On March 19, an IT employee at the Hillary Clinton campaign gave John Podesta, the campaign chairman, some computer-security advice. “John needs to change his password immediately,” he wrote in an email, “and ensure that two-factor authentication is turned on his account.”

The helpdesk staffer was responding to a Google alert with a bright red banner that had been sent to Podesta’s personal Gmail account. The alert said that someone in Ukraine had tried signing into Podesta’s email, and prompted him to change his password. An aide to Podesta had forwarded the warning when she saw it in his inbox.

The warning, it turned out, was fake. It was designed to look authentic by Russian hackers, who also created a fake password-reset page that would capture Podesta’s password when he entered it. But the Clinton IT employee, Charles Delavan, made a crucial error when he responded to the aide who forwarded the warning. “This is a legitimate email,” he wrote back. Somebody on the campaign clicked on the fake link, entered Podesta’s password, and the hackers gained access to tens of thousands of his emails.

In a detailed new report from The New York Times, Delavan said he didn’t intend to legitimize the phishing email back in March:

He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.

The Times piece was a vivid, blow-by-blow reconstruction of what happened between September 2015, when an FBI special agent first alerted the Democratic National Committee to Russian-directed hacking attempts on its computer networks, and the moment voters elected Donald Trump president. The story details a string of missed opportunities—like the FBI’s lackluster outreach to the DNC back in 2015—and an abundance of political caution, which kept the Obama administration from responding meaningfully to Russian aggression.