 320 million synthetic opioid pills to West Africa – where they have not been approved by regulators – over the past three years, a Bellingcat investigation has found.

Export records from trade data provider 52wmb show that more than 1,400 consignments of tapentadol worth almost USD $130 million were sent from India to West Africa between January 2023 and December 2025.

Tapentadol, a painkiller two to three times more potent than tramadol, has not been approved for use in most West African countries, where some nations are grappling with an escalating opioid abuse epidemic.

However, this investigation shows that dozens of Indian suppliers have flooded the region with tapentadol over the past three years. Where dosages were listed, more than half the pills were in powerful strengths of 200mg or more – dosages that are not even approved in India.

The exports, cross-checked against records provided by trade data aggregator ImportGenius, show most tapentadol pills sent between 2023 and 2025 had the coastal nations of Sierra Leone and Ghana listed as their declared destinations.

The two West African countries were collectively marked as the destination for more than 80 per cent of the total value of tapentadol sent to the region.

Experts have documented how drug traffickers adapt quickly to international regulations and law enforcement efforts. In 2018, India tightened export controls around the opioid tramadol, one of the most trafficked synthetic drugs to West Africa.

In 2021, the International Narcotics Control Board (INCB) said large-scale tapentadol trafficking had been identified, particularly in consignments destined for Africa. It had previously noted that India’s strengthened tramadol controls could lead traffickers to substitute the drug with other potent synthetic opioids.

A BBC investigation last year revealed that Indian company Aveo Pharmaceuticals was illegally exporting tablets containing a mix of tapentadol and the muscle relaxant carisoprodol to West Africa. This led India’s drug regulator, the Central Drugs Standard Control Organisation (CDSCO), to ban the manufacture and export of all combinations of the two drugs.

Bellingcat’s investigation, in collaboration with Indian publishing partner Newslaundry, reveals that the supply of tapentadol pills from India to West Africa has surged in recent years.

Export data from 52wmb shows the value of tapentadol sent to the region has risen from about USD $27 million in the three year period from 2020 to 2022, to almost USD $130 million from 2023 to 2025.

Julius Maada Bio, Sierra Leone’s president, in 2024 declared a national emergency over rampant drug abuse and branded kush – a toxic blend of psychoactive substances including cannabis and synthetic opioids – a “death trap”.

Authorities in Sierra Leone have intercepted illegal tapentadol, including last July when the National Revenue Authority (NRA) said it thwarted a smuggling operation near its north-west border with Guinea.

The NRA and other agencies including the Transnational Organised Crime Unit, National Drug Law Enforcement Agency, and the Pharmacy Board of Sierra Leone did not respond to Bellingcat’s requests for comment.

Ghana’s Narcotics Control Commission (NACOC) said the illegal importation of tapentadol was first recorded in 2022 after international efforts to curb the tramadol crisis resulted in criminal networks shifting production to other pharmaceutical opioids including tapentadol, tafrodol and carisoprodol.

The agency has recorded a “steady rise” in tapentadol trafficking over the past three years, with authorities seizing more than 3.7 million tablets (250mg strength). Most were traced back to India, it said.

“NACOC investigations confirm that the bulk of tapentadol is trafficked into Ghana through seaports and by air, via express courier services,” a spokesperson said. “At the ports, the drug is concealed in containerized cargo falsely declared as pharmaceuticals, electrical materials or household goods. Express courier services are used for smaller, high-value quantities, often packed alongside legitimate consignments to avoid detection.”

NACOC said Ghana had emerged as both a destination and transit hub for tapentadol, with the majority of intercepted consignments bound for Niger, Mali, Burkina Faso and Nigeria. When sold domestically, it said the street drug was promoted as a tramadol substitute.

Ghana’s Food and Drugs Authority (FDA) said last year that the abuse of pharmaceutical opioids such as tapentadol — commonly known on the street as “Red” — was on the rise.

The FDA told Bellingcat it had “never issued any permit” for the manufacture or importation of tapentadol, in any strength, to any importer or to any country. It said any tapentadol shipments to Ghana were for “trans-shipment to neighbouring country”.

Import data for Ghana shows that no tapentadol entered the country between 2023 and 2025, which supports NACOC’s position that the drugs are being concealed and falsely declared. Import data for Sierra Leone was not available through 52wmb.

India’s drug and pharmaceutical exports have grown to more than $30 billion a year, according to the Pharmaceuticals Export Promotion Council of India (Pharmexcil), a division of the ministry of commerce and industry.

While tapentadol is available in India on prescription in strengths of up to 100mg (immediate release) and 200mg (extended release), authorities are aware of its risk of misuse. Last year, the Indian drug regulator’s Technical Advisory Board said the Department of Revenue may be requested to schedule the painkiller under the Narcotic Drugs and Psychotropic Substances Act, which would tighten rules around its export.

To export pharmaceutical products at strengths that are not approved in India, exporters are required to obtain an export “no objection certificate” (NOC) from the CDSCO, for which they have to submit proof of the drug’s approval in the importing country. Publicly available information shows tapentadol is not approved for use in any of the West African nations identified as part of this investigation.

