An obvious phishing scam and a hasty email allowed hackers into campaign chair John Podesta’s inbox.
One of the worst and most public email hacks in political history began with a typo, a report in The New York Times revealed on Tuesday.
An aide to Hillary Clinton’s campaign chair, John Podesta, saw a warning email in his inbox back in March, claiming to be from Google. Podesta needed to change his Gmail password immediately, the email said.
Most adult internet users know by now never to click a link in emails like this ― phishing is fairly common. Even unsophisticated tech types are hip to the scam. So, before responding, Podesta’s aide showed the email to another staffer, a computer technician.
And, well, what happens next should be a lesson to anyone who types and sends emails and texts without reading them first. (That’s everybody who emails and texts.)
From the Times (bolding is HuffPost’s):
“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. “John needs to change his password immediately.”
With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
The email hack was a huge distraction at the end of the presidential campaign, serving as fodder for Republican attacks and diverting the attention of key players on Clinton’s team. The Podesta email hack was separate from an equally damaging attack on the Democratic National Committee.
Any journalist who’s ever accidentally published a story on pubic policy (sorry) knows that typos can be cruel. But this was beyond that, obviously. “Most consequential typo in human history?” Sahil Kapur asked on Twitter.
— Sahil Kapur (@sahilkapur) December 13, 2016
Others wondered if this was just someone crying typo instead of owning what is likely the biggest mistake of a career.
If he had meant to type “an illegitimate” email, why did he get the article wrong and write “a legitimate” email, one Twitter conspiracy theorist wondered. Others argued it’s odd that Delavan would advise Podesta to change his password, since the phishing email was obviously bogus.
Still, the advice seems reasonable. If you’re the chair of a U.S. presidential campaign and discover you’re the target of hackers, it seems perfectly rational to immediately change your password. The attackers, after all, could be pursuing multiple ways into your account.
“John needs to change his password” is not what you say when you’re flagging a change-your-password phishing message. pic.twitter.com/ZJbBsemW3T
— Tom Scocca (@tomscocca) December 13, 2016
And the “illegitimate email” line could have been confused by the Times’ phrasing. Delavan could’ve meant to write this is a “legitimate attack.”
Also, he included the correct Gmail address to change a password. If Podesta or his aide had used that, no harm, no foul.