A teenager claims to have hacked the CIA director's AOL email account and laid his hands on sensitive government files within.
The kid bragged he managed to trick staff at AOL parent Verizon into reseting the password to CIA boss John Brennan's personal account, allowing the youngster to hijack it.
After apparently rifling through the inbox and pulling out records on intelligence agency staffers, plus Brennan's own application for top-level security clearance, the teen started posting the sensitive information on Twitter and text-hosting websites.
Said information included what appeared to be the names, dates of birth and social security numbers of national intelligence workers, and the contents of Brennan's address book. The kid also found a letter from US senators asking the CIA to scrap its use of torture in interrogations, it's claimed.
"We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities," a CIA spokesperson told The Register on Monday.
The hacker told the New York Post that he was able to use publicly available information about Brennan to social engineer his way through AOL's password reset system.
Allegedly, the high-schooler and a couple of pals got hold of Brennan's cellphone number, worked out he was a Verizon customer, called Verizon pretending to be employees at the telco, requested the customer's account information, and then called back with that data to get the email account password reset.
The kid was able to access 40 emails with documents attached – including a 47-page security-clearance application for Brennan's current role, it's alleged. It appears no classified information was leaked.
That Brennan, 60, had an active AOL account handling sensitive national security information is surprising, but only a little. “[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic,” a source told the Post.
Also posted on one of the hacker's now-suspended Twitter accounts was Brennan's telephone call logs from July 20 to October 12 with Avril Haines, the White House's Deputy National Security Advisor.
In addition to Haines, the hacker claims to have accessed the Comcast account of US Homeland Security Secretary Jeh Johnson via social engineering. The teen claims to have listened to the DHS boss's voicemails, and has posted billing information from the account.
"We are aware of the media report, however as a matter of policy, we do not comment on the Secretary's personal security," DHS spokesman S.Y. Lee told El Reg in an email.
The teenager – whose main Twitter account phphax is still active – said the attack and disclosure was motivated by opposition to US foreign policy and support for Palestine. He told the New York Post that he wasn't a Muslim, and referred to ISIS as "retarded" on his Twitter feed.
There's no word on any further releases by phphax. In the meantime, the high school tearaway may want to put on a pair of running shoes or get a good lawyer – we suspect the CIA and DHS will be knocking down his door sooner rather than later. ®