US politicians’ sensitive data discovered online
From the same folks who brought you ‘Signalgate’
Phone numbers, emails and passwords belonging to top US officials have been found online by reporters for German newspaper Der Spiegel.
Information belonging to national security advisor Mike Waltz, director of national intelligence Tulsi Gabbard and secretary of defence Pete Hegseth was discovered in publicly available online data sources using basic search techniques.
These same officials were among those implicated in ‘Signalgate’ this week, leaking a conversation concerning a military strike on Yemen to Atlantic editor Jeffrey Goldberg by inadvertently including him in a Signal conversation.
Some of the contact information was discovered in commercial databases and password leak sites. Hegseth’s mobile number and email address were provided by a third-party marketing and recruitment consultancy after a search of online details associated with his LinkedIn profile. This led the reporters to a WhatsApp account, recently deleted, which included a photo of Hegseth.
The same consultancy also found Waltz’s email and phone number, and his email appeared in several leaked databases, along with some passwords, according to Der Spiegel. “The information also led to Waltz’s profiles for Microsoft Teams, LinkedIn, WhatsApp and Signal.”
Meanwhile Gabbard’s email address was discovered on Reddit and Wikileaks and “is available in more than 10 leaks.”
According to Der Spiegel, most of the phone numbers and email addresses discovered are current, actively used, and associated with Dropbox accounts, social media and WhatsApp profiles.
This latest revelation adds to a picture of a US administration that ignores basic cybersecurity and communications rules. Numerous experts have pointed out that Signal is not an appropriate tool for confidential - and likely classified - government communications. Indeed, according to the Pentagon’s own rules, messaging apps "are not authorised to access, transmit, process non-public DoD information". There are also questions about conversations on such apps being unavailable for the public record. Predictably, Trump has described the whole matter as “a hoax.”
The ready availability of officials’ contact information poses numerous risks, from use in phishing attacks and social engineering, to allowing attackers access to networks and services, to enabling the installation of malware and spyware to monitor the politicians’ communications.
If journalists can find this information with ease, it’s hard to imagine that the US’s nation-state adversaries would not already be in possession of it, and presumably much more besides.