Hegseth’s Personal Phone Use Created Vulnerabilities, Analysts Say


Defense Secretary Pete Hegseth’s personal phone number, the one used in a recent Signal chat, was easily accessible on the internet and public apps as recently as March, potentially exposing national security secrets to foreign adversaries.

The phone number could be found in a variety of places, including WhatsApp, Facebook and a fantasy sports site. It was the same number through which the defense secretary, using the Signal commercial messaging app, disclosed flight data for American strikes on the Houthi militia in Yemen.

Cybersecurity analysts said an American defense secretary’s communications device would usually be among the most protected national security assets.

“There’s zero percent chance that someone hasn’t tried to install Pegasus or some other spyware on his phone,” Mike Casey, the former director of the National Counterintelligence and Security Center, said in an interview. “He is one of the top five, probably, most targeted people in the world for espionage.”

Emily Harding, a defense and security expert at the Center for Strategic and International Studies, added: “You just don’t want the secretary of defense’s phone number to be out there and available to anyone.”

The chief Pentagon spokesman, Sean Parnell, did not respond to a request for comment.

Mr. Hegseth’s use of Signal to convey details of military strikes in Yemen first surfaced last month when the editor of The Atlantic wrote an article that said he had been added, apparently accidentally, to an encrypted chat among senior U.S. government officials. The New York Times reported this week that Mr. Hegseth included sensitive information about the strikes in a Signal group chat he set up that included his wife and brother, among others.

Soon after the first Signal chat about Yemen became public in March, Der Spiegel, the German news publication, found the phone numbers of Mr. Hegseth and other senior Trump officials on the internet.

That Mr. Hegseth’s private cellphone number was easily available through commercial providers of contact information is not surprising, security experts said. After all, Mr. Hegseth was a private citizen until Donald J. Trump, who was then the president-elect, announced that he wanted the former National Guardsman and Fox News weekend anchor to run the Pentagon, an $849 billion-a-year enterprise with close to three million employees.

It has now become routine for government officials to keep their personal cellphones when they enter office, several defense and security officials said in interviews. But they are not supposed to use them for official business, as Mr. Hegseth did.

Even low-level government workers are instructed not to use their personal cellphones and laptops for work-related matters, according to current and former government officials, who spoke on the condition of anonymity to discuss sensitive information.

For senior national security officials, the directive is even more crucial, one former senior Pentagon official said.

Mr. Hegseth had a significant social media presence, a WhatsApp profile and a Facebook page, which he still has.

On Aug. 15, 2024, he used his personal phone number to join Sleeper.com, a fantasy football and sports betting site, using the username “PeteHegseth.” Less than two weeks later, a phone number associated with his wife, Jennifer, also joined the site. She was included in one of the two Signal chats about the strikes.

Mr. Hegseth also left other digital breadcrumbs, using his phone to register for Airbnb and Microsoft Teams, a video and communications program.

Mr. Hegseth’s number is also linked to an email address that is in turn linked to a Google Maps profile. Mr. Hegseth’s reviews on Google Maps include endorsements of a dentist (“The staff is amazing”), a plumber (“Fast, honest, and quality work”), a mural painter (“Painted 2 beautiful flags for us — spot on”) and other businesses. (Google Maps street view blurs out Mr. Hegseth’s former home.)

“If you use your phone for just ordinary daily activities, you are leaving a highly, highly visible digital pathway that even a moderately sophisticated person, let alone a nefarious actor, can follow,” said Glenn S. Gerstell, a former general counsel for the National Security Agency.

Government cellphones, by contrast, are far more secure because they are fitted with rigorous government controls meant to protect official communications.

In using that same phone number on Signal to discuss the exact times that American fighter pilots would take off for strikes in Yemen and other sensitive matters, Mr. Hegseth opened himself — and, potentially, the pilots — to foreign adversaries who have demonstrated their abilities to hack into accounts of American officials, encrypted or not, security experts said.

“Phone numbers are like the street address that tell you what house to break into,” said James A. Lewis, a cybersecurity expert. “Once you get the street address, you get to the house, and there might be locks on the doors, and you ask yourself, ‘Do I have the tools to bypass or break the locks?’”

China and Russia do, and Iran may as well, several cybersecurity experts said.

Last year a series of revelations showed how a sophisticated Chinese intelligence group, called Salt Typhoon, penetrated deep into at least nine U.S. telecommunications firms. Investigators said that among the targets were the commercial, unencrypted phone lines used by Mr. Trump, Vice President JD Vance and top national security officials.

Mr. Gerstell said he had no knowledge of Mr. Hegseth’s phone or if it was subject to attack. But personal phones are typically far more vulnerable than government-issued phones.

“It would be possible, with moderate difficulty for someone to take over a phone in a surreptitious way once they had the number assuming you clicked on something malicious,” Mr. Gerstell said. “And when really sophisticated bad guys are involved, like Russia or China, phones can be infected even if you don’t click on anything.”

Cybersecurity experts said that more than 75 countries had acquired commercial spyware within the past decade. The most sophisticated spyware tools — like Pegasus — have “zero-click” technology, meaning they can stealthily and remotely extract everything from a target’s mobile phone, without the user having to click on a malicious link to give Pegasus remote access. They can turn the mobile phone into a tracking and secret recording device, allowing the phone to spy on its owner.

Signal is an encrypted app, and its security for a commercial messaging service is considered very good. But malware that installed a key logger or keystroke capture code on a phone would allow the hacker, or nation state, to read what someone types into a phone, even in an encrypted app, former officials said.

In the case of Mr. Hegseth’s use of Signal to discuss the Yemen strike plans, spyware on his phone could potentially see what he was typing or reading before he hit “send,” because Signal is encrypted during the moments of sending and receiving, cybersecurity experts said.

One person familiar with the Signal conversation said that Mr. Hegseth’s aides warned him a day or two before the Yemen strikes on March 15 not to discuss such sensitive operational details in his group chat. That chat, while encrypted, was not considered as secure as government channels.

It was unclear how Mr. Hegseth responded to those warnings.

Mr. Hegseth also had Signal set up on a computer in his office at the Pentagon so that he could send and receive instant messages in a space where personal cellphones are not permitted, according to two people with knowledge of the matter. He has two computers in his office, one for personal use and one that is government-issued, one of the people with knowledge of the matter said.

“I guarantee you Russia and China are all over the secretary of defense’s cellphone,” Representative Don Bacon, Republican of Nebraska, who has suggested that Mr. Hegseth should be fired, told CNN this week.

Christiaan Triebert reported from New York. Greg Jaffe in Washington contributed reporting and Sheelagh McNeill contributed research.


