A US teen is claiming he managed to hack the email account of CIA director John Brennan and make off with sensitive government files.
The unnamed High School student, who is said to be behind the Twitter account @phphax, told the New York Post that he socially engineered call center workers at AOL parent company Verizon into resetting Brennan’s password.
That gave him access not only to the CIA man’s emails but over 40 secret attached documents, including a letter from Congress complaining about the agency’s interrogation torture methods, Brennan’s application for security clearance and the records of some agency staffers.
Some of these were posted to Twitter and other sites.
The teen even claims to have prank called Brennan, once reciting his Social Security number to him. And he told the paper that he managed to hack the Comcast account of Homeland Security chief Jeh Johnson and listened to his voicemails.
He is said to have been motivated by an opposition to US foreign policy, especially in Palestine.
If true, the revelations will be a huge embarrassment to the Obama administration, coming as they do months after former Secretary of State Hillary Clinton was found to have been using her private email account for official government business.
The repercussions of that are still being felt and may even harm Clinton’s chances of reaching the White House.
“[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic,” one source told the Post.
The CIA, meanwhile, released the following statement:
“We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”
The person behind @phphax still appears to be tweeting as of the time of writing, but it can’t be long before he’s tracked down and held by the authorities.
Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, argued that the case was a perfect example of why personal and professional email systems should be kept completely separate.
“While we don't know what the exact attack was here, social engineering it is a common means to target webmail accounts,” he explained.
“To remain as safe as possible, users should use two-factor authentication where they can and select security questions that can't be answered based on easy-to-find information.”