Well, that kind of happened. As reported by WIRED, CIA Director John Brennan had his email broken into by the hacker in question. By posing as a Verizon worker, the hacker was able to gain access to Brennan’s AOL email account. The hacker used a targeted spear phishing tactic, where he posed as a worker to trick real Verizon employees into handing over sensitive information about Brennan’s account. Surprisingly, all they needed were the last four digits of Brennan’s bank card.
Then, to add insult to injury, the hacker and his associates changed the password on Brennan’s account, locking him out of it and gaining access to his inbox. Since this was his personal email account, you’d think things wouldn’t be any different from a normal hack; well, the problem here is that Brennan’s inbox contained secret government documents from Brennan’s work email address, which he forwarded to his personal inbox. You don’t need us to tell you that this was a bad move on Brennan’s part. According to WIRED:
After providing the Verizon employee with a fabricated employee Vcode—a unique code that he says Verizon assigns employees—they got the information they were seeking. This included Brennan’s account number, his four-digit PIN, the backup mobile number on the account, Brennan’s AOL email address and the last four digits on his bank card.
“[A]fter getting that info, we called AOL and said we were locked out of our AOL account,” he said. “They asked security questions like the last 4 on [the bank] card and we got that from Verizon so we told them that and they reset the password.” AOL also asked for the name and phone number associated with the account, all of which the hackers had obtained from Verizon.
The most unnerving part of this entire situation is the fact that Brennan wasn’t necessarily at fault for the hack itself. The only thing he did wrong was send sensitive information from his work email to his private email address. The real issue at hand should be the fact that these hackers easily wound up accessing an important government worker’s email address. Simple security questions aren’t going to be enough to stop hackers from accessing your accounts. If they really want to, they can get whatever information they need.
Therefore, taking advantage of several security layers is the best way to protect your accounts. Part of this is practicing a quality password security protocol. You should be using secure passwords with several different types of characters, including upper and lower case letters, numbers, and symbols. Strong passwords help keep hackers from cracking your login credentials.
Another best practice is to integrate two-factor authentication into your account logins. This type of solution requires a secondary credential in addition to your normal username and password, making it much more difficult for hackers to attack your accounts. These credentials are usually sent to your smartphone in the form of a SMS message, an automated voice message, or even to your secondary email account. In other words, hackers need physical access to your device in order to obtain this credential.
You don’t want to be stuck in an embarrassing (or potentially incriminating) situation like the one the CIA Director is in now. Give Aspire a call at (469) 7-ASPIRE and ask us about how we can improve your business’s network security.