【War Archives】

So you've created a strong password,War Archives kept an eye out for sketchy links, and enabled two-factor authentication — what could possibly go wrong?

Well, it turns out the answer is "you."

SEE ALSO: Here's what we know about alleged NSA leaker Reality Leigh Winner

As the leaked NSA report on Russian efforts to hack the computers of U.S. election officials before the 2016 presidential election demonstrates, we are all often our own biggest security weakness. The document, published by The Intercept, shows that hackers found a way around the protections offered by two-factor authentication that is striking in its simplicity: They asked the targets for their verification codes.

"If the victim had previously enabled two-factor authentication (2FA)," explains a slide detailing the Russian attack, "the actor-controlled website would further prompt the victim to provide their phone number and their legitimate Google verification code that was sent to their phone."

To translate, after tricking victims into entering their email and password into a fake Google site, the hackers found that some victims had 2FA set up on their accounts. This meant that even with the password, hackers were unable to gain access to the Gmail accounts in question — that is, unless they could get the verification codes as well.

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

So, again, they just straight up asked for them.

Original image has been replaced. Credit: Mashable

"Once the victim supplied this information to the actor-controlled website, it would be relayed to a legitimate Google service, but only after [redacted] actors had successfully obtained the victim's password (and if two-factor, phone number and Google verification code) associated with that specific email account."

Basically, the hackers were able to bypass the email security measures by requesting that the victims give them the keys to the digital castle.

Once access was gained to the accounts, which reportedly belonged to an electronic-voting vendor, the hackers would then email election officials from the hacked accounts and attempt to trick those same officials into opening script-laden Word docs that would compromise their computers.

It's an elaborate bit of spear phishing, and it reminds us that no matter what digital security practices we put in place, we can all still slip up.

In the face of everyday online threats, the best defense (other than setting up 2FA — which you should definitely still do) might be the simplest: exercise caution with every email you receive, and be paranoid as hell.

In the face of skilled Russian hackers? Well, that one's trickier, but maybe start with not handing over your email password, phone number, and 2FA verification code.

---

Featured Video For You

---

Researchers are using sound to levitate objects, and it's changing the medical industry

---

Topics Cybersecurity Elections

• Life
• Deals
• Games
• Tech
• Entertainment
• Social Good
• Digital Culture
• Shopping

• How to Squeeze the Most Out of Your iPhone's Battery
• Bristol Bears vs. Saracens 2024 livestream: Watch live rugby for free
• Apple has apologised for its tone
• Best AirPods Pro deal: Get the AirPods Pro for just $179.99
• Ireland fines TikTok $600 million for sharing user data with China
• Bilibili warns fall in gaming revenue may impact annual earnings · TechNode
• 'Poolman' review: How bad is Chris Pine's directorial debut?
• MotoGP livestream: Watch the 2024 French Grand Prix for free
• NYT mini crossword answers for May 9, 2025
• Where the northern lights will be visible thanks to the solar flare

• NVIDIA reportedly to launch cut
• MediaTek’s first 2nm chip set to tape out in September · TechNode
• Xiaomi unveils self
• DJI reportedly set to launch robotic vacuum cleaner next month · TechNode
• Ele.me deploys Unitree humanoid robots to promote flash delivery · TechNode
• China’s GAC starts operations at new Indonesia EV plant · TechNode
• Xiaomi CEO expects EV business to break even later this year · TechNode
• China drafts rules to govern hidden door handles following Xiaomi EV crash · TechNode
• Nintendo Switch 2 launches in China with over 400,000 pre
• Tencent eyeing $15 billion acquisition of game developer Nexon: report · TechNode

• Today's Hurdle hints and answers for May 9, 2025
• Where to pre
• Best smartwatch deal: Buy one, get one Galaxy Watch 6 from Samsung
• Xiaomi set to display first EV at stores in Q1 · TechNode
• Amazon Pet Day: All the best deals
• Instead of buying lame gifts, donate to these conservation orgs
• Where the northern lights will be visible thanks to the solar flare
• CCTV unveils mascot for Year of the Dragon Spring Festival Gala · TechNode
• Robin Triumphant
• 2019's word of the year is 'climate strike'

• Amazon Prime Grubhub deal: Save $10 off orders of $20 or more
• This 'starry night' toad was lost to scientists for decades
• What will OpenAI announce Monday? Quite possibly an AI voice assistant.
• NIO vehicle margin rebounds in Q3 as CEO keeps pricing stable · TechNode
• Amazon Prime Grubhub deal: Save $10 off orders of $20 or more
• Wonder what your dog would look like as a cat? There's a new AI tool for you.
• Earth's winds have picked up again, after decades of slowing
• 'Biosphere' spoiler
• NYT Connections hints and answers for May 10: Tips to solve 'Connections' #699.
• How to pre