Full Report
A WIRED review shows national security adviser Mike Waltz, White House chief of staff Susie Wiles, and other top officials left sensitive information exposed via Venmo—until WIRED asked about it.
Analysis Summary
# Incident Report: Exposure of Sensitive Contacts via Public Venmo Accounts
## Executive Summary
A security and counterintelligence exposure was discovered in which public Venmo accounts associated with senior US administration officials, including one linked to "Michael Waltz," revealed friend lists comprising hundreds of personal and professional associates, among them other high-ranking officials, military personnel, and lobbyists. Although no direct exploitation was evidenced, this visibility gives potential adversaries a searchable map of sensitive relationships and significantly increases counterintelligence risk. The exposure was mitigated after WIRED's inquiry prompted the responsible parties to immediately lock down their privacy settings.
## Incident Details
- **Discovery Date:** Wednesday afternoon (implied, following WIRED's analysis and subsequent inquiry).
- **Incident Date:** Prior to Wednesday afternoon (the public exposure existed before discovery).
- **Affected Organization:** Associated with senior personnel within the US Administration/National Security apparatus (e.g., officials linked to White House/NSC).
- **Sector:** Government/National Security/Political.
- **Geography:** United States.
## Timeline of Events
### Initial Access
- **Date/Time:** Unspecified, prior to Wednesday afternoon.
- **Vector:** Misconfiguration of Venmo privacy settings (failure to opt out of sharing contact lists publicly).
- **Details:** A Venmo account under the name "Michael Waltz" (with a profile photo of the National Security Adviser) and another linked to Susie Wiles were left configured to publicly display their entire list of friends/contacts.
### Lateral Movement
- *Not applicable in the traditional sense of network intrusion; the movement was through association mapping revealed by public data.*
- **Details:** WIRED analysis connected the exposed friend lists to other high-profile figures, including the White House Chief of Staff (Susie Wiles) and NSC staffer Walker Barrett, mapping out an interconnected network of influential individuals.
### Data Exfiltration/Impact
- **What was stolen or damaged:** No direct data exfiltration was reported, but the *exposure* of relationships constituted a significant **counterintelligence risk**. The data exposed included the names of hundreds of associates across media, military, lobbying, and political sectors.
### Detection & Response
- **How it was discovered:** A WIRED analysis, following up on a separate Signal group chat breach involving strike plans, reviewed the public data available on these Venmo accounts.
- **Response actions taken:** Following WIRED's inquiry, the privacy settings on the Venmo accounts associated with Waltz and Wiles were immediately changed to hide their friend lists. (Separate related accounts linked to Pete Hegseth were also later deleted.)
## Attack Methodology
- **Initial Access:** Misconfiguration/negligence (failure to opt out of the public friend-list setting).
- **Persistence:** N/A (This was a static exposure of stored data, not active persistence).
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A
- **Discovery:** N/A (No evidence of malicious actor reconnaissance leading to discovery; discovery was by journalistic analysis).
- **Lateral Movement:** N/A (Association mapping by analyst).
- **Collection:** WIRED analysts collected the public friend lists from the exposed Venmo profiles.
- **Exfiltration:** N/A (No evidence of adversary exfiltration).
- **Impact:** Major counterintelligence risk due to the mapping of sensitive personal and professional relationships.
## Impact Assessment
- **Financial:** Unspecified; potentially high due to remediation and investigation costs if exploited.
- **Data Breach:** Exposure of contact lists (names and associations) of hundreds of individuals connected to senior US political and national security personnel.
- **Operational:** Minimal direct operational disruption, but severe risk to personnel security and counterintelligence posture.
- **Reputational:** Significant negative press for the administration regarding personnel security habits, following related incidents involving the Signal chat.
## Indicators of Compromise
*Note: As this was a configuration error resulting in public data exposure, traditional malicious IoCs are not applicable. The primary "Indicators" relate to the exposed data patterns.*
- **Network indicators:** N/A (No malicious domains/IPs involved in the exposure mechanism).
- **File indicators:** N/A
- **Behavioral indicators:** Visible, public Venmo "friend lists" for accounts linked to senior officials.
## Response Actions
- **Containment measures:** Privacy settings on the exposed Venmo accounts were immediately switched from public to private/hidden upon notification.
- **Eradication steps:** N/A (The vulnerability was the setting itself, which was immediately corrected).
- **Recovery actions:** Personnel using these platforms should be instructed to review and restrict all third-party data visibility options.
## Lessons Learned
- **Key takeaways:** Critical personnel managing sensitive roles must review the privacy settings of all personal/professional consumer applications, as default settings or user oversight can create significant external intelligence vulnerabilities.
- **What could have been done better:** Proactive organizational security mandates regarding the use of consumer apps for anything related to professional contacts or sensitive associations.
## Recommendations
- Mandate comprehensive training for senior officials and their immediate staff on the security implications of consumer-grade applications (e.g., Venmo, Signal defaults).
- Conduct internal audits of personal device and application settings for all personnel handling sensitive information to ensure maximum privacy settings are enforced.
- Review policies restricting the use of encrypted messaging apps (like Signal) for non-public defense information, especially when they are used from personal accounts whose contact lists may already be exposed.