When you hear that the director of the CIA's email has been broken into, it may conjure visions of international cybercrime syndicates using sophisticated techniques to access state secrets. But in the case of John Brennan's breached AOL account, the real story looks more like a bunch of teenagers pretending to be grownups calling a customer service hotline -- or so the hackers say.
The person claiming to be responsible for this week's hack of the email accounts of CIA Director Brennan and Homeland Security Secretary Jeh Johnson says he's just a teenager and revealed in an interview with Wired the amazingly simple steps he took to pull off his scheme. If what he described is to be believed, the attack was not a demonstration of technological prowess, but a shrewd trick played on an AOL customer service rep.
With the help of a few other people, the hacker told Wired, he used a reverse phone number lookup to determine that Brennan has a Verizon Wireless account. He called the company, posing as a technician whose "tools were down" to get details on the mobile phone account, including Brennan's AOL email address.
Then, he called AOL and told the representative he was locked out of his account. Using details gleaned from Verizon, he got AOL to reset the password. This allowed the group to access Brennan's email on October 12, where they uncovered, among another things, a spreadsheet of people, including senior intelligence officials, along with their Social Security numbers that is believed to date back to at least 2009.
Nothing here requires major computer hacking skills. (Which is not to say it wasn't extremely clever.) The technical term for what the purported attacker pulled off is "social engineering," which essentially boils down to exploiting human weaknesses, not weaknesses in network security. Any motivated actor can conceivably do it. With all the information we share daily on social media, and all the information we may not realize we're sharing -- such as phone numbers and the geotags on Instagram photos -- it's relatively easy to mine useful information about people and put this information to work to gather more.
Could anyone be a victim? Absolutely. But of course, not everyone is as obvious a target as the head of the CIA. If there's one lesson to be learned here, it's to be extra careful with the information you expose online and thoughtful about the passwords and security questions you use to protect your accounts. (If there's a second lesson, it might be that people in power really, really shouldn't keep sensitive documents in their personal email accounts, but that's a whole 'nother story all together.)