The FBI Director's Email and Why Your Password Hasn't Changed Since 2019
Or: How a Gmail account compromised in 2019 became a national security liability in 2026.
The Setup
In late 2024, Kash Patel, just weeks away from being appointed FBI Director, was warned by officials that his communications were being targeted by Iranian actors.
He did nothing.
Six weeks ago, the Handala Hack Team (pro-Iranian, pro-Palestinian) published a trove from his Gmail account. Not state secrets. Not classified intelligence. Personal emails, photos of him smoking cigars in a convertible, metadata from his digital life going back to at least 2010.
The FBI’s response: “We are aware of malicious actors targeting Director Patel’s personal email information, and we have taken all necessary steps to mitigate.”
Translation: We knew. We warned him. He ignored the warning. Now the damage is permanent, and we’re doing damage control.
Let that sink in. The FBI Director, the man charged with protecting the nation’s law enforcement apparatus, received a specific, credible warning that a state actor was targeting his email. And he did not rotate his password. Did not enable multi-factor authentication. Did not close the account. Did not change anything.
Then the breach happened exactly as predicted.
Here’s the Part That Should Terrify You
Patel didn’t get breached because of a zero-day or a sophisticated supply-chain attack.
He got breached because his email was linked to an old compromise, likely from a 2019 breach that he never properly remediated. The kind of breach that gets a notification email from Google, gets filed in the spam folder, and then disappears from memory.
From there, Handala either:
- Used credential stuffing (automated, cheap, effective)
- Cracked a weak password (or one that hadn’t changed in years)
- Exploited the absence of multi-factor authentication
Pick one. All three are depressingly common for people who think “it won’t happen to me.”
The FBI Director thought that too.
Why This Matters: The Seam Between Personal and Professional
Here’s where institutions lie to themselves:
The Official Story: “This is his personal email. No government information was compromised.”
The Reality: There is no such thing as a “personal” email for someone at his level.
That Gmail account contains:
- His contacts (other officials, advisors, family)
- His travel patterns (where he’s been, when, who he met)
- His decision-making preferences (what he cares about, who he trusts)
- His vulnerabilities (financial stress? health issues? family drama?)
A state actor with that metadata doesn’t need your classified documents. They have your psychological profile. They know how to pressure you, manipulate you, or publicly embarrass you into irrelevance.
Which brings us to the second payload.
The Information Operation: “Dox and Mock”
Handala didn’t just steal data. They published selected pieces designed to humanise, and de-authorise, the head of federal law enforcement.
Photos of Patel:
- Smoking cigars
- Sniffing rum
- Riding in an antique convertible
- Making a mirror selfie
These images are already viral in certain circles. The message is clear: Your supreme law enforcement official is a regular guy with hobbies, and we can reach him whenever we want.
It’s not a traditional cyber attack. It’s a reputation strike. The goal isn’t data theft; it’s institutional prestige erosion.
And it works.
The Broader Campaign
Handala didn’t stop with Patel.
Earlier this month, the group claimed credit for disrupting systems at Stryker, a Michigan-based medical technology company. Combined with the Patel breach, you’re looking at a coordinated campaign targeting both US leadership and critical infrastructure.
The group identifies itself as pro-Iranian, pro-Palestinian. The timing suggests a doctrine: “Symmetric personal retaliation.”
When the US strikes physical targets in West Asia, Iran-linked actors strike the personal digital lives of US officials and the supply chains they depend on. It’s low-cost, it bypasses the Pentagon, and it’s psychologically corrosive.
Now Apply This to You
Here’s the uncomfortable part: If it can happen to the FBI Director, it will happen to you, unless you do three things.
1. Stop Reusing Passwords
Patel’s Gmail breach likely traces back to a 2019 compromise from some forgotten service he used once. The password was probably the same one he used elsewhere. Credential stuffing did the rest.
Your move: Use a password manager. Generate unique, 20+ character passwords for every account. No reuse. Ever. It takes 5 minutes to set up and saves you from inheriting someone else’s 2019 breach.
2. Enable Multi-Factor Authentication (MFA)
Even if your password leaks, MFA stops the breach cold. You need a second factor—a code from your phone, a hardware key, a biometric scan.
Your move: Enable MFA on every account that matters: email, banking, cloud storage, work systems. Prioritise email first (it’s the master key). Don’t use SMS if your provider offers an authenticator app or hardware key.
3. Rotate Passwords Annually
This is the unglamorous one nobody does. But here’s the math: if you haven’t changed your password in five years, and there’s a 2019 breach of some service you used, you’re still vulnerable right now.
Your move: Set a calendar reminder. Every January 1st, rotate your top 5 passwords: email, banking, work, cloud storage, password manager. It’s boring. It works.
Why Institutions Won’t Fix This
The FBI has the world’s best security tools. What it lacks is discipline.
You can’t automate password rotation. You can’t mandate MFA without user friction. You can’t force someone to care about a breach notification from 2019.
When the dust settles, the FBI will announce a new CISO, launch a “cybersecurity modernisation initiative,” and hold congressional hearings. None of that fixes Patel’s mistake, because his mistake wasn’t technical.
It was human. And it’s contagious.
The Real Lesson
You are not a state actor’s primary target. But you are valuable collateral:
- Your email is a vector into your employer’s network
- Your credentials are commodities in bulk leak databases
- Your “personal” data is intelligence once someone has it
The difference between the FBI Director and you isn’t the sophistication of the attack. It’s that the FBI Director can absorb the hit. You probably can’t.
So start with the three things above. Not because you’re paranoid. But because Kash Patel just proved that institutional prestige isn’t a shield.
Neither is apathy.
The Bigger Picture: “Symmetric Personal Retaliation”
Handala isn’t operating in isolation. Earlier this month, the group claimed credit for disrupting systems at Stryker, a Michigan-based medical technology company.
Combined with the Patel breach, you’re seeing the birth of a new doctrine in state-sponsored cyber operations: “Symmetric Personal Retaliation.”
When the US strikes physical targets in West Asia, Iran-linked actors don’t retaliate by hitting military networks or critical infrastructure (though they do that too). They hit the personal digital lives of US leadership. They hit the supply chains that keep the American economy moving. They leak the photos, the emails, the metadata that makes a government official look reachable and human.
It’s low cost. It bypasses the Pentagon. It’s psychologically corrosive. And most importantly: it works. Because it exploits the exact same discipline gap that let the FBI Director’s email get compromised in the first place.
The US has the best defensive tools in the world. What it lacks is the will to use them. What you lack is the time to be complacent.
What You Should Do Monday Morning
- Audit your email. Search your inbox for breach notifications from the past 5 years. If you find one and didn’t change your password, do it now.
- Enable MFA on your email. All of it. This is the single highest-ROI security move you can make.
- Check your passwords in your password manager (or write them down). How many are the same as they were in 2019?
If the answer is “more than zero,” you’re one credential-stuffing attack away from becoming a case study.
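The password check in the list above can be run as a script. This is an added example, not part of the original post: it audits a password manager CSV export for reused passwords, entries unchanged since before 2020, passwords under the 20-character target, and accounts without MFA. The export text is constructed sample data and the column names (`name`, `username`, `password`, `last_changed`, `mfa`) are assumptions, since real exports differ by product.

```python
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date

# Constructed sample export. Column names are assumptions; real password
# manager exports differ, so map your own columns onto these.
SAMPLE_EXPORT = """name,username,password,last_changed,mfa
Personal email,me@example.com,Summer2019!,2019-03-14,no
Old forum,me@example.com,Summer2019!,2018-11-02,no
Bank,me@example.com,kV9#tq2LwzP8rY4mXc7B,2025-01-01,yes
Cloud storage,me@example.com,fH3$nd8QaZr5uT1wEo6J,2019-12-30,yes
"""

def audit(export_csv, cutoff=date(2020, 1, 1), min_length=20):
    """Flag reused, stale (unchanged since before cutoff), short and no-MFA entries."""
    by_digest = defaultdict(list)
    findings = {"reused": [], "stale": [], "short": [], "no_mfa": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["name"]
        # Compare digests so plaintext passwords never end up in the report.
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        by_digest[digest].append(name)
        if date.fromisoformat(row["last_changed"]) < cutoff:
            findings["stale"].append(name)
        if len(row["password"]) < min_length:
            findings["short"].append(name)
        if row["mfa"].strip().lower() != "yes":
            findings["no_mfa"].append(name)
    findings["reused"] = [sorted(names) for names in by_digest.values() if len(names) > 1]
    return findings

def priority(findings):
    """Accounts that are both reused and stale: the credential-stuffing profile."""
    reused = {n for group in findings["reused"] for n in group}
    return sorted(reused & set(findings["stale"]))

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for kind, items in report.items():
        print(f"{kind}: {items}")
    print("fix first:", priority(report))
```

Run it against a local export only, and delete the export file afterwards, since it holds every password in plaintext.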
Don’t wait for the warning. You already got it.
I run sovereign infrastructure on the Isle of Man and think about this stuff professionally.