CIA boss has his personal email account hacked… and yes, it’s on AOL

John BrennanPity poor John Brennan, director of the United States Central Intelligence Agency (CIA).

A hacker, who describes himself as an American high school student, has breached the CIA boss’s AOL email account – and found a host of sensitive government files that one assumes a government official shouldn’t be sending to his personal email address.

I’m not sure what’s more embarrassing. Being hacked or having an AOL email account.

The hacker, whose Twitter account @phphax is still active at the time of writing, has posted what is purported to be the CIA director’s contacts list, as well as call logs of Deputy National Security Advisor Avril Haines, amongst other information.

Sign up to our free newsletter.
Security news, advice, and tips.

Access to the AOL account was disabled on Friday…

Aol cancelled account

…but only after a certain amount of toing and froing between the hacker and the CIA, as they attempted to wrestle control of the account from each other.

Tweet by hacker

A CIA spokesperson has told the media that they are aware of the reported security breach:

“We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”

Questions clearly need to be asked, similar to the current Hillary Clinton controversy, as to why a personal email address was being used for sensitive communications.

Meanwhile, AOL should probably take a long hard look at itself and ask whether it is doing enough to secure its members’ accounts.

For a long time now, net users have wondered out loud when AOL will offer even simple security measures such as two-factor authentication, which just about every other major webmail service provides today.

Maybe this is evidence of evolution in process. If you’re canny enough to be looking for an email account secured by 2FA, then you’re probably also not going to still be using the email account you set up in 1994 when AOL sent you a CD through the mail.

I don’t know if two-factor authentication would have helped in this case, or whether Verizon staff would have been socially-engineered into letting a high school kid break into the CIA director’s email account regardless… but it certainly wouldn’t have hurt.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

11 comments on “CIA boss has his personal email account hacked… and yes, it’s on AOL”

  1. Techno

    "why a personal email address was being used for sensitive communications."

    It does make sense from their point of view because of the principle of "hiding in plain sight". A dedicated secure system would be more obvious and attract more attacks, whereas using personal email uses "security through obscurity", although these stories show the weakness in this practice.

    The question is, was this hacker tipped off and so knew exactly where to concentrate his efforts straightaway, or did he try lots of accounts in the name of John Brennan, or – even worse – simply stumble across it by accident when accessing lots of email accounts.

    1. Andy · in reply to Techno

      It's also a clear violation of dozens of U.S. laws. It would seem they are doing this to try and stay out of the reach of open records laws and agency inspector generals. Until someone, hopefully Hillary, goes to jail for doing this – it's going to just keep magically being an accident that no one can explain.

      1. coyote · in reply to Andy

        Remember that those seeking power are corrupt, and those that are in power because they sought it, become more corrupt. Any claim to the contrary is being naive and/or gullible. This isn't specific to the US.

        Or: I'm sorry to break it to you, but US government officials have a long history (the word is relevant) of breaking laws, and in fact, there is this concept known as 'diplomatic immunity' (granted congressmen aren't the same but that's not my point; for instance, the laws that congressmen are able to break with impunity). This goes no matter what party is in power and the same goes for law breaking. Laws have loopholes for a reason. And unless I'm sorely mistaken, laws aren't written to penalise a certain party (race, gender, other things, is another matter entirely). At least not in 'the west'. Of course, bias is always there which makes it possible.

        Furthermore, it isn't a matter of no one being able to explain it. Just ask yourself who creates the laws[1] and who enforces the laws (or relevant laws) and you have the answer to the problem (my understanding is it is illegal to deliberately seek out something someone might have done illegally but I know that US politicians are far too moral and ethical to have done something like that…). That's the beauty of corruption, see? If the law isn't what you want, change for your own gain.

        [1] It is my understanding that the US constitution is what gives congressmen so much immunity to things no one else gets away with, for example. I can't imagine it any other way but I would watch paint dry long before I would read the US constitution (and/or other rubbish).

    2. David L · in reply to Techno

      He probably found it in a list on the dark web. There have been so many hacks of all kinds, and this idiot probably used it to register at Target or Homedepot. The arrogance and stupidity of this administration and it's appointees is the gift that just, keeps on giving!

      1. coyote · in reply to David L

        "of this administration"

        Not that there isn't any brilliance in the US (there is, the predecessor to the Internet was created (that is, the predecessor to it) during the tensions of the Cold War, by the US ARPA – what is now DARPA, the defence[1] advance research project agency) but 'this administration' isn't the problem. The problem is US government in general (actually, to be fair, all governments in general – it's just the US is particularly proud of demonstrating their ineptness to the world). And besides that, it isn't like the White House (I presume that is what you mean by 'administration') is responsible for all positions, all actions and everything in general. Using a select few as a reason that X has happened in such a large country with a horribly convoluted government, is a fallacy (the US is not a dictatorship – though it isn't a true democracy, either). Regardless, the entire US government is broken and always has been (many will refute this but they're neglecting certain things – things that I won't bother getting into because it is another topic entirely).

        [1] Technically, it would be 'defense' as that is the American spelling, but America shouldn't have changed spelling in the first place (any more than any other country should change something just so it is 'their way').

      2. coyote · in reply to David L

        Also, David, there is something else to consider. US government networks being compromised goes back decades. The same goes for corporations. This is nothing new – what you see now is just one of many others from years gone. Back in the day when there were mass-defacing[1] of websites (maybe they still happen, I don't know), government computers were often hit – by kids. Kids from all over the world. Many just used canned scripts and they could barely write anything coherent because they didn't really have anything to say other than "I'm doing this to showing off my l33t skillz". It was horrible. I wouldn't be surprised if this still happens, though I would like to believe otherwise. That's after the web was created, so post early 90s. But it goes back further.

        [1] The mass- implies that they would compromise one host (the provider of their original target – when they had one; otherwise those that they happened to find that are vulnerable) and then because it was shared hosting they would deface all the websites hosted. It isn't like they exploited each website individually.

  2. Graham Anderson

    To be fair to AOL, it used to offer 2FA via SecurID – I think before even Gmail offered SMS based 2FA (2004-2009 versus 2010). But they withdrew it – most likely due to poor take up and member service hassles with those who did.

    AOL pushed hard on SPF, and scores fine on CheckTLS.com and webmail is secure (finally).

    1. coyote · in reply to Graham Anderson

      Maybe, but SPF is 100% irrelevant to passwords. Whether TLS is or is not (for this case) depends on how it was breached.

      As for why they cancelled it – who knows, but maybe it would be because of having to obtain the card ? I don't buy the theory that those who took advantage of it found it a hassle, because they would know what they're getting into (and if not then they must have been rather confused on what SecurID is).

  3. Richard Steven Hack

    My guess is Brennan wasn't using it for sensitive material. I suspect the hacker got the personnel data he revealed from the OPM hack somewhere and merely married it to the AOL account.

    If Brennan was using an AOL account for CIA purposes, he needs to be removed from his post immediately. In fact, if he was using an AOL account at all, he probably should be fired. :-)

    1. coyote · in reply to Richard Steven Hack

      "In fact, if he was using an AOL account at all, he probably should be fired. :-)"

      True although I imagine many people would prefer he isn't struck off because they could take advantage of him. Then again, government intelligence is an oxymoron, so if it isn't this it will be something else (and/or someone else).

  4. Jim

    Had a vision of Brennan trying to cancel his AOL account then spending a whole day trying to convince AOL customer service that he wasn't interested in there numerous offers to stay with AOL.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.