
Social engineering cracked Palin's e-mail account

Criminal hackers exploited known weaknesses in the password recovery feature to gain access.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

Details describing how someone hacked into Sarah Palin's Yahoo Mail account emerged on Thursday, and it appears to have been done with little more than social engineering, the process of acquiring personal information through social manipulation.

Meanwhile, the Knoxville News Sentinel is reporting that a 20-year-old University of Tennessee student has been contacted in connection to the federal investigation of the break-in. Further details are not known.

Since Tuesday, anonymous posters using a forum on the 4Chan.org Web site have been circulating password-protected zip files containing the contents of the now-deleted e-mail account once belonging to the Republican vice presidential candidate. Various posts to the /b/ board have also provided insight into how the hack was carried out.

Like most Web account services, Yahoo Mail provides an option to reset or recover one's user name and password. What is unclear is how the account recovery was rerouted from the alternative e-mail address chosen by Palin to a secondary e-mail address.

When Yahoo Mail prompted for Palin's birthday, one poster said it took only 15 seconds on Wikipedia to answer that question. When it prompted for a ZIP code, Wasilla, Alaska, has only two ZIP codes. As for Palin's personal security question, "Where did you meet your spouse?", that did slow the process down. The poster claimed it took several tries but eventually hit upon the correct answer: Wasilla High.

Web mail accounts are not alone in using online security questions. In May, Acxiom, a Little Rock, Ark.-based data warehouse company, announced it was introducing a new biographical authentication service that asks online banking and e-commerce site users random questions based on their personal lives, such as "How many fireplaces are in your current residence?" The answer can be obtained from any real estate Web site.
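The weakness described in the two paragraphs above is that a security question whose answer is public record (birthday, ZIP code, high school) is a password the whole Internet already knows, and no amount of lockout logic fixes that. The following is an added illustration, not code from CNET, Yahoo or Acxiom: a constructed account record with two recovery paths side by side. The legacy knowledge-based path gets a proper lockout so a small answer space cannot simply be cycled through, while the hardened path mails a random, short-lived, single-use token to the recovery address the user registered in advance, so possession of that mailbox, not biographical trivia, is what proves identity. All names, thresholds and the sample account are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy knobs (assumed values for this example, not any provider's real settings).
MAX_ATTEMPTS = 3          # wrong security-question answers before lockout
LOCKOUT_SECONDS = 900     # 15 minutes
TOKEN_TTL_SECONDS = 600   # reset token lifetime


@dataclass
class Account:
    """Constructed account record; only hashes of secrets are stored."""
    username: str
    recovery_email: str              # address registered before the account was at risk
    answer_hash: bytes               # hash of the security-question answer (legacy path)
    failed_attempts: int = 0
    locked_until: float = 0.0
    pending_token_hash: Optional[bytes] = None
    token_expires: float = 0.0


def _norm_hash(value: str) -> bytes:
    # Normalize case and whitespace so "wasilla high" and "Wasilla High" match,
    # then hash so the raw answer never sits in the store.
    return hashlib.sha256(value.strip().lower().encode()).digest()


def make_demo_account() -> Account:
    # Constructed sample account; the answer is a placeholder, not real data.
    return Account(username="demo_user",
                   recovery_email="demo_user@recovery.example",
                   answer_hash=_norm_hash("Example High"))


def answer_security_question(acct: Account, answer: str, now: Optional[float] = None) -> bool:
    """Legacy knowledge-based recovery with lockout.

    The lockout stops an attacker from walking a two-entry answer space in
    seconds, but the question is still only as secret as the answer, which is
    the real lesson of the article.
    """
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return False                      # locked: reject without evaluating the answer
    if hmac.compare_digest(acct.answer_hash, _norm_hash(answer)):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
    return False


def start_token_reset(acct: Account, now: Optional[float] = None) -> str:
    """Hardened recovery, step 1: mint a 256-bit token for the pre-registered address.

    Only the token's hash is stored; the return value stands in for the message
    that would be e-mailed to acct.recovery_email.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending_token_hash = _norm_hash(token)
    acct.token_expires = now + TOKEN_TTL_SECONDS
    return token


def finish_token_reset(acct: Account, token: str, now: Optional[float] = None) -> bool:
    """Hardened recovery, step 2: accept the token once, and only before it expires."""
    now = time.time() if now is None else now
    pending = acct.pending_token_hash
    acct.pending_token_hash = None        # single use, whether the attempt succeeds or not
    if pending is None or now > acct.token_expires:
        return False
    return hmac.compare_digest(pending, _norm_hash(token))


if __name__ == "__main__":
    acct = make_demo_account()
    for guess in ("Guess One", "Guess Two", "Guess Three"):
        answer_security_question(acct, guess, now=0.0)
    print("locked after three wrong answers:", acct.locked_until > 0.0)
    tok = start_token_reset(acct, now=0.0)
    print("token accepted once:", finish_token_reset(acct, tok, now=1.0))
    print("token rejected on replay:", not finish_token_reset(acct, tok, now=2.0))
```

The design point is where the secret lives: in the token flow the server holds only a hash of a value it generated itself, the value expires, and it is consumed on first use, so a public-records search yields nothing to type into the form. The lockout on the legacy path is a mitigation for the "only two ZIP codes" problem, not a replacement for retiring questions whose answers can be looked up.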

4Chan's "random" /b/ board is no stranger to controversy. In January, members waged an online media war against the Church of Scientology. Prior to that, the site popularized Lolcats, pictures of kittens with cute captions, and rickrolling, linking to videos of Rick Astley's 1987 song "Never Gonna Give You Up".