Some of the passwords that Defense Secretary Pete Hegseth used to register for websites were exposed in cyberattacks on those sites and are available on the internet, raising new questions about his use of personal devices to communicate military information.
Mr. Hegseth did not appear to use those passwords for sensitive accounts, like banking. But at least one password appears to have been used multiple times for different personal email accounts maintained by Mr. Hegseth. If hackers access email accounts, they can often reset other passwords.
Like many Americans, Mr. Hegseth appears to have reused passwords to remember them more easily. At least one of them is, or was, a simple, lowercase alphanumeric combination of letters followed by numbers, potentially representing initials and a date. The same password was leaked in two separate breaches of personal email accounts, one in 2017 and another in 2018.
It is not clear whether he has updated the compromised passwords, or if he did so before he used his personal phone in March to share sensitive information about planned U.S. strikes on Houthi militia targets in Yemen.
Mr. Hegseth’s digital practices and security have been under scrutiny since he discussed the precise timing of those airstrikes in at least two chats on Signal, a free, encrypted messaging app. At least one of the chats took place on his personal phone. That information could have endangered U.S. pilots if an adversarial power had intercepted it.
In addition to those two Signal chats, Mr. Hegseth used the encrypted app for multiple other ongoing conversations and group messages, according to people briefed on his use of the platform. Some of the messages were posted by a military aide, Col. Ricky Buria, who had access to Mr. Hegseth’s personal phone. The use of the app for multiple ongoing conversations was earlier reported by The Wall Street Journal.
Mr. Hegseth was initially added to a Signal group created by Michael Waltz, who was the national security adviser at the time, to discuss the Houthi strikes. Mr. Hegseth shared similar details about the strikes with a second Signal group that included his wife, Jennifer. That group was set up on Mr. Hegseth’s personal phone.
Cybersecurity experts have said that because Mr. Hegseth’s phone number is easy to find on the web, it is a potential target for hackers and foreign intelligence agencies. Signal messages are sent across the internet securely, but messages typed into a phone could be intercepted if an adversarial intelligence agency has installed malware on the device.
When two-factor authentication is enabled on the sites, hackers will need more than passwords to gain access to information.
The chief Pentagon spokesman, Sean Parnell, did not respond to a request for comment.
Experts say that finding exposed passwords is easier than ever.
“If you know where to look, you can find them,” said Kristin Del Rosso, who monitors breach data at DevSec, a cybersecurity investigations firm.
Ms. Del Rosso said some companies collect and sell stolen data. Because data breaches are now almost routine, there is a large amount of data that adversaries or criminals could use to get a deeper understanding of an individual and potentially guess other passwords or gain access to more information.
“You can uncover more,” she said.
Passwords belonging to Mr. Waltz, who was removed as national security adviser on Thursday, have also been exposed in internet breaches.
Representatives of the National Security Council did not respond to a request for comment. But a person briefed on the situation said Mr. Waltz had changed his compromised passwords before joining Congress in 2019.
In March, Der Spiegel, a German news publication, found phone numbers and email addresses associated with Mr. Waltz, Mr. Hegseth and Tulsi Gabbard, the director of national intelligence, who were all on the initial Signal chat.
The phone numbers for Ms. Gabbard that can be found online are no longer associated with her.
But like Mr. Hegseth, Ms. Gabbard has reused passwords. The New York Times found at least one leaked password linked to multiple personal accounts used by Ms. Gabbard.
According to a spokeswoman, Ms. Gabbard’s passwords have been changed many times since a breach exposed a password nearly a decade ago. The Times uncovered more recent data breaches involving a similar reused password tied to her personal email account.
John Ratcliffe, the C.I.A. director, has a disciplined public profile. A former prosecutor and member of the House Intelligence Committee, he does not have an easily identifiable phone number and email address and seems to have left a small digital footprint.
Mr. Hegseth has repeatedly said he did nothing wrong in disclosing the Yemen strike details in Signal chat groups that included people who did not have a security clearance. But using his personal telephone, with a number — and password — that is available on the internet, has undoubtedly left a senior Trump national security figure vulnerable to hacking efforts by foreign adversaries, intelligence analysts say.
“You just have to assume that the bad guys are listening,” Michael C. Casey, the former director of the National Counterintelligence and Security Center, said in an interview. He said that senior national security government officials were supposed to enter their jobs from Day 1 with the assumption that their personal devices were being hacked, and act protectively.
The use of phones by government officials has long been a security concern.
President Barack Obama wanted to keep using his personal phone and BlackBerry when he first came into office, former officials in his administration have said.
Intelligence officials said that using a personal phone presented too many risks. But officials at the National Security Agency eventually provided Mr. Obama with a BlackBerry that had been modified to enhance its security. (Mr. Obama routinely joked that his phone had so many security constraints that using it was “no fun.”)
Technology has advanced rapidly since then, and national security officials are now more routinely issued government phones that come with security enhancements. Most of those phones have extra security controls in place that prevent the installation of unapproved apps.
But like Mr. Obama, officials routinely complain that the secured phones are awkward to use and limited in utility, and some continue to communicate with encrypted apps on their private phones.
Christiaan Triebert is a Times reporter working on the Visual Investigations team, a group that combines traditional reporting with digital sleuthing and analysis of visual evidence to verify and source facts from around the world.
Julian E. Barnes covers the U.S. intelligence agencies and international security matters for The Times. He has written about security issues for more than two decades.
Helene Cooper is a Pentagon correspondent for The Times. She was previously an editor, diplomatic correspondent and White House correspondent.
Originally published by The New York Times under the headline “Hegseth’s Use of Passwords Raises New Security Concerns.”