John Podesta, the veteran Democratic political operative who has served two different presidents and is chairman of Hillary Clinton’s political campaign, has had a lousy week.
Not only has the anti-secrecy website WikiLeaks been publishing emails stolen from Podesta’s account earlier this year, but hackers broke into his Twitter account and apparently wiped all the data from his iPhone and iPad.
The breaches brought the Clinton campaign an object lesson in how exposed modern devices and accounts become when basic computer security practices are not followed.
Matt Tait, chief executive of Capital Alpha Security, a security consultancy based in the United Kingdom, said activists from Anonymous, a loose global network of computer hackers with an anti-authoritarian bent, had bragged of targeting Podesta and wiping his devices remotely.
What allowed the hackers to target Podesta was a single email from the thousands WikiLeaks has published in the past week. In that May 16, 2015, correspondence between Podesta and Eryn Sepp, his former special assistant at the White House, Podesta asked whether Sepp knew his Apple ID, the credentials that control his Apple account and, through it, the devices linked to it.
“I do,” she responded, listing his Gmail address and his password: Runner4567.
Within minutes of the posting of that batch of WikiLeaks emails Wednesday, Anonymous activists began exchanging queries. At 5:36 p.m. Germany time, one activist posted: “CAN we DO SOMetHING WITH AN APPLE ID?”
Moments later, another Anonymous hacker with the moniker 4Chan “had found Podesta’s Apple creds and logged in for first time,” Tait tweeted.
Less than two hours later, a hacker with the collective wrote: “GUYS I FUCKING REQUESTED PASSWORD RESET FROM TWITTER FOR JOHN PODESTA.”
Another hacker posted below that, “IF ANYONE IS ACCESSING HIS EMAILS, YOU WILL BE ABLE TO SHITPOST ON HIS TWITTER.”
Later Wednesday evening, as Clinton landed in Las Vegas for a campaign event, a hacker got into Podesta’s Twitter account and tweeted in his name: “I’ve switched teams. Vote Trump 2016. Hi pol.”
Within a short period of time the tweet was deleted. Clinton’s traveling press secretary, Nick Merrill, confirmed the hack, “which would explain that message. And we are working on fixing it.”
Technologists quickly speculated that Podesta used the same password for his Apple account and his Twitter account, a practice security experts warn against.
“Dollars to donuts, his Twitter account password was Runner4567, like his Gmail account,” tweeted Chris Soghoian, a senior policy analyst on technology for the American Civil Liberties Union.
By Thursday morning, Tait was harvesting screen shots from Anonymous activists showing that they had remotely erased all content from Podesta’s iPhone and iPad.
“V cruel,” Tait tweeted.
Neither Podesta nor a spokesman for the Clinton campaign, Josh Schwerin, responded to emails asking for confirmation of the data loss.
Podesta, 67, is no innocent when it comes to security matters. A Georgetown University-educated lawyer, he served as the chief of staff to President Bill Clinton in the 1990s and as counselor to President Barack Obama in 2014 and 2015.
Through its Find My iPhone feature, Apple allows whoever controls an account to remotely wipe any of the devices linked to it, a safeguard meant for phones that are stolen or fall into the wrong hands. The feature cannot tell the owner from someone who has merely obtained the owner’s Apple ID and password.
The Clinton campaign has protested the hack of some 20,000 internal emails from the Democratic National Committee as the handiwork of Russian government-backed hackers, an accusation that U.S. intelligence agencies supported last Friday. Those emails, along with Podesta’s personal emails, found their way into the hands of WikiLeaks.
But Podesta’s travails Thursday did not come at the hands of sophisticated Russian state hackers. Rather, Podesta himself was apparently lax on basic computer security measures.
Like many computer users, he apparently did not use even minimal measures to thwart hackers, such as a distinct password for each account or two-step authentication, an extra layer of security in which the user must also enter a one-time code, delivered by mobile phone text message or other means, before a login succeeds. A leaked password alone is then not enough to get in.
Security experts say reusing passwords facilitates the work of hackers.
“Every time you reuse that password somewhere else, its value drops 50 percent,” said Joe Siegrist, vice president of LastPass, a password management product of Logmein.com, a Boston-headquartered software and cloud management company.
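The two-step authentication described above, and the reason a reused password on its own was enough in Podesta’s case, can be seen in a small login check. This is an added example in Python, not code from the article or from any of the companies it names: the password is the one the article quotes, the salt is a constant made up for the example, the TOTP secret is the RFC 6238 test vector secret, and the timestamp is fixed so the run is reproducible.

```python
import hashlib
import hmac
import struct


# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
# "dynamic truncation" down to a short decimal code.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# RFC 6238 TOTP: HOTP whose counter is derived from the clock in 30-second steps,
# which is what the "additional code" on a phone or text message is.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the server stores a hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_login(account: dict, password: str, code, unix_time: int, window: int = 1) -> bool:
    """True only if the password and, when the account is enrolled, a current TOTP code check out."""
    candidate = hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["password_hash"]):
        return False
    secret = account.get("totp_secret")
    if secret is None:          # no second factor: the password alone is enough
        return True
    if code is None:            # enrolled, but no code supplied
        return False
    # Accept the codes of adjacent 30-second steps to tolerate small clock drift.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


# Constructed sample accounts (hypothetical; not real account data).
SALT = b"example-salt-not-random"           # constant only for reproducibility
LEAKED_PASSWORD = "Runner4567"               # the password quoted in the article
TOTP_SECRET = b"12345678901234567890"        # RFC 6238 SHA-1 test secret, assumed here

ACCOUNT_NO_2FA = {"salt": SALT, "password_hash": hash_password(LEAKED_PASSWORD, SALT)}
ACCOUNT_WITH_2FA = {**ACCOUNT_NO_2FA, "totp_secret": TOTP_SECRET}


def attacker_with_password_only(account: dict, unix_time: int) -> bool:
    # What the activists had: the password from the leaked email and no enrolled device.
    return verify_login(account, LEAKED_PASSWORD, None, unix_time)


def owner_with_phone(account: dict, unix_time: int) -> bool:
    # The legitimate user reads the current code off an enrolled device.
    return verify_login(account, LEAKED_PASSWORD, totp(TOTP_SECRET, unix_time), unix_time)


if __name__ == "__main__":
    now = 1476300000  # fixed timestamp so the output does not depend on the clock
    print("no 2FA, leaked password only:  ", attacker_with_password_only(ACCOUNT_NO_2FA, now))
    print("2FA, leaked password only:     ", attacker_with_password_only(ACCOUNT_WITH_2FA, now))
    print("2FA, password plus phone code: ", owner_with_phone(ACCOUNT_WITH_2FA, now))
```

With the same leaked password, the account without a second factor opens and the enrolled one does not; only the holder of the enrolled device, who can produce the current code, gets in. The `hotp` and `totp` functions reproduce the published RFC 4226 and RFC 6238 test vectors, so the check can be verified against a standard authenticator app configured with the same secret.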