Some of the passwords that Defense Secretary Pete Hegseth used to register for websites were exposed in cyberattacks on those sites and are available on the internet, raising new questions about his use of personal devices to communicate military information.

At least one password appears to have been used multiple times for different personal email accounts maintained by Hegseth. If hackers gain access to email accounts, they can often reset other passwords.

Hegseth appears to have reused passwords to remember them more easily. At least one of them is, or was, a simple, lowercase alphanumeric combination of letters followed by numbers, potentially representing initials and a date. The same password was leaked in two separate breaches of personal email accounts, one in 2017 and another in 2018.

It is not clear whether he has updated the compromised passwords or if he did so before he used his personal phone in March to share sensitive information about planned U.S. strikes on Houthi militia targets in Yemen.

Hegseth’s digital practices and security have been under scrutiny since he discussed the precise timing of those airstrikes in at least two chats on Signal, a free, encrypted messaging app. At least one of the chats took place on his personal phone. That information could have endangered U.S. pilots if an adversarial power had intercepted it.