When John Podesta forgot his Apple iCloud password last spring, he asked an aide to remind him — so she emailed it to him. And that set the stage for trouble for Hillary Clinton’s campaign chairman.
First, a WikiLeaks dump last week of Podesta’s alleged Gmail messages revealed the password — “Runner4567” — to the world. Then someone hijacked Podesta’s Twitter account, possibly using the same password, and blasted out the tweet: “I’ve switched teams. Vote Trump 2015.” The next morning, a security researcher found evidence that digital pranksters had used the password to remotely erase all the contents from Podesta’s Apple devices.
The cascade of woes, which Clinton’s campaign has not confirmed, appears to make Podesta just the latest Washington power player to join an inglorious club — the roster of senior government officials and political operatives who, like tens of millions of other Americans, have failed to take basic protections for their sensitive data. Others in the elite group include Director of National Intelligence James Clapper, CIA Director John Brennan and 2012 Republican presidential nominee Mitt Romney, whose personal emails have all suffered assault from digital intruders.
Podesta’s saga is both an object lesson and a warning that D.C. needs to up its cyber game, security experts said.
"This one has it all,” said Joe Siegrist, CEO of the password-management company LastPass, which offers people an encrypted app to house their login credentials. “An absolutely terrible password. Assistants emailing the password. Passwords being re-used for a bunch of different sites. Pretty much all the classic mistakes that everybody who has zero care about this makes.
“When you do everything wrong, you’re bound to fail,” Siegrist added.
While ordinary Americans routinely make many of the same mistakes, some cyber experts say such weaknesses are especially damaging when they involve big players like Podesta, whose emails were targeted by hackers in what U.S. intelligence agencies allege is an attempt by Russia to meddle in the U.S. presidential election.
“Podesta’s hack affects the rest of us,” said Christopher Soghoian, the chief technologist at the American Civil Liberties Union. “If the hacking of his emails influences the election, that’s a big problem.”
And the experts said U.S. cyber policy has an even more gaping flaw: High-ranking officials’ private email accounts are not treated as the valuable trove of intelligence they are. “These are not average people,” Soghoian said. “Their communications are being targeted by nation-states and they need to be protected.”
He said Podesta’s hack could be the tipping point by sparking “a conversation about whether the personal accounts of policymakers and those involved in the political process should be getting help to protect themselves.” That help could come from an agency like the Secret Service, which is already a player in the digital realm and provides personal physical protection to top-level federal officials and campaign VIPs.
But until then, experts believe senior officials will continue to bungle their personal digital security.
Podesta’s place in the Cybersecurity Hall of Shame came about thanks to this month’s WikiLeaks dumps of emails allegedly hacked from his personal Gmail account, one of which revealed that he had openly shared his easy-to-crack Apple iCloud password. And even worse, they indicate, he may have used it for multiple accounts, including Twitter.
An email from May 16 shows Podesta asking Eryn Sepp, his former special assistant at the White House, whether she knew his Apple ID, which would grant access to his Apple accounts and devices. “I do,” she responded, pasting his password into the email, a practice security specialists highly discourage.
Screenshots of the email quickly made the rounds on the internet. Within hours, a hacker had taken over Podesta’s Twitter account and sent out the pro-Trump tweet. The incident led to speculation that Podesta may have employed the “Runner4567” password for his Twitter account, and that he hadn’t turned on a security feature called “two-factor authentication,” which requires users to enter a one-time code sent to their cellphone in addition to the regular password.
The next morning, digital security researcher Matt Tait, chief executive of the United Kingdom-based firm Capital Alpha Security, captured screenshots from digital activists indicating they had remotely erased all the content from Podesta’s Apple devices. If true, that would mean Podesta probably hadn’t changed his iCloud password since it had appeared in the WikiLeaks dump.
The Clinton campaign has not confirmed the digital wipe. It has also refused to verify or dispute the authenticity of many of the WikiLeaks emails, including the one that revealed Podesta’s iCloud password. Still, the incidents have served as yet another distraction for the campaign amid the daily WikiLeaks releases, which were already generating headaches.
Security researchers said Thursday that they believe that hackers linked to Russian intelligence had committed the original breach of Podesta’s Gmail account, using another all-too-common exploit: In March, the hackers sent him a bogus alert that appeared to come from Google, warning Podesta that “someone has your password.” That apparently prompted Podesta to click a link that redirected him to a fake Google login page, where he entered his credentials. (The site Motherboard initially reported the researchers’ conclusions.)
Podesta, a former senior White House official in the Obama and Bill Clinton administrations, is far from the first prominent political figure to fall victim to basic security lapses.
