Looks like even alleged international criminals have shitty password practices.
Donald Trump's former campaign manager Paul Manafort turned himself in to the FBI Monday after being charged with conspiracy against the United States, money laundering, and tax fraud. His former business associate Rick Gates, who pleaded guilty to lying to the FBI, also turned himself in.
Manafort has been accused of funneling millions of dollars through overseas shell corporations and spending the cash on extravagant luxuries, like fancy rugs and over one million dollars in men's clothing. He has pleaded not guilty.
Manafort, whose alleged involvement in off-the-books Ukrainian government dealings and Donald Trump's presidential campaign makes him sound like a character from a spy novel, used to reference another character from a spy novel in his online passwords: James Bond. The passwords associated with his former Adobe and Dropbox accounts were both variations of "Bond007," according to two security researchers who asked not to be named, citing professional concerns.
It's possible Manafort used the same password for other accounts. "If someone was using what was materially the same password on two different sites, the likelihood of that person using the same password for other accounts is high. It's an educated guess to leap to 'his email address'—but it's a guess, IMO," one researcher told me. People often reuse the same password on all their accounts, which is a big security no-no.
One of the researchers walked me through how he connected Manafort to the James Bond reference. In March, hacked text messages allegedly belonging to Manafort's daughter, Andrea, were released on the dark web. Manafort confirmed to Politico that his daughter had experienced a breach. The messages contained what is believed to be Manafort's former email address: firstname.lastname@example.org, uncovered by the security researcher known as Krypt3ia.
By searching for the email address on HaveIBeenPwned.com, a website that helps users discern whether their data has been compromised as part of a major hack, the researcher discovered that email@example.com was indeed part of two breaches: the 2013 Adobe hack, as well as the 2012 Dropbox hack.
One of the researchers I spoke to downloaded all of the data that was dumped during the Adobe leak, and searched for Paul Manafort's email address. The password for the Adobe account associated with his email address was encrypted, but the researcher could tell it was the same password as a number of other accounts included.
Those accounts had password hints (which were made public as part of the leak) that included things like "secret agent" and "James Bond." The researcher then inferred that the password could be something like "Bond007."
"I tried a few guesses in a decoder," the researcher told me. "And bond007 worked."
The other researcher I spoke to confirmed that they had discovered the same password was used for Manafort's Dropbox account, which they verified using the hacked Dropbox data dump. "Like many password researchers, I maintain an archive of public password dumps for research purposes," they told me. "I tried 'bond007' against the hashed password associated with 'firstname.lastname@example.org' in the Dropbox data, and it matched."
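The two verification methods described above rest on a difference in how the two services stored passwords, and that difference is the security lesson for anyone running a login system. In the Adobe case the researcher never needed to reverse anything: because the stored value was the same for every user with the same password, the hints other users had written for themselves described Manafort's password too. In the Dropbox case, each stored value could only be checked one guess at a time. The following Python is an added example, not code from the article or from either researcher, and it uses constructed sample records and a keyed HMAC as a stand-in for any unsalted, deterministic storage scheme (it is not Adobe's actual cipher). It shows the equality leak, a defender's audit that detects it in a credential table, and why a per-user salt with PBKDF2 closes it.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample records for illustration only: (email, password, hint).
# These are invented and are not taken from any real breach.
SAMPLE_USERS = [
    ("alice@example.invalid", "bond007", "secret agent"),
    ("bob@example.invalid", "bond007", "James Bond"),
    ("carol@example.invalid", "correct horse", "xkcd"),
    ("target@example.invalid", "bond007", ""),   # wrote no hint of their own
    ("dave@example.invalid", "hunter2", "the usual"),
]

# Fixed server-side key: a constructed stand-in for an unsalted, deterministic
# scheme. The property that matters is that equal passwords map to equal
# stored values, which is exactly what let hints from other users leak.
SERVER_KEY = b"constructed-fixed-key-do-not-use"
PBKDF2_ROUNDS = 100_000


def deterministic_store(password: str) -> str:
    """Unsalted, keyed, deterministic transform. Equal passwords collide."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()


def salted_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2. Equal passwords do not collide."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(stored: str, guess: str) -> bool:
    """Check a single guess against one salted record (the only operation a
    salted store supports; nothing about other users is learned)."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", guess.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_dump(users, store_fn):
    """Simulate a leaked credential table: email -> (stored_value, hint)."""
    return {email: (store_fn(pw), hint) for email, pw, hint in users}


def equality_leak_audit(dump):
    """Defender's check on a credential table: group rows by stored value.
    Any cluster larger than one means the store leaks password equality,
    and every hint inside the cluster describes every member's password."""
    clusters = defaultdict(list)
    for email, (stored, hint) in dump.items():
        clusters[stored].append((email, hint))
    return {k: v for k, v in clusters.items() if len(v) > 1}


def hints_exposed_for(dump, email):
    """Hints written by *other* users whose stored value equals this user's.
    Non-empty output is the exact exposure the article describes."""
    stored, _ = dump[email]
    return [h for e, (s, h) in dump.items() if s == stored and e != email and h]


if __name__ == "__main__":
    leaky = build_dump(SAMPLE_USERS, deterministic_store)
    print("clusters in deterministic store:", len(equality_leak_audit(leaky)))
    print("hints exposed for target:", hints_exposed_for(leaky, "target@example.invalid"))
    safe = build_dump(SAMPLE_USERS, salted_store)
    print("clusters in salted store:", len(equality_leak_audit(safe)))
    print("hints exposed for target:", hints_exposed_for(safe, "target@example.invalid"))
```

Run against the deterministic table, the audit finds one cluster of three rows and the target's row inherits the hints "secret agent" and "James Bond" from strangers; against the salted table the same audit finds no clusters and the target's row exposes nothing, so the only remaining check is a per-record guess through `verify_salted`. A defender who inherits a legacy credential store can run `equality_leak_audit` on it directly to decide whether a migration to salted hashing is overdue.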
It's not clear how long it has been known that the James Bond reference was associated with Manafort's two accounts. The researcher who examined the Adobe archive said they first discovered it several months ago, but did not make it public until today. The researcher who looked at the Dropbox archive said they had not discovered the password until today.
Several users on Twitter are assuming that because Manafort used "bond007" for his Adobe and Dropbox passwords, he used it for his email too. That's not necessarily the case. Though many people reuse the same passwords across accounts, Manafort may have had another password he used for his email. Motherboard has not independently confirmed that these passwords were indeed used by someone connected to Manafort's accounts.
Got a tip? You can contact this reporter securely on Signal at +1 201-316-6981, or by email at email@example.com