The CDSCO did not respond to questions from Bellingcat or our publishing partner, Newslaundry.

In response to “Right to Information” requests submitted by Newslaundry, the CDSCO said only two companies had been granted authorisation to manufacture tapentadol for export between 2019 and 2024. However, the trade data analysed by Bellingcat did not list either company as an exporter of tapentadol to West Africa.

The CDSCO also said it had issued export NOCs for tapentadol to 51 companies since 2024, but that these were not for export to West African countries.

Meanwhile, Bellingcat’s analysis of trade data shows that more than 60 Indian suppliers have exported tapentadol to West Africa since 2023. The exporters are mostly pharmaceutical companies but also include smaller operations, such as one company owned by a Nigerian man who sent more than US $4 million of tapentadol to Niger and Ghana.

Dinesh Thakur, co-author of the book Truth Pill, told Newslaundry there were gaps in India’s drug regulatory framework that made it possible for potentially unsafe medicines to be manufactured and exported without proper oversight.

“There is no regulatory framework which checks a genuine importer and counterfeit importer between countries,” said Thakur, a former pharmaceutical executive who now works as a public health activist.

Mohammed Adinoyi Usman, a consultant anaesthetist at Rasheed Shekoni Federal University Teaching Hospital in Nigeria, said tackling Africa’s opioid crisis was complicated by a lack of resources across the region, weak government responses, and inaction by law enforcement agencies.

He said more collaboration and intelligence sharing was needed, especially across West African countries, to combat the problem. “We see so many opioids coming into our region because of a range of factors including under-funded institutions like customs and drug agencies, weak border controls and corruption,” he said.

“Africa is different. Even southern Africa is different from western Africa – each region has its peculiarities. In Nigeria, we don’t have well-functioning institutions to help control it. But our government is trying.”

Dr Usman said access to prescription opioids in Africa was inadequate, and pointed to research showing the disparity in distribution of legal opioids to low-income countries compared to high-income nations that consume the bulk of the world’s pain relief medication. He said opioid abuse was linked to crime and negative health outcomes.

“Sadly, access to prescription opioids is very limited in Africa,” Dr Usman said, “but the costs of illegal use are high.”

---

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post Painkiller Pipeline: 300 Million Tapentadol Pills Sent from India to West Africa appeared first on bellingcat.

Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work.

A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad. 

Among those affected were a senior military officer responsible for information security, a counter terrorism coordinator in the foreign affairs department, and an employee whose role was to identify hybrid threats against the country.

The revelations come as Hungarians head to the polls this Sunday to decide if Viktor Orbán, leader of the right-wing populist party Fidesz and the country’s longest-serving prime minister, will be elected to a fifth consecutive term.

This is not the first time that deficiencies in the Hungarian government’s IT security have been revealed. In 2022, ahead of Hungary’s last election, Direkt36 reported that Russia’s intelligence services had gained access to the computer network of the Hungarian foreign ministry, including its internal communications channels.

It said Russian cyber attacks against the Hungarian government had been occurring for at least a decade and extended to the foreign ministry’s encrypted network for transmitting classified data and confidential diplomatic documents.

At the time, the foreign ministry denied it had been hacked. But in 2024, news outlet 444 published a letter that had been sent from Hungary’s National Security Service to the foreign ministry six months before the cyberattack was first reported. The letter linked the attacks to Russia and described more than 4,000 workstations and 930 servers as “unreliable”.

As part of this new analysis, Bellingcat identified a total of 795 unique email and password combinations among thousands of search results for Hungarian government domains in breach databases. Key departments that handle the country’s governance, defence, foreign affairs and finances were the worst affected.

The analysis does not include central government agencies that operate under the government’s official ministries and use separate domains, such as the tax and customs administration or the police – meaning breaches affecting government employees could be even more widespread.

The findings are not evidence of high-tech infiltration of Hungarian government systems. Instead, our analysis indicates that the breaches are more likely the result of poor digital hygiene. In many cases, staff used simple passwords along with their government email addresses for what appear to be non-work-related matters, such as signing up to dating, music, sport and food websites.

Some government workers used easy-to-guess passwords such as variations of the word “Password” or the number sequence “1234567”. One employee whose credentials were exposed in the 2012 LinkedIn hack used the password “linkedinlinkedin”. Another, in the defence ministry, used their surname. One leaked password from an employee in the foreign affairs ministry was “embassy13hungary”. 

Multiple breaches also contained phone numbers, addresses, dates of birth, usernames and IP addresses – data that, when exposed, could pose security risks.  

Additionally, a search of breach databases showed instances where computers have been infected with malware designed to steal login credentials. These records show that 97 machines across Hungarian government departments had been compromised, with stealer logs from as recently as last month found in the data.

Bellingcat contacted the Hungarian government’s spokesperson and the Prime Minister’s office, but did not receive a response.

The Weakest Link: Searching Breach Data

Breach databases are large collections of credentials harvested from previous cyber incidents. These databases can be searched by domain to identify email addresses belonging to a specific organisation, company or government. 

