The personal phone number of Defense Secretary Pete Hegseth was publicly available online as recently as March, raising concerns about potential risks to national security due to its accessibility on platforms like WhatsApp, Facebook, and a fantasy sports website. This number was reportedly used by Hegseth in a Signal chat to share details on U.S. military operations against the Houthi militia in Yemen.
Experts in cybersecurity commented that the communications devices used by someone in Hegseth’s position are usually among the most safeguarded assets in matters of national security.
“There’s no doubt that attempts have been made to install spyware like Pegasus on his phone,” remarked Mike Casey, the former director of the National Counterintelligence and Security Center, in a discussion. “He’s likely among the top five individuals in the world targeted for espionage.”
Emily Harding, a defense and security specialist at the Center for Strategic and International Studies, commented, “The secretary of defense’s phone number should not be easily accessible to the public.”
There was no response from Pentagon spokesman Sean Parnell regarding the matter.
Hegseth’s use of Signal for discussing military actions in Yemen came to light last month when an editor from The Atlantic mentioned he had been mistakenly added to a secure chat with senior U.S. officials. A report by The New York Times revealed that Hegseth shared sensitive information in a Signal group chat that included family members as well.
Shortly after details of the initial Signal chat about Yemen emerged in March, the German news outlet Der Spiegel reported finding Hegseth’s phone number, along with those of other high-ranking Trump officials, listed on the internet.
Experts pointed out that Hegseth’s personal phone number being easily accessible through commercial data providers is not surprising, considering he was a private citizen before being appointed to oversee the Pentagon, which operates on an $849 billion annual budget and employs nearly three million people.
These days, it’s not uncommon for government officials to retain their personal cellphones upon taking office, as noted by several defense and security officials. However, they should refrain from using them for official tasks, an issue Hegseth fell into.
Even lower-level government employees are advised against using personal devices for work purposes, according to current and former officials who requested anonymity to discuss sensitive topics.
For high-ranking national security officials, adhering to this guideline is even more critical, said one former senior Pentagon official.
Hegseth maintained a strong social media presence, with an active WhatsApp profile and a Facebook account, which he continues to have.
On August 15, 2024, he registered on Sleeper.com, a fantasy sports site, under the username “PeteHegseth,” using his personal phone number. Less than two weeks later, a phone number associated with his wife, Jennifer, also signed up on the platform. She was part of one of the Signal chats concerning the military operations.
Hegseth also left other digital traces, using his phone to sign up for services like Airbnb and Microsoft Teams, which is used for video meetings. His phone number is linked to an email address associated with a Google Maps profile, where he has shared reviews for various businesses, including a dentist (“The staff is amazing”), a plumber (“Fast, honest, quality work”), and a mural painter (“Painted 2 beautiful flags for us — spot on”). (Google Maps street view blurs out the image of Hegseth’s former residence.)
“By using your phone for regular daily tasks, you create a highly visible digital footprint that even a moderately savvy entity, let alone a malicious actor, could follow,” said Glenn S. Gerstell, a former general counsel for the National Security Agency.
In comparison, government-issued phones are significantly more secure, equipped with stringent controls for safeguarding official communications.
By using this same number on Signal to share sensitive information, such as the precise takeoff times for American airstrikes in Yemen, Hegseth made himself and potentially the pilots vulnerable to foreign adversaries who are known to possess hacking capabilities against U.S. officials, whether the communication is encrypted or not.
“Phone numbers are akin to a street address indicating which house to target,” stated cybersecurity expert James A. Lewis. “Once someone has the address, they can approach the house, and even if there are locks on the doors, they consider, ‘Do I have the means to bypass or break through these locks?’”
Countries like China and Russia, as well as potentially Iran, have these capabilities, according to several cybersecurity analysts.
Last year, a series of reports highlighted how a sophisticated Chinese intelligence faction, referred to as Salt Typhoon, infiltrated at least nine U.S. telecommunications companies. Investigators noted that targeted communications included commercial, unencrypted phone lines used by former President Trump, Vice President JD Vance, and senior national security officials.
Gerstell mentioned that while he was unaware of any attacks on Hegseth’s phone, personal devices are generally much more susceptible than those issued by the government.
“It’s feasible, with some effort, for someone to covertly take control of a phone once they have the number, especially if a malicious link is clicked,” Gerstell explained. “When highly skilled malicious actors, like those from Russia or China, are involved, phones can be compromised even without user interaction.”
Cybersecurity specialists stated that more than 75 countries possess the capability to conduct such attacks.
In the last ten years, many entities have obtained commercial spyware. Among the most advanced spyware tools is Pegasus, which utilizes “zero-click” technology. This allows it to surreptitiously access and extract all information from a target’s mobile device without requiring the user to click on any harmful link. Consequently, it can transform a mobile phone into a tool for tracking and covertly recording, effectively spying on its owner.
Signal is known for its encryption, providing a strong level of security for a commercial messaging service. However, if malware is installed on a device, such as a keylogger or keystroke capture software, it could enable a hacker or nation-state to see everything someone types, even when using an encrypted app, according to former officials.
For instance, regarding Mr. Hegseth’s use of Signal to discuss plans for a strike in Yemen, cybersecurity experts indicate that spyware on his device could potentially capture what he typed or read before he pressed “send.” This is because Signal encrypts messages at the points of sending and receiving.
One individual aware of the Signal discussions mentioned that Mr. Hegseth’s aides had cautioned him just a day or two prior to the Yemen strikes on March 15 against sharing sensitive operational information in his group chat. Despite its encryption, this chat was deemed less secure than official government communication channels.
It remains uncertain how Mr. Hegseth reacted to those advisories.
Additionally, Mr. Hegseth had Signal installed on a computer in his Pentagon office to send and receive messages in a location where personal cell phones are prohibited, according to two sources familiar with the situation. He reportedly has two computers in his office, one for personal tasks and another that is issued by the government.
“I am certain that Russia and China are monitoring the secretary of defense’s cellphone,” remarked Representative Don Bacon, a Republican from Nebraska, who has suggested that Mr. Hegseth should be dismissed, during an interview with CNN this week.
Christiaan Triebert reported from New York, while Greg Jaffe in Washington provided additional reporting, and Sheelagh McNeill assisted with research.
