How Sarah Palin’s Yahoo Mail Account was Hacked
by: Jerry Liao
Undoubtly, email is the most popular application on the web. Just like mobile phones, almost every citizen or those who have access to the web definitely has one email address or maybe even more. And why not, email is considered one of the most effective way of communication regardless of users location. Not only can you send messages, but one can also attach files like documents, audio and video files and others.
It also has become part of one’s daily habit to check his/her email every so often. Email definitely is part of ones life. It’s like if you don’t have an email account, then perhaps something is wrong with you. Why? Because getting an email account is easy and is free.
The most popular free web based emails according to Hitwise are Yahoo Mail, Windows Live, and Gmail. ComScore Media Metrix figures for February, 2008 indicated that Microsoft webmail has 256.2 million users, Yahoo has 254.6 million users, Google has 91.6 million users and AOL webmail has 48.9 million users. Althoug Yahoo said they have around 260 million users.
While these web based emails are widely used, the next question we users should ask is are they secure? The answer is no it seems.
Just recently, Republican vice presidential candidate Sarah Palin’s Yahoo email account was hacked, without much technical skills needed. The hacker simply use the “Forget your ID Password” option. The hacker simply filled up the information asked by Yahoo to assign a new password like Palin’s zip code, date of birth and where she met her husband. All information available via Google search and Wikipedia.
In a posting found at 4chan.org forum where the hack first surfaced, the hacker explain the process:
– after the password recovery was re-enabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
– the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits [sic] that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
– I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…
The “Forgot my Password” feature of many web sites is insecure, specially if you consider the ability to redirect emails in a system where servers with DNS flaws. The limitation of Yahoo email in as far as the secret question is concerned is Yahoo simply allow the user to select the question from its list. Unlike Gmail, Google allows the users to write its own question which somehow will be a little bit harder to crack.
The experience of Sarah Palin should be a wake up call to the email providers. While they provide their services for free, it is their responsibility to ensure that their service is hack-proof, and should help in maintaining data integrity. To us users, it should also serve as a lesson that we should not use web-based email services for important communications, and use Pop-mails instead.
The hacking incident will definitely be a setback to the rising popularity of Cloud Computing, where applications and data are all stored on the web. Solution providers and security experts should work hand in hand to help solve this problem. Otherwise, people will again go back to the desktop model where everything is stored in their personal harddisk or servers.