Hacking Palin’s email account
The news yesterday that VP candidate Palin’s email account at Yahoo was hacked got my attention quickly. I was curious not about the information that was obtained (it was mundane) or the target (who cares?) but about how someone got the data. How does someone hack into a major email service provider?
It took a little surfing and digging, but I got a possibly true summary of what happened from a Michelle Malkin blog post, where she may have received a communication from the hacker. To confirm this story, one needs to understand the Yahoo methodology for password resetting (with which I am unfamiliar).
The hacker obtained Palin’s email address and then attempted access to the account via the password recovery routine:
after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you’ll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…[Michelle Malkin post; see above]
So, the implication is that this hacker used relatively manual brute-force search techniques to get the answers to Palin’s challenge questions: What is your birthday? What is your zip code? Where did you meet your spouse?
If this is how it was done, I would conclude that Yahoo does not limit the number of attempts at answering the challenge questions. The ability to bang away with any number of answer combinations seems like a weak security feature. There is also a lesson for us all in how we select challenge questions and their answers.
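A per-account cap on failed challenge answers, as an added example that is not from the original post or from Yahoo: after a few wrong tries the recovery routine locks for a period, so cycling through variations of an answer stops early. The class name, thresholds and sample answers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3              # assumed policy, not Yahoo's
LOCKOUT_SECONDS = 24 * 3600   # assumed lockout period

def _digest(answer, salt):
    # Normalise case and spacing so "Example  High " equals "example high".
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

class RecoveryGuard:
    """Checks challenge answers and counts failures per account, not per client."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, account, answers):
        salt = os.urandom(16)
        self._accounts[account] = {
            "salt": salt,
            "answers": [_digest(a, salt) for a in answers],  # never stored in clear
            "failures": 0,
            "locked_until": 0.0,
        }

    def attempt(self, account, answers, now):
        st = self._accounts[account]
        if now < st["locked_until"]:
            return "locked"   # even correct answers are refused while locked
        # Compare every answer, with no early exit on the first mismatch.
        ok = len(answers) == len(st["answers"])
        for given, stored in zip(answers, st["answers"]):
            ok &= hmac.compare_digest(_digest(given, st["salt"]), stored)
        if ok:
            st["failures"] = 0
            return "ok"
        st["failures"] += 1
        if st["failures"] >= MAX_FAILURES:
            st["failures"] = 0
            st["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"
```

Because the counter is keyed on the account, switching client addresses does not reset it; a real service would also notify the account owner when a lockout starts.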
