When John Podesta forgot his Apple iCloud password last spring, he asked an aide to remind him so she emailed it to him. And that set the stage for trouble for Hillary Clinton’s campaign chairman.
First, a WikiLeaks dump last week of Podesta’s alleged Gmail messages revealed the password “Runner4567” to the world. Then someone hijacked Podesta’s Twitter account, possibly using the same password, and blasted out the tweet: “I’ve switched teams. Vote Trump 2015.” The next morning, a security researcher found evidence that digital pranksters had used the password to remotely erase all the contents from Podesta’s Apple devices.
The cascade of woes, which Clinton’s campaign has not confirmed, appears to make Podesta just the latest Washington power player to join an inglorious club: the roster of senior government officials and political operatives who, like tens of millions of other Americans, have failed to take basic protections for their sensitive data. Others in the elite group include Director of National Intelligence James Clapper, CIA Director John Brennan and 2012 Republican presidential nominee Mitt Romney, whose personal emails have all suffered assault from digital intruders.
Podesta’s saga is both an object lesson and a warning that D.C. needs to up its cyber game, security experts said.
“This one has it all,” said Joe Siegrist, CEO of the password-management company LastPass, which offers people an encrypted app to house their login credentials. “An absolutely terrible password. Assistants emailing the password. Passwords being re-used for a bunch of different sites. Pretty much all the classic mistakes that everybody who has zero care about this makes.
“When you do everything wrong, you’re bound to fail,” Siegrist added.
While ordinary Americans routinely make many of the same mistakes, some cyber experts say such weaknesses are especially damaging when they involve big players like Podesta, whose emails were targeted by hackers in what U.S. intelligence agencies allege is an attempt by Russia to meddle in the U.S. presidential election.
“Podesta’s hack affects the rest of us,” said Christopher Soghoian, the chief technologist at the American Civil Liberties Union. “If the hacking of his emails influences the election, that’s a big problem.”
And the experts said U.S. cyber policy has an even more gaping flaw: High-ranking officials’ private email accounts are not treated as the valuable trove of intelligence they are. “These are not average people,” Soghoian said. “Their communications are being targeted by nation-states and they need to be protected.”
He said Podesta’s hack could be the tipping point by sparking “a conversation about whether the personal accounts of policymakers and those involved in the political process should be getting help to protect themselves.” That help could come from an agency like the Secret Service, which is already a player in the digital realm and provides personal physical protection to top-level federal officials and campaign VIPs.
But until then, experts believe senior officials will continue to bungle their personal digital security.
Podesta’s place in the Cybersecurity Hall of Shame came about thanks to this month’s WikiLeaks dumps of emails allegedly hacked from his personal Gmail account, one of which revealed that he had openly shared his easy-to-crack Apple iCloud password. And even worse, they indicate, he may have used it for multiple accounts, including Twitter.
An email from May 16 shows Podesta asking Eryn Sepp, his former special assistant at the White House, whether she knew his Apple ID, which would grant access to his Apple accounts and devices. “I do,” she responded, pasting his password into the email, a practice security specialists highly discourage.
Screenshots of the email quickly made the rounds on the internet. Within hours, a hacker had taken over Podesta’s Twitter account and sent out the pro-Trump tweet. The incident led to speculation that Podesta may have employed the “Runner4567” password for his Twitter account, and that he hadn’t turned on a security feature called “two-factor authentication,” which requires users to enter a one-time code sent to their cellphone in addition to the regular password.
The next morning, digital security researcher Matt Tait, chief executive of the United Kingdom-based firm Capital Alpha Security, captured screenshots from digital activists indicating they had remotely erased all the content from Podesta’s Apple devices. If true, that would mean Podesta probably hadn’t changed his iCloud password since it had appeared in the WikiLeaks dump.
The Clinton campaign has not confirmed the digital wipe. It has also refused to verify or dispute the authenticity of many of the WikiLeaks emails, including the one that revealed Podesta’s iCloud password. Still, the incidents have served as yet another distraction for the campaign amid the daily WikiLeaks releases, which were already generating headaches.
Security researchers said Thursday that they believe that hackers linked to Russian intelligence had committed the original breach of Podesta’s Gmail account, using another all-too-common exploit: In March, the hackers sent him a bogus alert that appeared to come from Google, warning Podesta that “someone has your password.” That apparently prompted Podesta to click a link that redirected him to a fake Google login page, where he entered his credentials. (The site Motherboard initially reported the researchers’ conclusions.)
Podesta, a former senior White House official in the Obama and Bill Clinton administrations, is far from the first prominent political figure to fall victim to basic security lapses.
In 2012, Gawker reported that hackers had broken into Romney’s personal Hotmail account after correctly answering his backup security question: “What is your favorite pet?” Though reporters never confirmed speculation that the pet was Seamus, the Irish setter that Romney had famously transported on the roof of his car, these types of questions are easy for digital intruders to research and answer when they involve famous people. (The culprit who took credit for the intrusion claimed to have not taken any information.)
During the 2008 election, a University of Tennessee student used a similar technique to break into the Yahoo email account of Republican vice presidential nominee Sarah Palin, then disclose some of her messages to WikiLeaks. The student was later sentenced to a year in federal custody.
And just last month, a federal judge sentenced Marcel Lazar, a Romanian hacker who went by the alias “Guccifer,” for infiltrating the emails of several Bush family members. The intrusion brought to light images of former President George W. Bush’s paintings, including a self-portrait of him in the shower.
Even top intelligence officials have had their own digital fumbles. Within the last two years, intruders compromised the personal email accounts of both Clapper, the director of national intelligence, and Brennan, the CIA chief.
In Brennan’s case, hackers penetrated his AOL account by posing as Verizon employees and getting AOL to reset his password. While a strong password would not have prevented this, turning on two-step authentication could have stymied the hackers.
But Brennan had no such security installed, allowing the digital pranksters to steal and publish the spy chief’s application for a security clearance, a document that included exhaustive amounts of personal information in addition to sensitive details such as Brennan’s Social Security number. Authorities recently arrested two North Carolina men on charges of committing the break-in.
Washington’s problems with passwords are so well-known it’s reached the point of self-parody. President Barack Obama joked about it last year during the White House’s much-hyped cybersecurity conference at Stanford University.