On average, an American office worker sends and receives roughly 120 emails per day, a number that grows with each passing year. The ubiquity and utility of email have turned it into a fine-grained record of our day-to-day lives, rich with mundane and potentially embarrassing details, stored in a perpetual archive, accessible from anywhere on earth and protected, in some cases, by nothing more than a single password. In the case of Violeta Lagunes, her email login represented a point of vulnerability, a seam where the digital walls protecting her campaign were at the mercy of her human judgment — specifically, whether she could determine if a message from an apparently reputable source was real or fake. Nearly two years later, John Podesta, chairman of Hillary Clinton’s campaign, was faced with a similar judgment call. An email warned him that someone in Ukraine had tried to access his Gmail account and asked him to click on a button and reset his password. His senior adviser forwarded the email to one of the campaign’s technology experts. “This is a legitimate email,” he replied, in what the expert later would clarify was a simple typing error on his part; he meant to say it was not legitimate. “The gmail one is REAL,” the senior adviser wrote to Podesta and another aide.

And so, like Lagunes, Podesta fell into a trap. The button appeared to lead to an official Google page, but it was in fact a meticulously personalized fake, with a domain address linked to a remote cluster of atolls in the South Pacific. The details were designed to trick Podesta into entering his password. This technique is known as “spear phishing.” It is an especially potent weapon against companies and political organizations because it needs to succeed only one time, against one target. After that, attackers can use the trusted identity of the first compromised account to more easily lure colleagues into opening infected attachments or clicking on malicious links. Not only will a working email password yield years of intraoffice chatter, invoices, credit-card bills and confidential memos; it can often be leveraged into control of other personal accounts — Twitter, Facebook, Amazon — and even access to company servers and internet domains.

The Podesta and Lagunes episodes are far from the only cases in which hackers have used information from stolen emails as a weapon against an entire institution. The 2009 “Climategate” incident, which exposed troves of emails from prominent climate researchers, began when hackers remotely broke into servers at a British university with the help of illicitly obtained passwords. The 2014 hack of internal Sony files, which American officials attributed to the North Korean government, began with a series of spear-phishing emails that attackers then used to dig deeper into Sony’s servers. Each hack yielded the most private thoughts and deeds from the members of each respective organization: their blunt insults, their quashed dissents, their half-baked plans, their smarmy flattery, all chronicled in time down to the hundredth of a second when the author clicked “send.” In an earlier era, the hackers might have had to engage in riskier behavior, like bribery or burglary. Now, in many cases, all they had to do was send along a link.

The White House, C.I.A. and F.B.I. have all claimed that, based on classified evidence, they can trace the hacks of Podesta’s email account (and other hacks of people close to the Clinton campaign) back to the Russian government. But with the rise of private firms like Hacking Team, penetrating the email accounts of political opponents does not require the kind of money and expertise available to major powers. A subscription-based website called Insider Surveillance lists more than a dozen companies selling so-called ethical malware, including Milan-based Hacking Team and the German firms FinFisher and Trovicor. Compared with conventional arms, surveillance software is subject to few trade controls; a recent attempt by the United States to regulate it under a 41-country pact called the Wassenaar Arrangement failed. “The technology is morally neutral,” says Joel Brenner, a former inspector general of the National Security Agency. “The same program that you use to monitor your babysitter might be used by Bashar Assad or Abdel Fattah el-Sisi to keep track of whomever they don’t like.”

Hacking Team has fewer than 50 employees, but it has customers all over the world. According to internal documents, its espionage tool, which is called the Remote Control System, or R.C.S., can be licensed for as little as $200,000 a year — well within the budget of a provincial strongman. After it has been surreptitiously installed on a target’s computer or phone, the Remote Control System can invisibly eavesdrop on everything: text messages, emails, phone and Skype calls, location data and so on. Whereas the N.S.A.’s best-known programs grab data in transit from switching rooms and undersea cables, the R.C.S. acquires it at the source, right off a target’s device, before it can be encrypted. It carries out an invisible, digitized equivalent of a Watergate-style break-in.

The United States government is almost certainly the world’s most formidable repository of hacking talent, but its most powerful cyberweapons are generally reserved for intelligence agencies and the military. This might explain why, according to company documents, at least two federal law-enforcement agencies have been Hacking Team clients: the F.B.I., beginning in 2011, and the Drug Enforcement Administration, beginning in 2012. The F.B.I. contract paid Hacking Team more than $700,000; the D.E.A. appears to have used the software to go after targets in Colombia.

Documents show that the company has also sold its software to some of the world’s most repressive governments. Some, like those of Honduras, Ethiopia, Bahrain, Morocco, Egypt and Saudi Arabia, are Western allies. Other countries, like Uzbekistan and Turkey, have a more troubled relationship. A few are openly hostile to the West. Between 2012 and 2014, Hacking Team was paid nearly one million euros by the government of Sudan, a United States-designated state sponsor of terrorism. Even more notable, in light of recent events, is the three-year relationship that Hacking Team carried on with the F.S.B., one of Russia’s main intelligence agencies. As with Puebla, Hacking Team used a middleman, a research agency called Kvant, to handle its sales to Russia. Between 2012 and 2014, the agency paid Hacking Team 451,000 euros to license the Remote Control System.