The private email system Secretary of State Hillary Clinton used to conduct all official federal business was vulnerable to an exploit known as "spoofing," a trick that could have allowed hackers to impersonate her identity, former U.S. officials familiar with her email system told Bloomberg.
Though Clinton said last week that there were no security breaches of the personal email server she used to send 60,000 professional and personal emails, security experts told Bloomberg that hackers could have easily infiltrated it without leaving a trace.
In fact, the vulnerabilities were so severe, anyone who communicated with Clinton via her clintonemail.com account while she was head diplomat for the U.S. was at risk of being hacked.
One of the most glaring vulnerabilities involves an anti-spoofing mechanism called Sender Policy Framework (SPF). Whoever maintained Clinton's server didn't enable SPF, so if hackers had access to her account, they would have been able to send emails to anyone and have them appear as if they were sent from Clinton.
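What a missing SPF record looks like to a receiving mail server, as an added example that is not part of the original article: the Python sketch below classifies a domain's published DNS TXT records by SPF posture, following RFC 7208. The domain names and record strings are constructed samples, and `spf_posture` is a hypothetical helper name.

```python
import re

# Meaning of the qualifier on the terminal "all" mechanism (RFC 7208):
# the result a receiver gets for a sending host the record does not list.
POSTURE = {
    "-": "fail: unlisted hosts are explicitly not authorized",
    "~": "softfail: unlisted hosts are probably not authorized",
    "?": "neutral: record gives receivers no guidance",
    "+": "pass: record authorizes every host on the internet",
}

def spf_posture(txt_records):
    """Classify a domain's SPF posture from its DNS TXT record strings."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none: no SPF record, receivers cannot check the sending host"
    if len(spf) > 1:
        return "permerror: multiple SPF records, evaluation fails"
    terms = spf[0].split()[1:]
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            # A bare "all" has the default "+" qualifier.
            return POSTURE[m.group(1) or "+"]
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect: policy is defined by another domain's record"
    # No "all" and no redirect: unlisted hosts get the default neutral result.
    return POSTURE["?"]

# Constructed sample data: TXT record sets for made-up domains.
SAMPLES = {
    "no-spf.example": ["site-verification=constructed-token"],
    "strict.example": ["v=spf1 ip4:192.0.2.10 mx -all"],
    "soft.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "open.example": ["v=spf1 all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.20 -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:16} {spf_posture(records)}")
```

A domain in the "none" state gives receiving servers no list of authorized sending hosts to compare against, which is the condition the article describes.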
"I have no doubt in my mind that this thing was penetrated by multiple foreign powers, to assume otherwise is to put blinders on," Bob Gourley, the chief technology officer at the Defense Intelligence Agency from 2005 to 2008, told Bloomberg.
"If a Sender Policy Framework was not in use, they could send an e-mail that looks like it comes from her to, say, the ambassador of France that says, 'leave the back door open to the residence a package is coming,'" Gourley said. "Or a malicious person could send an e-mail to a foreign dignitary meant to cause an international incident or confuse U.S. foreign policy."
Another concern is that hackers could have conducted a "spear phishing" attack on other top officials from Clinton's account. By spoofing her email address, a hacker could send a personal email that appears to come from Clinton, but when the target opens the email, it would compromise the target's system.
As Bloomberg notes, both the White House and State Department have been hacked by Chinese and Russian hackers using this method.
At least one hacker, who goes by the name Guccifer, was aware of Clinton's private email and its 'consumer grade' domain registrar, Network Solutions, which was a significant liability in itself. In 2010, a year into Clinton's tenure, hundreds of its domains were hacked, with some of the stolen information being redirected to Ukraine, according to The Blaze.
There is no evidence that Clinton's account was compromised in the 2010 hack, but anyone who did hack Network Solutions would have been able to also quietly hijack Clinton's email domain, allowing them to intercept, redirect and spoof her email, reported Wired.
Clinton's personal office spokesman Nick Merrill reassured Bloomberg that she took all the necessary security precautions when setting up her server, including implementing "additional upgrades and techniques ... as they became available."
"There was never any evidence of a breach, nor any unauthorized intrusions," he added.
The problem is, it's unlikely that Clinton's office would have known if hackers exploited the SPF vulnerability.
Merrill wouldn't disclose who maintained Clinton's server security, Bloomberg said.