All it took was someone clicking a link on their phone while they were half asleep.
Whenever a high-level hacking incident takes place, reading about it often triggers images from a James Bond or Jason Bourne movie, with secret servers, hidden code, and shadowy characters in hoodies. But most of the time, it is so prosaic that it sounds like something we have all probably experienced dozens of times. Only much, much worse.
Have you ever gotten an email that asks you to reset your Google e-mail password, your Apple ID, or your banking login info? You look at it on your phone, or when you are half asleep, and it looks legit, so you click the button. And then all hell breaks loose.
In most cases, these phishing attempts might lead to an awkward phone call with your bank, which then has to eat some losses and reset your credit card. Or maybe you have to send a message to your relatives saying no, you are fine, and that wasn’t actually you who asked for the money, thanks.
Get Data Sheet, Fortune’s technology newsletter, where this essay originated.
In the case of the U.S. Democratic National Committee, however, similar behavior led to the leaking of thousands of emails from John Podesta, chairman of Hillary Clinton’s presidential campaign.
According to a feature in The New York Times about the Russian connection to this hack, one Clinton staffer clicked the email at 4 a.m. in Hawaii and entered password info, giving the hackers—whose FBI codename was “The Dukes”—access to all his files. Podesta himself did the same thing after a staffer mistakenly said the email was legitimate.
And that’s about all it took for 60,000 of Podesta’s emails and thousands of others to come spilling out onto the Internet. The resulting furor, some believe, helped swing the election for Donald Trump. It wouldn’t fly in a Bond film, but it was more than enough to do the job.