Somebody broke into the email account of John Podesta, chairman of Hillary Clinton’s presidential campaign, earlier this week, stealing a bevvy of emails and posting them on WikiLeaks.
Here’s some salt for that wound: Podesta’s Twitter account was hijacked briefly on Wednesday, to boot.
The tweet has since been removed, but here’s an image.
I’ve switched teams. Vote Trump 2016. Hi pol.
The Clinton campaign confirmed what it called a “hack.”
Nick Merrill, Clinton’s traveling press secretary:
We can confirm that John’s Twitter account was hacked, which would explain that message. And we are working on fixing it.
“Hi pol” is apparently a reference to 4Chan’s Politically Incorrect thread, /pol/.
That cheeky little greeting doesn’t mean that anybody on 4Chan is necessarily responsible for either the email attack or the Twitter takeover.
Podesta’s Twitter account wasn’t exactly hacked, mind you: his Apple ID and password were included in the WikiLeaks email dump, in an email with the subject header of “Re: Apple ID.”
It’s been suggested that Podesta might not have been using two-factor authentication (as Christopher Soghoian, @csoghoian, noted in a tweet on October 13, 2016) and/or that he was reusing his password.
Besides his iCloud credentials, somebody also found and tried out Podesta’s Outlook credentials.
While 4Chan users may not necessarily have been responsible for the initial email thievery, they reportedly have tried out the credentials on Podesta’s Twitter and Outlook accounts.
By the way, don’t do that! It’s illegal to access accounts without authorization, even if the password’s published by WikiLeaks, pinned to a bulletin board, scribbled on a highway sign or skywritten for all to see!
Podesta has been ridiculed for not changing his passwords after WikiLeaks began to publish his emails on Monday.
According to a Reddit thread, the intruders wiped Podesta’s iPad and phone, changed details in his iTunes account, and tracked his location via his phone’s GPS.
Anonymous has claimed to have gotten into his new email as well, posting a screen capture dated 12 October of what looks like Podesta’s Outlook account (shared in a tweet by King Robbo, @realkingrobbo, on October 12, 2016).
Would 2FA have saved Podesta this embarrassment?
Well, we know of one Twitter hijacking victim for whom 2FA didn’t work, but it’s still a good safety guard to implement.
Would using unique, difficult-to-guess passwords for all his accounts have spared Podesta this doxxing?
Not if every single one of those difficult-to-guess, unique passwords was tucked away in a trove of stolen emails (helpfully labelled as passwords!), but otherwise, it’s a strong security protection. For all the reasons why, here’s a detailed explanation of the dangers of password reuse.
John Podesta, after you please, please change all your passwords to unique, hefty brutes, may we suggest you consider using a password manager?
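The two failure modes above (credentials sitting in plain text inside a mailbox, and one password reused across several services) are exactly what an incident responder would want to find before an attacker does. The following is an added example, not code from the original article or from any tool it mentions: a small Python scanner over a constructed, fictional mailbox that flags messages which appear to contain a password, then reports any password that turns up in more than one message so those accounts can be rotated first. The message contents, addresses and passwords below are invented for the demonstration, and the report masks each secret so the output itself does not become another copy of the credential.

```python
import re
from collections import defaultdict

# Constructed sample mailbox: (subject, body) pairs invented for this example.
SAMPLE_MAILBOX = [
    ("Re: Apple ID", "Hi,\nYour Apple ID is jdoe@example.com\npassword: Runner4567\n"),
    ("Lunch Thursday?", "Are we still on for lunch? Thanks!"),
    ("Outlook setup", "Username: jdoe\nPassword: Runner4567\nServer: mail.example.com"),
    ("Twitter login", "handle @jdoe pw: Runner4567!"),
    ("Wifi at the office", "The WPA key is: CoffeeBean22"),
]

# Patterns that usually precede a pasted secret. Deliberately broad: in triage,
# a false positive costs a glance, a missed credential costs an account.
CREDENTIAL_PATTERNS = [
    re.compile(r"\b(?:password|passwd|pwd|pw)\s*[:=]\s*(\S+)", re.IGNORECASE),
    re.compile(r"\b(?:wpa|wifi)\s+key\s+is\s*[:=]?\s*(\S+)", re.IGNORECASE),
]


def find_credentials(mailbox):
    """Return a list of (subject, secret) for every secret-looking token found."""
    hits = []
    for subject, body in mailbox:
        for pattern in CREDENTIAL_PATTERNS:
            for match in pattern.finditer(body):
                hits.append((subject, match.group(1)))
    return hits


def mask(secret):
    """Keep only the first two characters so a report never re-publishes a password."""
    return secret[:2] + "*" * (len(secret) - 2)


def reuse_report(hits):
    """Map each masked secret seen in two or more messages to the subjects it appeared in.

    Grouping is done on the real secret (exact match), masking only at output,
    so two different passwords that share a prefix are not merged.
    """
    by_secret = defaultdict(set)
    for subject, secret in hits:
        by_secret[secret].add(subject)
    return {
        mask(secret): sorted(subjects)
        for secret, subjects in by_secret.items()
        if len(subjects) > 1
    }


if __name__ == "__main__":
    found = find_credentials(SAMPLE_MAILBOX)
    print(f"{len(found)} message(s) appear to contain a credential:")
    for subject, secret in found:
        print(f"  {subject!r}: {mask(secret)}")
    print("Reused across messages (rotate these first):")
    for masked, subjects in reuse_report(found).items():
        print(f"  {masked}: {subjects}")
```

Note that "Runner4567!" in the Twitter message is treated as a different secret from "Runner4567": exact-match grouping keeps the reuse report honest, and a near-duplicate like that is still surfaced in the per-message listing for a human to judge.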