The 21st email release included the actual March 19, 2016, email which provided the hackers with Podesta’s password.
Podesta had received an email claiming to be from Google, warning him that someone in Ukraine had obtained his password and that he was required to change it. The form it linked to, however, was not Google's but belonged to a site mirroring the internet giant; once the password was unthinkingly reset there, the site sent his new password to the hacker.
The phishing email came from email@example.com, which is not actually Google.
— Alexander Higgins (@kr3at) October 28, 2016
The initial email read as follows:
“Someone just used your password to try to sign in to your Google Account firstname.lastname@example.org.
Details: Saturday, 19 March, 8:34:30 UTC
IP Address: 18.104.22.168
Google stopped this sign-in attempt. You should change your password immediately.”
“Sara, This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on his account,” wrote Charles Delavan, a Hillary for America help desk staffer, to Sara Latham, Podesta’s chief of staff.
Latham quickly sent a panicked email to Podesta and copied the Hillary for America tech manager Michael Fisher, who, ironically, used to work at Google and should have immediately known that the email was a simple phishing attack.
“The gmail one is REAL Milia, can you change — does JDP have the 2 step verification or do we need to do with him on the phone? Don't want to lock him out of his in box!”
Given that we are now reading these emails, we can assume that Podesta took some poor advice.