CIA Director's Personal Email Account Breached By Hackers… Who Find Official Documents Stored In It

from the FWD:FWD:FWD:-classified-data-[KEEP-SAFE!] dept

LOL. Cybersecurity.

The Central Intelligence Agency will make one of the biggest overhauls in its nearly 70-year history, aimed in part at sharpening its focus on cyber operations and incorporating digital innovations, CIA director John Brennan said.

Brennan said he is creating new units within the CIA, called “mission centers,” intended to concentrate the agency’s focus on specific challenges or geographic areas, such as weapons proliferation or Africa.

The CIA director said he also is establishing a new “Directorate of Digital Innovation” to lead efforts to track and take advantage of advances in cyber technology to gather intelligence.


A hacker who claims to have broken into the AOL account of CIA Director John Brennan says he obtained access by posing as a Verizon worker to trick another employee into revealing the spy chief’s personal information.

Using information like the four digits of Brennan’s bank card, which Verizon easily relinquished, the hacker and his associates were able to reset the password on Brennan’s AOL account repeatedly as the spy chief fought to regain control of it.

Brennan: leading from the rear. “Digital innovations,” “cyber operations,” and a CIA director who forwards work email to his AOL account.

Now, there is very little anyone can do to prevent hacking via social engineering. There are too many weak links, many of which will probably be attending some mandatory training classes on account security in the near future. Not that it will help. As long as nearly every company uses the same list of personal info for identity verification, social engineering will continue to crack open secured accounts.

The hackers posed as Verizon techs. After they produced a fabricated “Vcode” (an identifier that “verifies” a person as a Verizon employee), Verizon gave up the information they needed to gain control of Brennan’s AOL account: PIN, backup phone number, email address and last four digits of his credit card.

They then called AOL to tell them they were locked out of “their” account. The information handed over by Verizon answered all of AOL’s verification questions. And in they went, uncovering — among other things — the SF-86 application Brennan had filled out to apply for security clearances. They also discovered — and posted — screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.

There’s been no document dump, so it’s unclear at this point how many work emails and documents Brennan forwarded to himself or if he used his AOL account to conduct official business. The thing is, Brennan should have known this was a terrible idea, no matter how convenient it was for him to peruse CIA docs from an email account he could access anywhere. He may not have been able to prevent the social engineering attack, but he could have ensured his personal email account only contained personal email. And I’m pretty sure the CIA frowns on taking official documents off-site, even if “Forward email” is used rather than an attache case.
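
An added example, not part of the original post and not code from AOL or Verizon: a defender-side check over constructed account-event lines that flags the two signals described above, a reset granted on recitable personal data alone and repeated resets while two parties fight over the same account. The log format, field names, proof labels and thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Assumed format:
# timestamp, then key=value fields; lines are in time order.
SAMPLE_LOG = """\
2024-03-04T09:02:11 acct=alice action=password_reset channel=phone_support proofs=pin,backup_phone,card_last4
2024-03-04T09:40:03 acct=alice action=password_reset channel=web proofs=otp_device
2024-03-04T09:55:47 acct=alice action=password_reset channel=phone_support proofs=pin,backup_phone,card_last4
2024-03-04T10:20:30 acct=alice action=password_reset channel=web proofs=otp_device
2024-03-04T11:00:00 acct=bob action=password_reset channel=web proofs=otp_device
"""

# Proofs a caller can simply recite, and that other companies also keep on file.
RECITABLE = {"pin", "backup_phone", "backup_email", "card_last4"}

def parse(line):
    """Turn one event line into a dict with a datetime and a set of proofs."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["proofs"] = set(ev["proofs"].split(","))
    return ev

def analyze(log, window=timedelta(hours=2), max_resets=2):
    """Return {account: sorted findings} for password-reset events."""
    findings, resets = {}, {}
    for ev in map(parse, log.strip().splitlines()):
        if ev["action"] != "password_reset":
            continue
        acct = ev["acct"]
        # Finding 1: reset granted on recitable data only, no possession proof.
        if ev["proofs"] <= RECITABLE:
            findings.setdefault(acct, set()).add("knowledge_only_reset")
        # Finding 2: more than max_resets inside the sliding window.
        recent = [t for t in resets.get(acct, []) if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        resets[acct] = recent
        if len(recent) > max_resets:
            findings.setdefault(acct, set()).add("reset_contention")
    return {a: sorted(f) for a, f in findings.items()}

if __name__ == "__main__":
    for account, found in analyze(SAMPLE_LOG).items():
        print(account, found)
```
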



Comments on “CIA Director's Personal Email Account Breached By Hackers… Who Find Official Documents Stored In It”

pixelpusher220 (profile) says:

*His* SF-86

This is not a security violation. It’s his personal info in his personal email account. Granted it has info on people he’s offering up to interview for his clearance, but they gave it to him willingly. Little different than an app asking for access to your contacts on your phone.

Stupid to have it just sitting there, but as a fellow cleared person, it is sometimes handy to have reference to that data. A thumb drive would be a better choice, but then I suppose that would be against policy too; bringing in personal thumb drives…

Whoever says:

Re: *His* SF-86

This is not a security violation. It’s his personal info in his personal email account.

Did you not even read the summary?

They also discovered — and posted — screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.

I am pretty sure that a list of intelligence officials is not his personal information.

tom (profile) says:

Re: He failed question #1...

Nothing wrong with having an AOL or yahoo type email account for your Personal, non-secure crap. His mistake was using it IN ANY FASHION for work related info. The whole point of most web-mail based systems is to allow the provider to data mine all of the user’s emails for information.

Sending that spreadsheet full of PII should result in the CIA having to send out data breach notifications and the resulting liability for possible identity theft. Plus a review of that person’s suitability for his job. Didn’t he hear about that small ruckus over Hillary’s email server? What kind of intelligence gathering ability does the CIA have anyway? This failure to connect the dots doesn’t fill me with great confidence.

Anonymous Coward says:

That’s not really hacking. More like phishing. I remember AOL instant messages used to always have a warning that says AOL staff will never ask you for your password. Despite this I always got random instant messages from random people claiming to work for AOL and needing my password. Apparently enough people fell for it at the time to encourage all these phishers to keep asking for personal information. I thought phishing was a dead art. Didn’t think people still fell for that.

Rich Kulawiec (profile) says:

Yet another example of meta-risks in data collection

There has been (and will continue to be) copious discussion of the risks of allowing governments and corporations to collect private data on individuals. But one of the often-overlooked aspects of that issue is that disclosure and abuse is possible not just by the collectors themselves, but by anyone clever enough to hack them.

Consider this case: if it’s really true that the people who pulled this off were teenagers, then (a) does anyone think they’re the first ones to succeed? and (b) if they weren’t the first ones, who were the others?

The massive data collections being assembled every day are touted by their proponents as weapons (against terror, the bogeyman du jour) or as tools. And perhaps, if we take a very generous view of them, they are. But they’re also enormous, extremely tempting targets. And when the people at the top of the food chain provide textbook demonstrations of worst practices in security, we know they’re vulnerable targets.

And that’s the meta-risk: indirect acquisition and exploitation by third parties. In this case, it appears to have been someone with a point to make. But what if it’s not, this time or the next time?

hij (profile) says:

Like A Personal Email Server

At least he was not using his own personal email server. Oh wait… I think that Secretary Clinton screwed up with the email server and have been dismayed by her inability to come clean (but not surprised). If the US Congress is going to spend millions of dollars on her situation then they should be crawling up this guy’s back side as well. What he did is just as bad if not worse.

DannyB (profile) says:

Re: Like A Personal Email Server

As you say it may be reasonable that this guy be investigated as much as Hillary.

The reality is, regardless of political party, congress only spends millions of dollars on an investigation, such as Hillary, when one party makes congress begin the investigation, and the action is against someone of an opposing party, or somehow considered an enemy.

Anonymous Coward says:

Re: Re:

You have utterly failed with your comment, unless your goal was to include as many factual errors as possible.

And Hillary is the bad guy here,

Hillary is widely acknowledged as being female, even by Trump.

when the government can’t seem to keep their shit locked down,

This story is specifically about abuse of non-government e-mail, not about containment of government owned fecal matter. For more information on that topic, you may review any of the recent stories about Congress.

seems she’s the only one that was secure.

Hillary’s e-mail was only considered secure by Hillary.

That Anonymous Coward (profile) says:

Imagine the unthinkable…

We are at war half way around the globe because someone’s AOL account got hacked, and to cover up all of the secrets they had ex-filtrated they came up with a giant distraction.

Perhaps it is time to find people who have a fucking clue to come in and clean up this giant mess that people too stupid to have power have created. They pay out money to corporations who have the evidence of the stupidity and keep it quiet as long as the contracts keep coming, and they pay a little to keep their idiot buddy in power because they will fuck up again and they will gain more influence.

The terrifying thought hitting you right now, is I could be right.

john may says:

Let me begin by asserting that I am not responsible for this, and I support the USA. The Internet tough guys in this thread, however, gave me a good laugh, and I invite them to pretend it was me, and give me their worst. lol Where are those billions the Obama admin has spent for cyber security gone? Fed hackers and investigators are always simple for me to identify, in 2 minutes maximum. They always have million dollar toys, yet lack the skills to properly utilize them. This is actually a blessing in disguise because their target selection is often incredibly misguided.
