For a few days now, WikiLeaks has been publishing select emails from Clinton campaign chairman John Podesta — and the leaks are starting to cause serious damage. Most likely obtained from a hacked archive file, the latest dump contains all sorts of sensitive info on Podesta with no obvious news value, including his Social Security number and enough info to compromise his Twitter account.
But the most painful casualty of the latest dump may have been Podesta’s iPhone. The leak contained Podesta’s Apple ID credentials as well as a significant array of other personal data, and a group of 4chan users claim to have used that information to gain access to Podesta’s iCloud account. From there, they triggered a remote wipe of both an iPhone and iPad belonging to the campaign chief. Others claim to have also downloaded all of the data in Podesta's iCloud account, although those claims are difficult to verify.
Before the wipe, the attackers posted a screenshot of Podesta's iPhone somewhere in Downtown Brooklyn, near the Clinton campaign headquarters. (Clinton herself is currently in California.)
Apparently some asshole from anonymous compromised Podesta's Apple account using creds in WL dump and remotely wiped his phone. V cruel. pic.twitter.com/ZdfWf2NkuY
— Pwn All The Things (@pwnallthethings) October 13, 2016
The users posted various other screenshots as evidence, but — 4chan being 4chan — it’s hard to be sure the screenshots weren’t altered or other information concealed. WikiLeaks denies the report, claiming the group made sure the relevant credentials had been changed before publishing them. That would be an unusually careful measure from the group, which has included large batches of credit card and Social Security numbers in past publications.
Still, such a hack is entirely plausible, even if the Apple ID credentials were no longer valid. iCloud has long been vulnerable to social engineering attacks, and such an attack would be far easier with the subject's Social Security number and other financial data available in the leak. Unless Podesta had two-factor authentication turned on, there would be little stopping the attackers from wiping the devices.
Update 4:32PM ET: Updated with WikiLeaks denial.