Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years

Tulsi Gabbard, the director of national intelligence, used the same easily cracked password for different online accounts over a period of years, according to leaked records reviewed by WIRED. Following her participation in a Signal group chat in which sensitive details of a military operation were unwittingly shared with a journalist, the revelation raises further questions about the security practices of the US spy chief.

WIRED reviewed Gabbard’s passwords using databases of material leaked online created by the open-source intelligence firms District4Labs and Constella Intelligence. Gabbard served in Congress from 2013 to 2021, during which time she sat on the Armed Services Committee, its Subcommittee on Intelligence and Special Operations, and the Foreign Affairs Committee, giving her access to sensitive information. Material from breaches shows that during a portion of this period, she used the same password across multiple email addresses and online accounts, in contravention of well-established best practices for online security. (There is no indication that she used the password on government accounts.)

Two collections of breached records published in 2017 (but breached at some previous unknown date), known as “combolists,” reveal a password that was used for an email account associated with her personal website; that same password, according to a combolist published in 2019, was used with her Gmail account. That same password was used, according to records dating to 2012, for Dropbox and LinkedIn accounts associated with the email address tied to her personal website. According to records dating to 2018 breaches, she also used it on a MyFitnessPal account associated with a me.com email address and an account at HauteLook, a now-defunct ecommerce site then owned by Nordstrom.

Records of these breaches have been available online for years and are accessible in commercial databases.

The password associated with all of the accounts in question includes the word “shraddha,” which appears to have personal significance to Gabbard: Earlier this year, The Wall Street Journal reported that she had been initiated into the Science of Identity Foundation, an offshoot of the Hare Krishna movement into which she was reportedly born and which former members have accused of being a cult. Several former adherents told The Journal that they believe Gabbard received the name “Shraddha Dasi” when she was allegedly received into the group. Gabbard’s deputy chief of staff, Alexa Henning, responded to questions from The Journal at the time by posting them on X and accusing the news media of publicizing “Hinduphobic smears and other lies.”

“The data breaches you’re referring to occurred almost 10 years ago, and the passwords have changed multiple times since,” wrote Olivia Coleman, a Gabbard spokesperson, in response to questions from WIRED. “As our deputy chief of staff has already made clear on a number of occasions, the DNI has never and doesn’t have affiliation with that organization. Attempting to smear the DNI as being in a cult is bigoted behavior.”

“Your bigoted lies and smears of a cabinet member and your story fomenting hinduphobia is noted,” wrote Henning in response to a follow-up question about the probability of Gabbard’s password containing the same name she was reportedly received into Science of Identity Foundation with, given her denials that she has ever been affiliated with the group. “This was well litigated during her confirmation hearing so congrats on being about 6 months late to this story. Great job.”

Science of Identity did not respond to a request for comment.

Security experts advise people to never use the same password on different accounts precisely because people often do so. If a password for one account is revealed in a breach, hackers will often attempt to use it to access other accounts controlled by the same person. Reusing passwords is especially dangerous with email, because a compromised email account can be used to reset credentials for other accounts or systems.

The Cybersecurity Infrastructure and Security Agency, the top US government authority on digital security, advises members of the public to use a password manager to generate a different password of at least 16 characters, consisting of random strings of mixed-case numbers, letters, and symbols or at least four unrelated words, for every account they use.

As director of national intelligence, Gabbard oversees the 18 organizations comprising the US intelligence community, including the Central Intelligence Agency and the National Security Agency, and their budget of roughly $100 billion. By statute, she is the principal adviser to the president and the National Security Council on intelligence matters relating to national security, and so is charged with maintaining the security of much of the most sensitive information in the government. The Democratic National Committee, citing a 2019 statement that Syrian dictator Bashar al-Assad was “not the enemy of the United States,” news reports on the support she has enjoyed from Russian state media, and her ties to “conspiracy theorists,” has characterized Gabbard as a “direct threat to our national security.”

Gabbard addressed these criticisms during her Senate confirmation hearings in January.

“Those who oppose my nomination imply that I am loyal to something or someone other than God, my own conscience, and the constitution of the United States, accusing me of being Trump’s puppet, Putin’s puppet, Assad’s puppet, a guru’s puppet, Modi’s puppet, not recognizing the absurdity of simultaneously being the puppet of five different puppet masters,” she said. “The fact is, what truly unsettles my political opponents is I refuse to be their puppet.”
