Campaign chair John Podesta—and an IT staffer—were fooled by a convincing fake.
A new batch of purported Clinton campaign emails released Friday by WikiLeaks includes one apparently showing campaign chairman John Podesta and a Clinton campaign IT staffer falling victim to a password-phishing email disguised as a Google security warning. Observers say this may have been the moment that exposed a huge batch of Clinton campaign emails to the world. At the very least, it represents the type of attack likely involved.
The email, received by Podesta on March 19th of this year, superficially resembled a warning from Google of a suspicious login to Podesta’s account originating in the Ukraine. But it encouraged Podesta to reset his password by clicking on a shortened bit.ly link, rather than on a transparent link to Google itself.
Most remarkably, the email was forwarded to a Clinton IT staffer, Charles Delavan, who failed to spot the trickery.
“This is a legitimate email,” Delavan wrote. “John needs to change his password immediately, and ensure that two-factor authentication is turned on [for] his account.”
In Delavan’s defense, he then provided a link to the real Gmail security-management page. If Podesta had followed that link, and taken the advice to turn on two-factor authentication, the ensuing hack might have been prevented.
Instead, according to an earlier report by Motherboard, the suspicious bit.ly link was clicked twice. It would have taken Podesta not to a Google page, but to a page associated with a Russian hacker known as Fancy Bear, where he may have unwittingly handed over his password. The Fancy Bear bit.ly account has been associated with thousands of attempted and successful hacks, including of Colin Powell and other Clinton staffers.
It may come as a surprise that a mundane (though well-crafted) phishing attack could lie at the root of perhaps the Clinton campaign’s biggest ongoing political headache. The information hackers gleaned from Podesta’s account has triggered a succession of major and minor scandals, including ones regarding Clinton’s paid speeches to Wall Street banks and possible mishandling of classified information.
The news came alongside another explosive email-related development, as FBI director James Comey indicated that he was reviewing additional Clinton emails for possible classified information. The communications under new scrutiny were reportedly obtained through an investigation of former Congressman and Clinton associate Anthony Weiner, not from the phishing attack.
The new revelation also comes two weeks after miscreants accessed Podesta’s Twitter account and iCloud data, possibly because he used the same password, which was leaked in an earlier batch of emails, across multiple services.