Bellingcat used Darkside, a paid service by District 4 Labs, to search the main email domains assigned to each of the Hungarian government’s 13 ministries. 

In total, 795 breaches containing government emails and associated passwords were identified. But most – 641 breaches – were linked to just four central institutions. 

In the examples detailed below, staff have been anonymised. However, Bellingcat has confirmed these accounts are genuine by cross-checking the employees named in the breaches against media reports and online profiles, such as LinkedIn.  

Ministry of Interior – this “super-ministry” oversees everything from health and education to the police, immigration, disaster management and local government 

Bellingcat identified 170 sets of emails and passwords linked to the domain used by the ministry in charge of domestic affairs. Passwords used by staff in this department included “Arsenal” and “Paprika”. Some used passwords that contained only three or four letters. We traced these accounts to professional profiles and government web pages listing both junior and senior staff.

One senior official in the prison service used the password “adolf”. After it appeared in breach databases the password was changed twice – first to a five-digit number and then to what appeared to be the name for a pet dog. The passwords were subsequently breached again. Bellingcat identified this employee through several instances of their name and email address being listed on public-facing documentation, including a press release celebrating an award for outstanding professional work.  

Ministry of Defence – responsible for national defence policy and directing the country’s defence forces

The credentials of staff working for the Ministry of Defence were found in 120 compromised records. This includes a 2023 breach of NATO’s eLearning services which resulted in 42 records containing emails, passwords and phone numbers becoming public.

The breaches peaked in 2021 but continued up to 2026. Included in the data were stealer logs, indicating that machines within the department may have been infected. 

Military personnel from junior ranks to command positions were identified. A Brigadier General used a common six letter nickname, based on his own, to sign up to a film festival. A Colonel specialising in “information security” took inspiration from an English football manager for his password: “FrankLampard”. A district director used the password “123456aA”, while a high-ranking member of Hungary’s delegation to NATO used a password that translates in English to “cute”. 

Ministry of Foreign Affairs and Trade – responsible for international relations, Hungarian embassies and consulates operate under the direction of the department

The credentials of current and former foreign affairs personnel have been exposed in dozens of data breaches from 2011 to February 2026. In total, there were 107 email and password combinations linked to this government ministry. 

Among the staff affected was a deputy head of mission, consuls, diplomats and communications personnel posted in Europe, the Americas and the Middle East. These include a counter terrorism coordinator, an EU spokesperson, and an individual whose role was to identify hybrid threats to Hungary.

Although the breaches peaked in 2020, with emails being found in 42 separate breaches indexed by Darkside, MFA emails have been circulated, often with passwords, in 36 separate breaches since the beginning of 2024. The most recent breaches were in 2026.  

Simple passwords appear to have left Hungary’s foreign affairs ministry vulnerable. In some cases, employees used a password that consisted of their own name and a two digit number. Others appeared to take inspiration from pop culture: “porsche911”, “frogger” and “Batman2013” are examples of real passwords used by staff.

Ministry of National Economy – oversees economic policy and financial strategy, including budget preparation and reducing national debt

Bellingcat’s analysis shows that staff in the Ministry for National Economy suffered 99 breaches. The Ministry of Finance, which was merged into this department in 2025, had suffered 145 breaches.

Among the breached data were the credentials of a deputy state secretary, who used the password “snoopy”. Other staff members used their date of birth or the word “Jelszo” – the Hungarian word for password.

A senior advisor who currently works in the ministry had their credentials breached four times using four different passwords, including “Kurvaanyad1” (roughly translated to “your mother is a wh**e”).

Cybersecurity Not Taken Seriously

Szabolcs Dull, a political analyst and the former editor-in-chief of the independent Hungarian news websites Index and Telex, said the government had failed to prioritise data security. 

“It’s clear from the data breaches that have come to light that government agencies did not take data security seriously,” he said. 

“This suspicion arose even when Russian hackers breached the foreign ministry’s IT system. That is why I believe Hungarian politicians and the public will interpret this new information as a continuation and confirmation of the Russian hacking story.”

Dull added that he was not aware of any investigation having been launched following the 2022 revelations of the Russian hack.

Kata Kincső Bárdos, a cybersecurity expert in Hungary, said it was difficult to understand why stricter controls would not be consistently enforced in government environments handling sensitive data.

She said governments should not only apply baseline rules for passwords – such as that staff use long, unique passwords and multi-factor authentication (MFA) – but also continuously monitor for compromised credentials and suspicious access patterns.

“Without MFA, systems become significantly more vulnerable to common attack methods such as phishing and credential stuffing,” she said. “A single compromised password can provide immediate access to internal systems.” 

Bárdos added that unauthorised access to government systems should automatically trigger incident response procedures, investigation and containment measures.

“It is also important to note that targeting lower-level employees is a well-documented and common tactic,” she said. “Attackers frequently gain initial access through phishing or weak credentials and then move laterally within systems.”

---

Bellingcat’s Ross Higgins and investigative journalist Eva Vajda contributed to this article.

Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.

The post ‘Snoopy’, ‘Adolf’ and ‘Password’: The Hungarian Government Passwords Exposed Online appeared first on bellingcat.