The fast-spreading lie about John Podesta's hacked email password

At CES, the massive annual tech conference in Las Vegas, the cybersecurity stage heard this lie multiple times. In a panel discussion titled “password protection, authentication, and new exploits,” people like Tim Bajarin, president of Creative Strategies, Inc., opened the panel with the cautionary tale about Podesta’s password. Everyone laughed at the story.

But that’s just not the case. Some of Podesta’s passwords are on WikiLeaks, including his iCloud password: ‘Runner4567.’ That’s not a great password—Podesta famously loves jogging and you should not use easily identifiable hobbies as passwords—but it’s not nearly on the same incompetence level as using the actual word “password” as an email password. More to the point, Google doesn’t even allow “password” to be used as a Gmail password, making the entire story impossible. Podesta’s Windows password was “[email protected]” for his Windows 8 machine at one point, but that has absolutely nothing to do with how his emails were hacked and leaked, making it irrelevant to the entire hacking incident.

Podesta wasn’t hacked because he used a bad password. His email was breached because hackers sent a spear phishing email pretending to be Google asking for his credentials because, according to the fake email, he had already been hacked. It’s a common tactic of hackers to create emotional urgency during an attack. Ironic as it is, pretending you’ve already been hacked is a common tactic because it can push people to quickly click malicious links without thinking through or checking the consequences.
