Defense Secretary Pete Hegses' personal phone number, used in recent signal chats, was recently easily accessible via the internet and public apps in March, potentially exposing national security secrets to foreign enemies.
Phone numbers can be found on a variety of locations, including WhatsApp, Facebook, and fantasy sports sites. It was the same number that the Secretary of Defense used the Signal Commercial Messaging app to disclose flight data for the US strike in Yemen's Houthi militia.
Cybersecurity analysts said the US Secretary of Defense's communications equipment is usually one of the most protected national security assets.
“There's zero chance that someone isn't trying to install Pegasus or any other spyware on their phones,” Mike Casey, former director of the National Center for Anti-Intelligence and Security, said in an interview. “He's one of the top five and perhaps the most targeted people in the spy world.”
Emily Harding, a defense and security expert at the Center for Strategic and International Studies, added: “I don't want the Secretary of Defense phone number to be there and available to anyone.”
Sean Parnell, the Pentagon's chief spokesman, did not respond to a request for comment.
The use of Hegses' signals to convey details of Yemen's military strikes first surfaced last month when an Atlantic editor wrote an article that apparently happened to have been added to a encrypted chat between US government officials. The New York Times reported this week that Heggs included sensitive information about the strike of the signal group chat, which set up his wife and brothers, among other things.
Shortly after the initial signal chat about Yemen's release in March, German news publication der Spiegel found telephone numbers for Hegzes and other senior Trump officials on the internet.
It's not surprising that Hegseth's private mobile phone number is easily available through commercial providers of contact information, security experts said. After all, Hegses announced that then-presidential election Donald J. Trump hopes former National Guardman and Fox News weekend anchor will run the Pentagon, a $84.9 billion company with nearly three million employees.
Several defense attorneys and security guards said in interviews that it has become a routine for government officials to maintain personal mobile phones when they take office. But as Hegses did, they are not expected to use them for official business.
Even low-level government workers have been instructed not to use personal mobile phones or laptops for work-related issues, according to current and former government officials who spoke about the terms of anonymity to discuss confidential information.
The directive is even more important to senior national security authorities, said a former Pentagon official.
Hegseth had a key social media presence, a WhatsApp profile and a Facebook page.
On August 15, 2024, he joined the fantasy football and sports betting site Sleeper.com using his personal phone number and username “Petehegseth.” Within two weeks, a phone number related to my wife Jennifer also joined the site. She was included in one of two signal chats about the strike.
Hegseth also left other digital bread crumbs to use his phone to register with Airbnb and Microsoft teams, video and communications programs.
Hegseth's number is also linked to the email address linked to his Google Maps profile. Hegseth's reviews on Google Maps include dentist support (“staff is amazing”), plumbers (“fast, honest, quality work”), mural painter (“drawn two beautiful flags for us”), and other businesses. (Google Maps Street View obscures Hegseth's previous home.)
“When using mobile phones for normal daily activities, even moderately sophisticated people leave a very visible digital pathway, let alone malicious actors,” said Glenn S. Gerstel, a former advisor to the National Security Agency.
In contrast, government mobile phones are much safer as they are equipped with strict government controls to protect official communications.
Using the same phone number as a signal, he discussed the exact time American fighter pilots would take off for strikes in Yemen and other sensitive issues, and heggess opened them up to foreigners who potentially showed the ability to hack American officials with the potential, security experts said.
“A phone number is like a street address that tells you which house to break into,” said James A. Lewis, a cybersecurity expert. “Once you get your street address, you'll arrive at the house and there might be a lock above the door. You might ask yourself, “Do you have any tools to bypass or break the lock?” ”
That's true for China and Russia, and Iran likewise for a few cybersecurity experts said.
Last year, a series of revelations showed that the sophisticated Chinese intelligence group of salt-era, had penetrated deeply into at least nine US telecommunications companies. Investigators said some of the targets were commercial, unencrypted telephone lines used by Trump, Vice President J.D. Vance and national security officials.
Garstell said he has no knowledge of Hegses' phone call or whether it was the target of the attack. However, personal phones are usually far more vulnerable than government-issued mobile phones.
“If you have the numbers assuming someone clicked on something malicious, it would be mildly difficult for someone to take over the phone in a secret way,” Garstell said. “And when you're really sophisticated bad guys involved, like Russia or China, you can get infected with the phone without clicking anything.”
Cybersecurity experts said over 75 countries have acquired commercial spyware within the past decade. The most sophisticated spyware tools like Pegasus feature “zero click” technology. This means that users can stealthily extract everything from the target phone remotely without clicking a malicious link to provide remote access for Pegasus. You can turn your phone into a tracking and secret recording device, allowing your phone to spy on its owner.
Signals are encrypted apps and commercial messaging services are considered to be extremely secure. But malware that has installed keyloggers or keystroke capture codes on your phone can read hackers or national state status on your phone, former officials said.
If Hegseth used signals to discuss Yemen's strike plans, his phone's spyware could potentially see what he was typed or read before he hit “send”.
Those familiar with signal conversations said that Hegses' aide warned him not to discuss details of such delicate operations in his group chat one or two days before Yemen attacked on March 15th. The chat was encrypted, but not as secure as government channels.
It was unclear how Hegseth responded to these warnings.
Hegseth also had a signal installed on a computer in his office at Pentagon, allowing personal mobile phones to send and receive instant messages in unauthorized spaces, according to two people with knowledge of the matter. He has two computers in his office. One is for personal use and the other is issued by the government.
“I guarantee you that Russia and China are everywhere on the Secretary of Defense's mobile phones,” Nebraska Republican leader Don Bacon told CNN this week that he had suggested that Hegses should be fired.
Christian Triebert Reported from New York. Greg Jaffe In Washington, he contributed to the report. Sheila McNeill Contributed research.
