UPDATE: Wikileaks Has Made Its First Release of CIA Director’s Email

The security chief should have used an email provider with two-factor authentication

UPDATE October 21, 2015 at 3:15 PM: Wikileaks has released six documents, allegedly from the email of CIA director John Brennan. It doesn’t show any actual emails yet, but the blog post that came with it says the documents were obtained from his non-government email. Apparently even spies forward work home.

Wikileaks says it has the contents of CIA Chief John Brennan’s email, in a tweet posted today. It doesn’t specify whether the emails are from his personal or professional email addresses.

Motherboard covered an alleged hack of the spy chief’s personal, AOL email yesterday. The group claiming credit goes by “Crackas With Attitude.” The link goes, supposedly, to its Twitter account, though it also appears that Twitter keeps cancelling their accounts (as it did with “Vince,” the Twitter user who claimed responsibility for the Patreon hack).

Representatives from Wikileaks were not immediately available for comment about whether or not the data came from the hacking group or not.

CWA followed the Wikileaks tweet with the following:

In an interview with a member claiming to be part of the hacking group yesterday, Motherboard reported that the team used social engineering to get access to his email. In this case, the hacker claimed the team called Verizon, posing as Verizon staff, and secured Mr. Brennan’s social security number. Then, they went to AOL and requested a password reset, using that social security number.

CIA Director John Brennan. (Photo: Chip Somodevilla/Getty Images)

CIA Director John Brennan used AOL, which doesn’t support two-factor authentication. (Photo: Chip Somodevilla/Getty Images)

The team also gave numerous clues to their identity in the interview (such as being a team of very young people, some of whom know each other from school). These clues are very likely to be designed to confuse investigators, however.

AOL is currently listed as one of the email providers that still does not provide two-factor authentication, on Two Factor Auth. Various news accounts reported that the company was working on it last Fall.

Two-factor authentication is a way to make an account much more secure by, for example, only permitting access after the correct password has been entered and a one-time use code has been texted (as an example) to the user’s mobile.

It’s rather surprising that the nation’s chief intelligence officer isn’t serious about security.