Trump’s “Best Security People” Can’t Figure Out Basic Security

by Mike Masnick, from Techdirt (#6W8BA)

This hasn't been a good week for those who believed that Donald Trump would bring in the "best, most competent" people around. Fresh off the revelation that a bunch of the top cabinet and security officials were accidentally sharing classified info with a journalist using Signal on their private phones (rather than, you know, secure government systems), the hits just keep coming.

Next, it came out that Mike Waltz, Trump's National Security Advisor and the person who had added the journalist Jeffrey Goldberg to the illegal Signal group chat, had also left his Venmo friends list wide open:

A Venmo account under the name "Michael Waltz," carrying a profile photo of the national security adviser and connected to accounts bearing the names of people closely associated with him, was left open to the public until Wednesday afternoon. A WIRED analysis shows that the account revealed the names of hundreds of Waltz's personal and professional associates, including journalists, military officers, lobbyists, and others - information a foreign intelligence service or other actors could exploit for any number of ends, experts say.

Among the accounts linked to "Michael Waltz" are ones that appear to belong to Susie Wiles, the White House chief of staff, and Walker Barrett, a staffer on the United States National Security Council. Both were fellow participants in a now-infamous Signal group chat called "Houthi PC small group."

Oopsie.

While this is hardly the first time a politician left their Venmo info exposed, we're not talking about some random congressman's late-night pizza orders - this is the National Security Advisor, whose entire job revolves around protecting sensitive information. You'd think having even basic operational security would be, you know, a job requirement.

Hell, you might think that the National Security Advisor, of all people, would have someone on staff whose job includes making sure his digital pants are zipped. But that would require caring about security basics in the first place.

But Waltz's carelessness isn't isolated. Last month, it was revealed that Defense Secretary Pete Hegseth left his Venmo exposed as well. And on Thursday, Wired found that many others in the "bomb the Houthis" Signal chat group have been walking around with their digital pants down - more members had left their Venmo info exposed in ways that created massive security risks.

A number of top Trump administration officials - including four who were on a now-infamous Signal group chat - appear to have Venmo accounts that have been leaking data, including contacts and in some cases transactions, to the public. Experts say this is a potentially serious counterintelligence problem that could allow foreign intelligence services to gain insight into a target's social network or even identify individuals who could be paid or coerced to act against them.

The officials in question include Dan Katz, chief of staff at the US Treasury; Joe Kent, President Donald Trump's nominee for director of the National Counterterrorism Center; and Mike Needham, counselor and chief of staff to the secretary of State. All three were participants in the "Houthi PC small group" chat in which sensitive attack plans were discussed and to which Jeffrey Goldberg, editor in chief of The Atlantic, was accidentally invited. Katz was named in it as a point of contact by Scott Bessent, the Treasury secretary; Kent by Tulsi Gabbard, the director of national intelligence, to whom Kent serves as acting chief of staff; and Needham by Marco Rubio, the secretary of State.

It gets worse.

As if the Venmo exposure wasn't bad enough, the German newspaper Spiegel dropped another bombshell this week: they found private data - including actual passwords - for these same officials just sitting exposed on the internet. And we're not talking about old, abandoned accounts.

Private contact details of the most important security advisers to U.S. President Donald Trump can be found on the internet. DER SPIEGEL reporters were able to find mobile phone numbers, email addresses and even some passwords belonging to the top officials.

To do so, the reporters used commercial people search engines along with hacked customer data that has been published on the web. Those affected by the leaks include National Security Adviser Mike Waltz, Director of National Intelligence Tulsi Gabbard and Secretary of Defense Pete Hegseth.

Now, some might argue that everyone's data gets leaked eventually. But there's a world of difference between your average person's old MySpace password getting exposed and what we're seeing here. These are our top national security officials, using current credentials that provide access to their most sensitive communications - including, as the Spiegel report notes, their Signal phone numbers:

Most of these numbers and email addresses are apparently still in use, with some of them linked to profiles on social media platforms like Instagram and LinkedIn. They were used to create Dropbox accounts and profiles in apps that track running data. There are also WhatsApp profiles for the respective phone numbers and even Signal accounts in some cases.

This matters a lot. While Signal's encryption remains secure, foreign adversaries (particularly the Russians) have found a much simpler way in: exploiting Signal's "linked devices" feature. It's not a technological hack - it's old-fashioned social engineering that preys on user carelessness. The feature lets you use Signal on multiple devices (like your phone and computer), but if attackers can trick someone into "linking" a device they control, they can read all of that person's messages. With the phone numbers and other data now exposed, staging such attacks becomes dramatically easier.

Indeed, just days before the "bomb the Houthis" Signal chat happened, the Defense Department had warned everyone to beware of this kind of attack on those who use Signal.

Whoops.

Spiegel found that both Waltz and Director of National Intelligence Tulsi Gabbard (yes, that's right - the person in charge of coordinating all US intelligence activities) had active Signal accounts linked to their exposed phone numbers:

Tulsi Gabbard has declined to comment. DER SPIEGEL reporting has demonstrated, though, that privately used and publicly accessible telephone numbers belonging to her and Waltz are, in fact, linked to Signal accounts.

Let's break this down: The two officials most responsible for America's intelligence security (1) were using Signal to illegally discuss information that should have been classified, (2) had their phone numbers and other personal data exposed online, including in Waltz's case, about his social circle, and (3) kept using those same compromised accounts even after being warned about potential attacks.

Seems... not great.

There's a particular irony in watching an administration that campaigned against the "deep state" bureaucracy and "DEI hires" while promising to bring in only the "best people" install national security officials who can't figure out basic privacy settings. The "deep state" types, whatever their faults, at least knew how to use secure government communication systems. (And probably knew better than to add journalists to their classified chat groups.)

These aren't just embarrassing gaffes or fodder for tech journalists. They're potentially devastating vulnerabilities in our national security apparatus, created by the very people tasked with protecting it. When your National Security Advisor and Director of National Intelligence are ignoring basic security practices that every corporate IT department requires of entry-level employees, something has gone deeply wrong with your hiring practices.

Perhaps we should consider bringing back DEI, since the people in charge sure seemed a lot more competent back then. At the very least, they knew how to lock down their Venmo accounts.
