Amid the ongoing hullabaloo over Hillary Clinton campaign chair John Podesta’s leaked emails, and whether they will affect the U.S. first lady-turned-senator-turned-secretary-of-state-turned-presidential candidate’s chances of being elected, one question is frequently overlooked: how did hackers get their hands on Podesta’s inbox in the first place?
Over at Internet security firm Bitdefender’s news site, Hot for Security, contributor Graham Cluley did some digging and came up with the very first email that compromised Podesta’s account, illustrating a valuable lesson for businesses – and their IT departments – everywhere.
“At first glance the email, sent on March 19 2016, looks like a legitimate communication from Google warning that hackers have used Podesta’s password to log into his Gmail account from Ukraine,” Cluley wrote in the Oct. 31 blog entry.
“Sounds urgent, right? And, sensibly, Podesta forwarded the warning to the Clinton campaign’s IT team asking what action he should take.”
Astonishingly, however, Clinton’s IT team replied that the email was legitimate and urged Podesta to immediately change his password and turn on two-factor authentication.
As Cluley notes, Clinton’s IT team did send Podesta the correct link to review his Google security settings, but it’s likely Podesta clicked on the link in the original message instead. That link was a bit.ly short URL, which hid the real destination: a fake – but likely convincing – copy of the Google sign-in page that the hackers controlled.
(In case you’re wondering, the link is broken as of this writing.)
Once Podesta typed his user name and password into the fake page, the hackers had his credentials and were in.
Thus far, whistleblowing non-profit organization Wikileaks has released more than 36,000 of Podesta’s emails, and claims to have at least 14,000 more that will be released by Nov. 8, the date of the U.S. election.
While nobody knows the precise identities of the hackers, or who shared Podesta’s emails with Wikileaks, they “were clearly part of a wave of attacks masterminded by the notorious Fancy Bear hacking group, believed to have close ties to Moscow,” Cluley wrote.
Couched in the Clinton campaign’s embarrassment, however, is an important lesson for companies: If Podesta had already set up two-step verification on his account, learning his password wouldn’t have been enough for the hackers to break in, at least not with a simple credential-harvesting page like this one. (A phishing site that relays the one-time code to Google in real time can still defeat SMS and app-generated codes, which is why hardware security keys are the stronger second factor.)
Had he checked the link’s URL, he might have noticed that it led to “myaccount.google.com-securitysettingpage.tk” rather than “https://myaccount.google.com/security”. The tell is in the right-hand end of the hostname: the registered domain is “com-securitysettingpage.tk”, not “google.com”; the familiar “myaccount.google” is just a prefix the attackers chose.
And if he hadn’t been reusing the same passwords elsewhere, other attackers wouldn’t have been able to break into his Twitter and iCloud accounts using credentials gleaned from the leaked emails.
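The URL check described above is mechanical enough to automate. The following is an added example, not code from the article or from Bitdefender or Graham Cluley: it parses a link, works out which domain is actually registered (the public suffix plus one label), and flags hostnames that merely embed a trusted name, shortener links that hide their destination, and plain-http links. The public-suffix table is a deliberately tiny hardcoded subset (an assumption for this example; production code should use the full Public Suffix List, for instance via the `tldextract` package), and the bit.ly short code is a constructed placeholder, not the one from the Podesta email.

```python
"""Hostname-based lookalike check for links in "security alert" emails.

Added illustration, not code from the article or from Bitdefender/Graham Cluley.
PUBLIC_SUFFIXES is a hand-picked stand-in for the Public Suffix List (assumption);
real code should use the full list (e.g. the `tldextract` package).
"""
from urllib.parse import urlparse

# Suffixes under which third parties can register names. Constructed subset.
PUBLIC_SUFFIXES = {"com", "org", "net", "tk", "ly", "co", "co.uk"}

# Where a genuine Google account-security link is expected to live.
TRUSTED_DOMAINS = {"google.com"}

# Well-known URL shorteners: they hide the true destination and deserve a flag.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


def registrable_domain(host: str) -> str:
    """Return the registered domain: the public suffix plus one more label.

    'myaccount.google.com'                        -> 'google.com'
    'myaccount.google.com-securitysettingpage.tk' -> 'com-securitysettingpage.tk'
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix down, so 'co.uk' beats 'uk'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix  # the host itself is a public suffix
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_link(url: str) -> dict:
    """Classify a link the way a cautious recipient (or a mail filter) should."""
    parsed = urlparse(url.strip())
    host = parsed.hostname or ""
    domain = registrable_domain(host) if host else ""
    reasons = []

    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'missing'}, not https")

    if domain in SHORTENERS:
        reasons.append(f"{domain} is a URL shortener; the destination is hidden")
    elif domain not in TRUSTED_DOMAINS:
        reasons.append(
            f"registered domain is {domain!r}, not one of {sorted(TRUSTED_DOMAINS)}"
        )
        # Lookalike: a trusted name appears inside the host but is not what
        # the host is registered under (e.g. 'google.com' as a prefix of a .tk name).
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and host != trusted and not host.endswith("." + trusted):
                reasons.append(
                    f"host embeds {trusted!r} but is registered elsewhere (lookalike)"
                )
                break

    return {
        "host": host,
        "registrable_domain": domain,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample links: the genuine settings page, the lookalike host
    # quoted in the article, and a placeholder shortener link (not the real one).
    for link in (
        "https://myaccount.google.com/security",
        "http://myaccount.google.com-securitysettingpage.tk/security/signinoptions/password",
        "https://bit.ly/xxxxxxx",
    ):
        verdict = check_link(link)
        status = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{status:10} {link}")
        for reason in verdict["reasons"]:
            print(f"           - {reason}")
```

The important design choice is that the verdict hinges on the registered domain, derived from the right-hand end of the hostname, rather than on whether a familiar string appears anywhere in the URL. That is exactly the distinction the lookalike host in the Podesta email was built to blur, and it is why substring matching on "google.com" is not a safe filter.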
“The truth is that the breach of the Clinton campaign chief’s email did not require sophisticated hacking skills,” Cluley wrote. “It just depended on the right combination of human error and carelessness.”