In a story first reported by the New York Post, the personal AOL email account of CIA Director John Brennan appears to have been hacked. The hacker contacted The Post, describing himself as a high school student and detailing how he carried out the attack.
Apparently, Brennan’s private account contained sensitive files, one of which was his 47-page application to obtain top-secret security clearance. Other emails found in Brennan’s personal AOL account contained attachments and spreadsheets with sensitive personal information and Social Security numbers for several top U.S. intelligence officials. One letter that was recovered referenced the use of harsh interrogation techniques.
This comes months after news broke about Hillary Clinton using a private email server and email account to conduct government-related work.
The hacker says he started by running a reverse lookup on Brennan’s mobile phone number, which told him Brennan was a Verizon customer. He then called Verizon posing as a Verizon employee to fish for details on Brennan’s account, claiming that his tools were down and he could not reach the customer database himself.
All that remained was to supply a made-up employee code, and the information was his for the taking. Verizon gave up Brennan’s account number, his four-digit account PIN, the backup phone number on the account, the AOL email address, and the last four digits of his payment card.
The hacker then turned to AOL, calling to say he was locked out of his account and needed a password reset. He answered the verification questions with the last four digits of the payment card, confirmed the account with Brennan’s name and phone number, and the password was reset. At no point did he need Brennan’s password or access to any of Brennan’s devices; every answer AOL asked for had already been disclosed by a different company.
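To make the lesson in the recovery steps above concrete, here is an added example, not from the original post and not AOL’s or Verizon’s real logic, that models a password-reset flow as a set of required verification factors and asks which third parties an attacker would have to pretext to satisfy all of them. The factor-to-holder table is a constructed assumption for the example; the "carrier" entries mirror what the article says Verizon disclosed, and the policy names are invented for comparison.

```python
from itertools import combinations

# Which third parties hold each recovery factor.  This classification is a
# constructed assumption for the example; the "carrier" entries mirror what the
# article says the hacker obtained from Verizon.  An empty set means only the
# account holder (or a device in their possession) can produce the factor.
FACTOR_HOLDERS = {
    "name":         {"carrier", "bank", "public_records"},
    "phone":        {"carrier", "public_records"},
    "backup_phone": {"carrier"},
    "card_last4":   {"carrier", "bank", "merchant"},
    "carrier_pin":  {"carrier"},
    "sms_code":     {"carrier"},   # deliverable to whoever controls the line
    "totp_code":    set(),         # generated on the user's own device
    "security_key": set(),         # a FIDO2 assertion needs the physical key
}

ALL_PARTIES = frozenset().union(*FACTOR_HOLDERS.values())


def defeated_by(required, compromised):
    """True if every factor the reset flow asks for is held by some party in
    `compromised`, i.e. an attacker who can pretext those parties passes."""
    return all(FACTOR_HOLDERS[f] & compromised for f in required)


def minimal_defeating_sets(required):
    """Smallest sets of third parties whose compromise satisfies the whole
    reset flow.  Returns [] when some required factor is held by nobody but
    the account holder, so no amount of pretexting third parties suffices."""
    for size in range(1, len(ALL_PARTIES) + 1):
        hits = [set(combo)
                for combo in combinations(sorted(ALL_PARTIES), size)
                if defeated_by(required, set(combo))]
        if hits:
            return hits
    return []


# Three reset policies to compare (constructed, not AOL's actual flow).
POLICIES = {
    "knowledge-only (name, phone, card last 4)": {"name", "phone", "card_last4"},
    "knowledge + SMS code":                     {"name", "phone", "sms_code"},
    "knowledge + authenticator app":            {"name", "phone", "totp_code"},
}


def audit(policies=POLICIES):
    """Map each policy name to the minimal third-party sets that defeat it."""
    return {name: minimal_defeating_sets(req) for name, req in policies.items()}


if __name__ == "__main__":
    for name, weak_sets in audit().items():
        verdict = (", ".join(sorted(" + ".join(sorted(s)) for s in weak_sets))
                   or "no third party suffices")
        print(f"{name}: {verdict}")
```

Running it shows that the knowledge-only flow and the SMS-based flow both fall to a single successful pretext of the carrier (the backup number Verizon handed over is exactly what an SMS code would be sent to), while a flow that requires an authenticator code cannot be completed from third-party data at all. The point the model makes is that a verification factor another organisation can be talked into disclosing is not a secret, and a reset policy is only as strong as the least careful party that holds its answers.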
The hacker posted screenshots of some of the email contents on his Twitter account, @phphax. Brennan deleted the AOL account after being notified of the breach, though the hacker reports a back-and-forth struggle for control of the account before it was closed.
This is a classic social engineering attack, and it shows that no one, however senior, is immune to having an account taken over. Nothing here was broken: the carrier’s help desk trusted a caller who claimed to be an employee, and the email provider’s password reset accepted answers that the carrier had just given away. An account is only as secure as the weakest company that can vouch for you, so always be careful what is stored in and sent through email, and consider whether a personal email account is the proper channel for sensitive or work-related information at all.
For more information about data breaches, ePlace Solutions is hosting a free webinar on the lessons learned from data breaches over the past 10 years on Wednesday, December 9th, at 10:30 AM PT / 1:30 PM ET. Register and share with others in your organization!
- Event ID: 2015
- Event Password: 9870