• sylver_dragon@lemmy.world · 2 upvotes, 12 downvotes · 20 hours ago

    I’m no fan of the folks at DOGE; but, I feel this bit is important to highlight:

    the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points.

    I know that my own credentials show up in the HaveIBeenPwned database quite a few times. I’ve had the same email address going on three decades now and have been signed up to a lot of services which got breached. The result is that you can find my personal email address and the associated password for whatever service got popped. Does that mean my own security is bad and/or my credentials for anything else are compromised? No, because I use complex, unique passwords everywhere. Yes, if you dig through the data, you can find my username and password for Dungeons and Dragons Online. And that will net you fuck all, because that was the only place I used that password.

    Honestly, this article is more an embarrassment to the person who wrote it than the person it’s about. Anyone who has had the same email address for any significant length of time and has used it to sign up to internet based services has probably had their credentials for some of those sites compromised. Sure, the OpSec and practices of folks in DOGE have been terrible, but all we know is that this user has had their credentials from other sites and services dumped, just like every other victim of such breaches. That’s not news, nor does it reflect on the victims of those breaches. This is just a sad attempt at a hit piece, which only shows the author’s lack of ability to find anything interesting to write about.

    • Telorand@reddthat.com · 11 upvotes · 18 hours ago

      I understand your desire to be charitable or tempered, but this isn’t some random schmuck who made an oopsie and reused a password from a previous database hack.

      This idiot has his dumb fingers in vital government systems, and the fact that he didn’t clean up his security profile before wreaking havoc says a lot about his ability to do his job safely. Thus, I think it is justified to point out the fact that he’s stupid and can’t get his security together, and your charitability is wasted on someone like him.

        • sylver_dragon@lemmy.world · 2 upvotes · 15 hours ago

        I understand your desire to be charitable or tempered, but this isn’t some random schmuck who made an oopsie and reused a password from a previous database hack.

        And nothing we know shows that he did that. Sure, he could have, and maybe he is that bad at security. The whole article is based on the supposition that he is reusing passwords, with no proof provided. If there’s some evidence, then sure, burn the witch. Otherwise, it’s just baseless supposition.

        This idiot has his dumb fingers in vital government systems, and the fact that he didn’t clean up his security profile before wreaking havoc says a lot about his ability to do his job safely.

        There isn’t anything he could have done about past breaches. As I said, my email is still in the HaveIBeenPwned database, not because I didn’t clean up anything, but because I can’t clean up anything. Once those creds have been published, they stay published forever. The only thing you can do is rotate any affected passwords and move on with life.

        And yes, the obvious failures on the DOGE website do speak to poor coding practices. I wouldn’t hire the guy to code anything, but I still think the article is just over-the-top muckraking trying to turn breached credentials into a story which really isn’t there.
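As an added illustration of the "rotate any affected passwords" point above (this is example code, not anything posted in the thread or the Have I Been Pwned project's own code): the Pwned Passwords service lets you check whether a password appears in published breach data without disclosing the password, because the client hashes it locally and sends only the first five hex characters of the SHA-1 to the range endpoint, then matches the returned suffixes at home. The block below simulates both sides of that exchange against a small constructed corpus with made-up counts; the `range_lookup` function stands in for the real `https://api.pwnedpasswords.com/range/{prefix}` request.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for the Pwned Passwords data set. The passwords and
# occurrence counts are made up for this example, not real HIBP figures.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "Password1": 123456,
    "letmein": 98765,
    "dragon2008": 42,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Server side: bucket every hash by its first five hex characters.

    A query only ever names a bucket, so the server learns a 5-char prefix
    shared by many hashes, never the full hash (the k-anonymity model)."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


def range_lookup(index: Dict[str, List[str]], prefix: str) -> str:
    """Simulates GET /range/{prefix}: one 'SUFFIX:COUNT' line per match."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\r\n".join(index.get(prefix.upper(), []))


def pwned_count(password: str, index: Dict[str, List[str]]) -> int:
    """Client side: hash locally, send the prefix, match the suffix at home.

    Returns the breach occurrence count, or 0 if the password was not seen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix).splitlines():
        if not line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0
```

A non-zero count means the password is public and should be rotated wherever it is used; a zero only says it is absent from this corpus, not that it is strong.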

          • Telorand@reddthat.com · 3 upvotes · 15 hours ago

          When was the last time you heard about a vibe coder with unfettered access to government systems getting hacked? Probably never, because the government used to try its best to ensure security policy was followed. But Trump and Elon come along, and all of a sudden, secure info is leaked everywhere.

          I understand your desire to remain skeptical and demand evidence, I do, but I think you’re just throwing your pearls before swine at the end of the day in doing so.

    • can@sh.itjust.works · 8 upvotes · 19 hours ago

      In the event, however, that Schutt used the same or similar credentials in systems or machines during his work at CISA and DOGE, attackers may already have been able to access sensitive information he’s privy to. And as Lee noted, the four dumps from stealer logs show that at least one of his devices was hacked at some point.

      I don’t trust that they have as good password practices as you.

        • sylver_dragon@lemmy.world · 2 upvotes · 15 hours ago

        Fair enough, but absent any evidence that password reuse is leading to a problem, the article is trying to claim that him being the victim of previous breaches is somehow a failure of security on his part. That’s just dumb. Maybe he did reuse passwords and that’s going to cause problems. But, absent any evidence of it, the whole article just comes off as yellow journalism, at best.