Passwords used by Donald Trump's incoming cybersecurity advisor Rudy Giuliani and 13 other top staffers have been leaked in mass hacks, according to a Channel 4 investigation.

Giuliani, incoming national security advisor Lt Gen Michael Flynn and various cabinet members of Trump's administration had their details included in website mega breaches... like millions upon millions of others. This doesn't mean that we (or they) have been hacked and there's no indication that it's their current credentials that have been compromised. They may have changed their passwords since, for instance, the LinkedIn breach.

"The passwords of the appointees were hacked in mass breaches of websites like LinkedIn, MySpace, and others between 2012 and 2016," as Channel 4 puts it.

An appearance of someone's records in Have I Been Pwned? should not imply that they have been hacked, contrary to Channel 4's breathless headline.

Channel 4 assured us that their investigation went beyond looking at whether known email addresses of prominent Trump administration figures cropped up on Have I Been Pwned?

"Have I Been Pwned? was one of many sources checked," Mike Smith, the reporter behind the scoop told El Reg. "Many appointees using the same passwords in multiple places, using the simplest passwords in multiple places."

Kyle Wilhoit, senior security researcher at DomainTools, said: "Unfortunately leaks that include identifiable information like emails and passwords are common and in many cases can't be avoided. In this case, the leaked email address appeared to come from a common social networking site.

"The issue isn't necessarily about the passwords being leaked. The primary problem is password reuse between a social networking site, and say, some other system that could be deemed operationally important. All it takes is an attacker to find out their password from a dump, and capitalise on that human error of reuse." ®

Bootnote

Thanks to industry veteran Graham Cluley for helping us run a reality check on C4's exposé.