Somebody broke into the email account of John Podesta, chairman of Hillary Clinton’s presidential campaign, earlier this week, stealing a bevy of emails and posting them on WikiLeaks.
Here’s some salt for that wound: Podesta’s Twitter account was hijacked briefly on Wednesday, to boot.
The tweet has since been removed, but here’s an image.
It read:
I’ve switched teams. Vote Trump 2016. Hi pol.
The Clinton campaign confirmed what it called a “hack.”
Nick Merrill, Clinton’s traveling press secretary:
We can confirm that John’s Twitter account was hacked, which would explain that message. And we are working on fixing it.
“Hi pol” is apparently a reference to 4Chan’s Politically Incorrect thread, /pol/.
That cheeky little greeting doesn’t mean that anybody on 4Chan is necessarily responsible for either the email attack or the Twitter takeover.
Podesta’s Twitter account wasn’t exactly hacked, mind you: his Apple ID and password were included in the WikiLeaks email dump, in an email with the subject line “Re: Apple ID.”
It’s been suggested that Podesta might not have been using two-factor authentication:
Probably safe to assume @johnpodesta didn't have two-factor authentication enabled on his Twitter account. Don't make the same mistake! pic.twitter.com/SzLYbJSIa8
— Christopher Soghoian (@csoghoian) October 13, 2016
…and/or that he was reusing his password.
Besides his iCloud credentials, somebody also found and tried out Podesta’s Outlook credentials.
While 4Chan users may not necessarily have been responsible for the initial email thievery, they reportedly have tried out the credentials on Podesta’s Twitter and Outlook accounts.
By the way, don’t do that! It’s illegal to access accounts without authorization, even if the password’s published by WikiLeaks, pinned to a bulletin board, scribbled on a highway sign or skywritten for all to see!
Podesta has been ridiculed for not changing his passwords after WikiLeaks began to publish his emails on Monday.
According to a Reddit thread, the intruders wiped Podesta’s iPad and phone, changed details in his iTunes account, and tracked his location via his phone’s GPS.
Anonymous has claimed to have gotten into his new email as well, posting a screen capture dated 12 October of what looks like Podesta’s Outlook account:
Anon claims to have gotten into Podesta’s email. Take with a massive sack of salt until proven. #TrumpTrain #Trump2… pic.twitter.com/9e3v6zXOLZ
— 🐸King Robbo 🐸 (@realkingrobbo) October 12, 2016
Would 2FA have saved Podesta this embarrassment?
Well, we know of one Twitter hijacking victim for whom 2FA didn’t work, but it’s still a good safeguard to put in place.
Would using unique, difficult-to-guess passwords for all his accounts have spared Podesta this doxxing?
Not if every single one of those difficult-to-guess, unique passwords was tucked away in a trove of stolen emails (helpfully labelled as passwords!), but otherwise, it’s a strong protection. For all the reasons why, here’s a detailed explanation of the dangers of password reuse.
John Podesta, after you please, please change all your passwords to unique, hefty brutes, may we suggest you consider using a password manager?
Image of Hillary Clinton courtesy of JStone / Shutterstock.com
Kyle Saia
It’s funny whenever I suggest a password manager people tell me that they are afraid that it will get compromised, then they use the same password for everything…
Mark
And of course it defeats the object if your unique passwords are just a series or variations on a single favourite password. Dilbert1, Dilbert2, Dilbert3 etc. :)
Anonymous
Man, sooner or later the gov will actually care about system security. Obviously they do not understand what it takes yet. I mean China stole the newest F series plans and built a plane on it. This guy is representing the next president who got her email hacked and still has not taken it seriously enough to even change his password?? Fire that chump.