Pity poor John Brennan, director of the United States Central Intelligence Agency (CIA).
A hacker, who describes himself as an American high school student, has breached the CIA boss’s AOL email account – and found a host of sensitive government files that one assumes a government official shouldn’t be sending to his personal email address.
I’m not sure what’s more embarrassing. Being hacked or having an AOL email account.
The hacker, whose Twitter account @phphax is still active at the time of writing, has posted what is purported to be the CIA director’s contacts list, as well as call logs of Deputy National Security Advisor Avril Haines, amongst other information.
Access to the AOL account was disabled on Friday, but only after a certain amount of toing and froing between the hacker and the CIA, as they attempted to wrest control of the account from each other.
A CIA spokesperson has told the media that they are aware of the reported security breach:
“We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”
Questions clearly need to be asked, similar to the current Hillary Clinton controversy, as to why a personal email address was being used for sensitive communications.
Meanwhile, AOL should probably take a long hard look at itself and ask whether it is doing enough to secure its members’ accounts.
For a long time now, net users have wondered out loud when AOL will offer even simple security measures such as two-factor authentication, which just about every other major webmail service provides today.
Maybe this is evidence of evolution in process. If you’re canny enough to be looking for an email account secured by 2FA, then you’re probably also not going to still be using the email account you set up in 1994 when AOL sent you a CD through the mail.
I don’t know if two-factor authentication would have helped in this case, or whether Verizon staff would have been socially engineered into letting a high school kid break into the CIA director’s email account regardless… but it certainly wouldn’t have hurt.