Social engineering cracked Palin's e-mail account

Criminal hackers exploited known weaknesses in the password recovery feature to gain access.

Details describing how someone hacked into Sarah Palin's Yahoo Mail account emerged on Thursday, and it appears to have been done with little more than social engineering, the process of acquiring personal information through social manipulation.

Meanwhile, the Knoxville News Sentinel is reporting that a 20-year-old University of Tennessee student has been contacted in connection to the federal investigation of the break-in. Further details are not known.

Since Tuesday, anonymous posters using a forum on the 4Chan.org Web site have been circulating password-protected zip files containing the contents of the now-deleted e-mail account once belonging to the Republican vice presidential candidate. Various posts to the /b/ board have also provided insight into how the hack was carried out.

Like most Web account services, Yahoo Mail provides an option to reset or recover one's user name and password. What is unclear is how the account recovery was rerouted from the alternative e-mail address chosen by Palin to a secondary e-mail address.

When Yahoo Mail prompted for Palin's birthday, one poster said it took only 15 seconds on Wikipedia to answer that question. When it prompted for ZIP code, Wasilla, Ala., has only two ZIP Codes. As for Palin's personal security question "Where did you meet your spouse?" that did slow the process down. The poster claimed it took several tries but eventually hit upon the correct answer: Wasilla High.

Web mail accounts are not alone in using online security questions. In May Axiom , a Little Rock, Ark.-based data warehouse company, announced it was introducing a new biographical authentication service that asks online banking and e-commerce site users random questions based on their personal lives such as "How many fireplaces are in your current residence?" The answer can be obtained from any real estate Web site.

4Chan's "random" /b/ board is no stranger to controversy. In January, members waged an online media war against the Church of Scientology . Prior to that, the site popularized Lolcats, pictures of kittens with cute captions, and rickrolling, linking to videos of Rick Astley's 1987 song "Never Gonna Give You Up".

Tags:
Security
About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments
    Latest Galleries from CNET
    15 crazy old phones from a Korean museum (pictures)
    10 gloriously geeky highlights from 2014 (pictures)
    2015.5 Volvo XC60: updated tech, understated design
    Busted! CNET readers show us their broken devices (pictures)
    Take a closer look at the BlackBerry Classic (pictures)