Lots of headlines and news accounts are reporting that the people that hacked the AOL email account of CIA Director John Brennan are high-schoolers or teens, but the Observer could find little reporting on any effort to verify their ages.
Here’s some of the story’s headlines across different outlets:
- “Teen says he hacked CIA director’s AOL account”—New York Post, originally published as “Stoner high school student says he hacked the CIA.”
- “Teens Allegedly Hack CIA Director’s AOL Email, Release Employees’ Personal Data”—Motherboard.
- “Teen Who Hacked CIA Director’s Email Tells How He Did It”—Wired.
- “These are the 7 easy steps a teen used to hack the director of the CIA”—Business Insider.
How do we know the hackers are really that young, other than their word? If a hacker volunteers any facts about his or her identity after a high stakes exploit, the facts should be met with skepticism, because they are likely volunteering falsehoods, with intent.
Hackers are sensitive about doxing, that is, revealing the identity of people online. Hackers know that revealing any clues about an identity at all can be vastly more helpful in unmasking a person than instinct might lead one to think it could be.
For example, the Observer previously reported that almost any three pieces of information about one person can be used to identify him or her. Fredrick Brennan, the founder of 8chan, told Ars Technica that he was doxed with only two pieces of information: his first name and the fact that he sometimes did work on Amazon’s Mechanical Turk. It’s a safe bet that anyone who knows how to run a hack of any sophistication is aware of how little it takes to identify a person.
Naked Security wrote that the hackers various claims could be a “mile-high baloney sandwich,” and Ars Technica, which completed an encrypted text chat with people claiming to be the hackers, wrote that it could not independently verify their assertions about either their identity or the hack itself. The AP distanced itself from the age claim, by reporting it as coming from the Post. Lots of other news outlets, however, are repeating the hackers’ self-reported vintage as a verified or at least believable fact, without adding any skepticism about the point.
The New York Post, Wired and Motherboard all report that they were able to speak to the hackers via telephone, but they don’t report any questions they asked to help verify that they are as young as they say. None of the accounts report on whether or not the people they spoke to sounded like young people, either.
This tweet, for example, from an account alleging to belong to one of the hackers, almost seems to mock anyone who believes the group’s statements about their ages:
Widespread reporting that the hackers are American teens may fit into the hackers’ objectives, either to misdirect law enforcement or to score a public relations win against American intelligence services. When and if the hackers are caught, should they turn out to be well past high school age, that fact is likely to register with far fewer people than the thousands who read an uncorroborated fact repeated in headlines and news accounts as the story develops.
It would be surprising if the hackers behind this breach actually turned out to be high schoolers. Either way, any reports on the individuals should add “claiming to be” in front of facts any of them assert about their identity, at least until those claims can be verified against their actual identity.