In 2012, Gawker reported that hackers had broken into Romney’s personal Hotmail account after correctly answering his backup security question: “What is your favorite pet?” Though reporters never confirmed speculation that the pet was Seamus — the Irish setter that Romney had famously transported on the roof of his car — these types of questions are easy for digital intruders to research and answer when they involve famous people. (The culprit who took credit for the intrusion claimed to have not taken any information.)
During the 2008 election, a University of Tennessee student used a similar technique to break into the Yahoo email account of Republican vice presidential nominee Sarah Palin, then disclose some of her messages to WikiLeaks. The student was later sentenced to a year in federal custody.
And just last month, a federal judge sentenced Marcel Lazar — a Romanian hacker who went by the alias “Guccifer” — for infiltrating the emails of several Bush family members. The intrusion brought to light images of former President George W. Bush’s paintings, including a self-portrait of him in the shower.
Even top intelligence officials have had their own digital fumbles. Within the last two years, intruders compromised the personal email accounts of both Clapper, the director of national intelligence, and Brennan, the CIA chief.
In Brennan’s case, hackers penetrated his AOL account by posing as Verizon employees and getting AOL to reset his password. While a strong password would not have prevented this, turning on two-step authentication could have stymied the hackers.
But Brennan had no such security installed, allowing the digital pranksters to steal and publish the spy chief’s application for a security clearance, a document that included exhaustive amounts of personal information in addition to sensitive details such as Brennan’s Social Security number. Authorities recently arrested two North Carolina men on charges of committing the break-in.
Washington’s problems with passwords are so well-known it’s reached the point of self-parody. President Barack Obama joked about it last year during the White House’s much-hyped cybersecurity conference at Stanford University.
“It’s just too easy for hackers to figure out usernames and passwords, like ‘password,’” he said. “Or ‘12345 — 7.’
“Those are some of my previous passwords,” Obama added, to laughter. “I’ve changed them since then.”
The issue is more than a punchline, though.
Siegrist estimated that the sloppy personal cyber habits of top-level officials are creating a threat to national security that he pegged “probably at 8” on a scale of 1 to 10. That’s because it’s “highly likely that a similar pattern that someone uses at home is used at work as well,” he said.
The White House has acknowledged that the password is an inherently flawed security measure and is funding efforts to eliminate it altogether. Through a program known as the National Strategy for Trusted Identities in Cyberspace, the administration has doled out grants to pilot projects that would allow people to access their accounts using other identifiers that are harder for hackers to compromise. Since 2012, the initiative has injected money into password alternatives that let people authenticate their identity online using mobile devices, digital rings and even bracelets.
But this process is going to take “quite a number of years,” cautioned Emmanuel Schalit, CEO of Dashlane, another password-management company.
So in the meantime, the Obama administration is also trying to nudge both the public and federal agencies into better password practices.
After last year’s bruising cyberattack at the Office of Personnel Management — which exposed over 20 million federal workers’ personnel files and security clearance forms — the White House directed all federal agencies to rapidly boost multifactor authentication for the vast majority of their network users. Earlier this year, the White House issued a wide-ranging cybersecurity plan that included an October public-awareness campaign to encourage multifactor authentication.
The changes the administration is touting are desperately needed.
A recent annual data breach report from Verizon found that 63 percent of confirmed intrusions involved hackers exploiting weak, default or stolen passwords. Dashlane estimates that more than 2 billion people use passwords to gain access to accounts, but only 50 million use software that generates random, unique passwords for each login. And the average American has 130 online accounts registered to a single email address, a figure expected to double every five years.
Developing a password alternative “could have been easy to fix 25 years ago when the internet was created,” but “today the internet has become big enough and global enough you can’t really make a mandate to individuals or to digital service providers to have them use some other system,” Schalit told POLITICO.
Jeffrey Goldberg, a product security officer at AgileBits, expressed some sympathy for people who fail to keep up with latest security techniques. While it’s “easy to blame and laugh at people for picking weak and guessable passwords or, worse, for reusing the same password for multiple sites and services,” he said, “I don’t think that it is generally fair to do so.”
“The world has built a system that requires extraordinary effort and diligence to use security and then go and blame people for not using the system securely,” added Goldberg, whose company makes the password manager 1Password.
But for those in the highest reaches of government, experts conceded, it is imperative that they be required to at least take the basic steps.
Siegrist compared the latest high-profile stumbles to someone who buys a house that hundreds of people have rented and then neglects to change the locks.
“Yeah, you can probably get away with it for a while,” he said, “but if you had valuable things behind your doors, you need to think a little more about it or about how else you’re going to secure it.”