An unnamed US intelligence official was quoted by NBC News as calling the leak of contractor Ian Mellul’s e-mails “the most damaging compromise of the security of the president of the United States that I’ve seen in decades”—one caused by the use of an outside personal e-mail account for government business. The e-mails included full scans of passports, including Michelle Obama’s, that Mellul had forwarded to himself from a White House e-mail account. Mellul likely forwarded the e-mails to his Gmail account because he couldn’t access White House mail offsite without a secure device.
Government sources have described DCleaks.com as being connected to Russian intelligence organizations. But just about anyone could have gotten into Ian Mellul’s e-mail if he was using the same password for his Gmail account that was exposed in a 2013 breach of Adobe user data—just as Navy Captain Carl Pistole’s was. The accounts of Powell and of Sarah Hamilton were both leaked as part of a 2012 breach of Dropbox’s user data, according to data from HaveIBeenPwned.
The earlier exposure of Mellul’s account in the Adobe breach, combined with the rest of the accounts attacked and DCleaks.com’s overall digital footprint, makes the attribution of the e-mail exposures much more difficult. The DCleaks domain was registered through an Australian domain privacy service. The site itself is hosted by a company in Malaysia and runs on WordPress using a commercial theme called “Stockholm,” from the Australian design firm Envato—a fairly out-of-the-box site with its MySQL server ports left open to the Internet.
Anyone with the time or money to sift through breached user data for targets connected to the US government could be behind the exposure of the e-mails. And while DCleaks has particularly targeted Clinton, her husband, former President Bill Clinton, the Clinton Foundation, and George Soros’ Open Society Foundation in past document dumps—leading to suspicions that someone working on behalf of the Russian government was behind them—plenty of other, less sophisticated “cyber actors” out there might want to dump trash on Obama and Clinton. As former US Assistant Attorney General Jack Goldsmith said in a panel on the Democratic National Committee breach earlier this week, “The number of actors who could do this are many, and our ability to defend against it is uncertain.”