18 Jan 2017

Trump ‘cyber tsar’ Giuliani among swathes of hacked top appointees

Passwords used by Donald Trump’s incoming cyber security advisor Rudy Giuliani and 13 other top staff members have been leaked in mass hacks, a Channel 4 News investigation can reveal.

By Mike Deri Smith

Passwords are publicly available for key members of Trump’s cabinet, White House policy directors and aides and some of his most senior advisors, this programme has discovered.

Digital security issues – including allegations of Russian hacking to try to influence the outcome of the US presidential elections – have dominated the headlines as Trump’s team prepares to take command of the world’s most powerful country.

NEW YORK, NY - JANUARY 12: Former New York City Mayor Rudy Giuliani speaks to reporters at Trump Tower, January 12, 2017 in New York City. President-elect Trump continues to hold meetings at Trump Tower. (Photo by Drew Angerer/Getty Images)

The appointment of Giuliani, the former mayor of New York City, has been criticised by people in the cyber security community, who have highlighted exploitable security flaws on his own website.

But Giuliani says he has given “over 300 speeches” on digital security, and told Fox News earlier this month: “American corporations and the American government is not paying attention to ubiquitous hacking that is now going on.”

Lt Gen Michael Flynn has also been hacked in the past – and Channel 4 News has seen a number of passwords used by the former military intelligence officer.

He will become President Trump’s national security advisor from Friday, a crucial role stationed inside the White House itself and reporting directly to Trump.

Lt. Gen. Michael Flynn arrives for a meeting with US President-elect Donald Trump at Trump Tower December 12, 2016 in New York. (Photo by Timothy A. Clary/AFP/Getty Images)

Staff whose accounts also appear to be affected by the hacks in recent years include people who will from Friday at 12pm take roles as:

  • the Secretary for the Interior
  • the Secretary for Labour
  • the Press Secretary
  • the Director of the Domestic Policy Council
  • the Director of the National Trade Council
  • Head of Social Media
  • Chief Trade Negotiator
  • Director of Oval Office operations
  • and many others

Trump’s team have not commented on this story.

Mass breaches

The passwords of the appointees were hacked in mass breaches of websites like LinkedIn, MySpace, and others between 2012 and 2016.

Personal data and encrypted passwords for services, such as email addresses for Dropbox, were also leaked.

The passwords are accessible from original leaks of the data, but even more easily accessible from a website charging a fee of just $4 (£3.20).

With some staffers using the same simple passwords for multiple sensitive websites, experts say the hacks may have left them vulnerable to further hacks – perhaps by foreign powers.

There is no way to check how widely the hacked passwords have been reused by the incoming government officials without actually logging in and testing them – which is illegal under British law.

Hacks of celebrities – for instance of Twitter accounts or explicit photos – were sometimes carried out by hackers using precisely this method of reusing passwords that have already been leaked.

Cyber security analyst Troy Hunt, who runs the online service HaveIBeenPwned.com to notify users of data breaches, told Channel 4 News that the leaks could be problematic.

Hunt said: “How many passwords have we got that have been reused in different places and are the same as they were five years ago – even a decade ago. We’ve got a long tail of info that we’ve left on the web now.

“The problem here is that a little bit like all of us, we have this propensity to reuse our passwords.

“And let’s say someone from Trump’s team has data leaked and it appears on a totally unrelated forum somewhere and someone takes those credentials and accesses the individual’s Gmail.

“If this is an individual in a position of power or influence they may well have discussions in their personal mail that could be compromising.

“And if they don’t then the attacker who gains access to that Gmail may then use that account to begin conversation with other people in the contact list, impersonate them, elicit information from other individuals.

“It then just opens up a door to a raft of much bigger problems.”

The revelations come after Trump boasted in a press conference of how the Republicans had better cyber security than the Democrats, saying: “They did a very poor job. They could’ve had hacking defense, which we had.”

Unlike Hillary Clinton’s campaign team, the Trump team officials were not targeted specifically but rather had their details leaked along with many others – but the hack would have made it easier for intruders to take control of their accounts.

The release of hacked emails belonging to Hillary Clinton’s campaign manager occurred just weeks before the US election.

Some pundits say it helped Donald Trump win the race.