Last Thursday, it was first reported that the Gmail account of John Podesta (Hillary Clinton’s campaign chairman) was hacked in March through a “phishing” email, or the type of scam that tries to trick you into giving your login credentials to hackers. The hackers who got into Podesta’s emails then archived the account and sent it to Wikileaks. On Friday, the latest daily batch of emails from Wikileaks included a chain starting with the phishing email, in which Clinton’s tech support help desk actually told Podesta that it was a genuine Gmail communication.
It all started when Sara Latham, Podesta’s chief of staff, forwarded the phishing email to Charles Delavan, an IT staffer from the campaign’s help desk. Superficially, the email looked real:
However, hovering the cursor over the “CHANGE PASSWORD” button would have revealed that the target was a link using the bit.ly link shortening service, something Google wouldn’t use. Someone operating a phishing scheme, however, would use one to hide the non-Google URL. Delavan didn’t scrutinize it to that degree, however, and sent this reply to Latham:
This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on his account.
He can go to this link: https://myaccount.google.com/security to do both. It is absolutely imperative that this is done ASAP.
If you or he has any questions, please reach out to me at [number removed]
In fairness to Delavan, he doesn’t tell Podesta to click the link in the phishing email. Instead, he instructs the chairman to go directly to Google’s official page for password resets and turn on extra security measures as well. Two factor authentication makes it so that anyone trying to log into your account from a new device needs a code that is sent to your phone via text message. However, he never actually told Podesta NOT to click the link in the original email. That was his biggest mistake.
Delavan’s vote of confidence led to Latham forwarding the whole chain to Podesta and Milia Fisher (Clinton’s “special assistant”) with this message at the top:
The gmail one is REAL
Milia, can you change – does JDP have the 2 step verification or do we need to do with him on the phone? Don’t want to lock him out of his in box!
Sent from my iPhone
It’s implied here that Fisher would be the one who actually ended up clicking the phishing link, since she is who Latham asked to change to password, but we can’t know that for sure. Again, note that with Delavan not making it more clear that whoever changes the password go to https://myaccount.google.com/security, the real password reset page, it makes sense that someone would click on the original phishing link.
It may make even more sense if it was Fisher. She was only added to the chain in Latham’s last email, so she could have just read Latham’s final message, which reads like it’s just confirming Delavan’s contributions.