My best guess is that what they did was to impersonate the EP-EXT wifi network and steal our credentials from the login page (https://wifiauth.europarl.europa.eu/, now no longer available, see screenshot below for what it more-or-less used to look like). In this scenario, after I automatically connect to the rogue WiFi (because my phone recognizes the SSID), it presents me with the familiar login page, but this time it’s not HTTPS but plain HTTP. So, no warning about a self-signed certificate is presented to the user.
After I type in my credentials, the rogue WiFi is turned off for a minute or more, so my phone re-connects to the real EP-EXT network and I am asked for my credentials again. I would probably think that I mistyped the password or something and not think twice about it. After a minute the rogue WiFi goes back online, waiting for the next victim.
This is classic MITM where a user inadvertently accepts a different certificate than provided from the mail server which allows the man in the middle access to the encrypted stream. Always be on the lookout for those pop up notifications. An attacker can’t get to an encrypted stream without your permission — even on an unsecured open wifi.
The Parliament has been subject for a man-in-the-middle attack, where a hacker has captured the communication between private smartphones and the public Wi-Fi of the Parliament (EP-EXT Network).
The consequence is that some individual mail-boxes have been compromised. All concerned users have already been contacted and asked to change their password.
As a precaution, the Parliament has therefore decided to switch-off the public Wi-Fi network until further notice, and we invite you to contact the ITEC Service Desk in order to install an EP software certificate on all the devices that you use to access the EP IT systems (email, etc..).