Some security advice for Colin Powell to better protect his Gmail account

“I have no idea whose account was leaked or hacked… Oh, damn!”

Graham Cluley


As the New York Times and others report, former US Secretary of State Colin Powell has had his personal Gmail account hacked.

26 months' worth of Powell’s private email conversations, dating from June 2014 to last month, have been posted online by a group calling themselves DC Leaks.

Amongst other things, the leaked emails show that Powell is not a fan of Donald Trump and has some scornful words for Hillary Clinton too.


Of course, the emails aren’t just embarrassing and damaging for the privacy of Colin Powell – they are also potentially humiliating for the people he was corresponding with, who have had their own private conversations exposed to the world.

And then I found it somewhat ironic, when flicking through some of the leaked emails, to stumble across an email Colin Powell sent Lee Fang at The Intercept, after the journalist asked if he had any idea how an email conversation between Powell and General Phil Breedlove had leaked.


“I have no idea whose account was leaked or hacked.”

Well, I guess he has more of an idea now…

So, here is my advice for Colin Powell and anyone else concerned about the security of their webmail accounts:

  • Make sure that you are not using the same password on your webmail account as on any other online account. Reusing passwords is as much of a sin as (if not worse than) choosing an easy-to-guess password, or one that is easy to crack. If you can’t remember all of your different passwords (trust me – you can’t) then get a password manager to do the remembering for you, and protect that with a strong, hard-to-crack password.
  • Enable two-step verification (2SV) on your webmail account. Here is how you do that for Google and Yahoo and Outlook. Once you have 2SV in place, hackers will need more than just your password to log into your account.
  • Check that your webmail account is not forwarding messages to another account, unless you specifically asked it to.
  • Check that your webmail account has not been configured to delegate access to another person who can read your emails.
  • Be on the lookout for phishing emails which attempt to trick you into handing over your password, and run an anti-virus to protect your PC against spyware.
  • Finally, don’t tell anyone else your webmail password.
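The forwarding and delegation checks in the list above can also be scripted against a settings export. The following is an added example, not part of the original article, and it goes slightly beyond the list by also checking per-filter forwarding. Field names follow the Gmail API's settings resources; the combined dictionary layout, the function name and all sample addresses are assumptions constructed for illustration.

```python
# Added example: flag forwarding and delegation settings the owner did not approve.
# Field names follow Gmail API settings resources; the combined layout is assumed.

def audit_mail_settings(settings, approved=()):
    """Return sorted (check, address) findings for addresses not in `approved`."""
    allowed = {a.lower() for a in approved}
    findings = set()

    def flag(check, address):
        if address and address.lower() not in allowed:
            findings.add((check, address.lower()))

    # Account-wide auto-forwarding only matters while it is switched on.
    auto = settings.get("autoForwarding", {})
    if auto.get("enabled"):
        flag("auto-forwarding", auto.get("emailAddress"))

    # Registered forwarding addresses are a precondition for any forwarding.
    for fwd in settings.get("forwardingAddresses", []):
        flag("forwarding-address", fwd.get("forwardingEmail"))

    # Individual filters can forward matching mail even if auto-forwarding is off.
    for flt in settings.get("filter", []):
        flag("filter-forward", flt.get("action", {}).get("forward"))

    # Delegates can read the mailbox; rejected or expired grants are ignored.
    for dlg in settings.get("delegates", []):
        if dlg.get("verificationStatus") in ("accepted", "pending"):
            flag("delegate", dlg.get("delegateEmail"))

    return sorted(findings)

# Constructed sample settings (not real data).
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": False, "emailAddress": "assistant@example.org"},
    "forwardingAddresses": [
        {"forwardingEmail": "assistant@example.org", "verificationStatus": "accepted"},
        {"forwardingEmail": "unknown@example.net", "verificationStatus": "accepted"},
    ],
    "filter": [
        {"id": "f1", "criteria": {"from": "bank@example.com"}, "action": {"addLabelIds": ["IMPORTANT"]}},
        {"id": "f2", "criteria": {"query": "invoice"}, "action": {"forward": "unknown@example.net"}},
    ],
    "delegates": [
        {"delegateEmail": "Reader@example.net", "verificationStatus": "accepted"},
        {"delegateEmail": "old-aide@example.org", "verificationStatus": "expired"},
    ],
}

if __name__ == "__main__":
    for check, address in audit_mail_settings(SAMPLE_SETTINGS, approved={"assistant@example.org"}):
        print(f"REVIEW {check}: {address}")
```

Anything the audit reports is an address that receives or can read mail without having been explicitly approved, and should be removed or confirmed by the account owner.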

We don’t know precisely how Colin Powell’s Gmail account was hacked, but it seems likely that he was careless with his password in some fashion, and failed to have additional security measures (like 2SV) in place to prevent unauthorised parties from accessing his messages.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

6 comments on “Some security advice for Colin Powell to better protect his Gmail account”

  1. David L

    Well, I think the biggest problem is that people have no idea how to use technology safely, because they have not spent the time and hard work learning. Technology has overtaken millions upon millions of users who are absolutely clueless. Even I was a very late starter. I was still using a flip phone in 2010-11. When the iPhone 4 came out, the kid got one (because my iPod broke) so I told him I get his old device, an HTC Touch Pro 2 running Windows 6.5 OS. I used that for a couple of years, then switched to Android and was forced to learn another new system. I have always been a fast learner, but back then, I barely knew the vocabulary. When I got the mom-in-law a Galaxy S4, she was in tears after a week, and wanted to switch back to her flip phone. But she hung in there, and now uses it in multitudes of ways. But she is clueless about security, and the youngsters are equally clueless, as is everyone in between. Maybe people need to pass a test before they are allowed to use tech, just like operating a motor vehicle. Both can be dangerous to themselves and others, if used incorrectly.

  2. Tim Scully

    Why do you keep perpetuating the stigma that a cyber security breach is "embarrassing"? No individual is immune from such breaches – if a hacker has the capability and intent to breach your email, he/she will. It can happen to anyone. Not everyone is an expert in cyber security, nor should they be.

    Claiming it is embarrassing for the victim only creates a situation where people and organisations will not report breaches and they will try to cover up their security failings online. It also just feeds the media's deceitful tendency to try and catch people out as in Colin Powell's case, that is, 'gotcha' journalism.

    It has been reported that, over the last three months in the US, 622 breaches resulted in 27,639,088 records being stolen – and those are just the ones that were reported. The reason many are not reported is because you and other 'experts' refer to the breaches as "embarrassing". It is not embarrassing, it is a fact of life online. And the sooner our 'experts' recognize this, and stop feeding parasitical journalists' thirst for 'gotcha' moments, maybe there will be more willingness to report breaches and share information and data so you experts can help fix the problem.

    1. Graham Cluley · in reply to Tim Scully

      I was thinking more that he would be embarrassed by the contents of his private email conversations being revealed, particularly those where he expresses private opinions about people that he wouldn't want them to necessarily hear.

      1. Tim Scully · in reply to Graham Cluley

        I appreciate that, Graham. Nonetheless it perpetuates the stigma surrounding breaches. Where can someone express their private thoughts online? We all should have an expectation of privacy when we use email or other direct forms of communications; the fact that we can't have that expectation is due to the failure of the cyber security industry to get on top of the problem and the media to be a vehicle for exposing online users' personal indiscretions rather than a medium for education on cyber security. I know that is an altruistic hope to think it could be otherwise.

  3. Jody

    Well, my situation was far worse than Mr Powell's. I'm an aspiring model and I met these guys on Facebook promising a modeling contract and that I should send nude collages. I was hesitant but then took the pictures and hid them in my email and I asked them for leverage. They said they were gonna provide me with something and that they were legit and they sent me documents, but also they hacked my email because I was not satisfied with their proof. They released pictures without my consent. I had a lot of work to do finding them and I could not do it myself. I informed Gmail of the breach; they were of little help because I did not have 2 factor authenticator. Then I contacted some dude on wickrme app username onetimehacker who got their real identity and I was able to contain things before it got out of hand.

  4. MattH

    Or, you know, enable two factor authentication on your email account.
