Lessons of the Sarah Palin e-mail hack

Hacking password reset questions is far easier than guessing the passwords themselves, and the Palin incident will surely start a trend

Sarah Palin's Yahoo e-mail account was hacked and at least some of her e-mails were downloaded and distributed. Besides being illegal, the hacking was simply wrong, no matter what your political ideology. When screenshots of her e-mail were first being displayed, several analysts theorized that her e-mail account password was hacked or guessed.

In one of the screenshots, you could see a password reset notification message in Palin's now-compromised inbox. That led me to believe that the attackers had guessed her three password reset questions, which is substantially easier than guessing even a short password. I was right.

Here's the story from an article on AppScout's Web site:

Hacking Sarah Palin: What We Can All Learn

Breaking into Sarah Palin's webmail account was a simple hack--one that required little to no technical expertise. There is, of course, an important lesson to be learned here for the vice presidential candidate, and hopefully the rest of us can take something away from this as well.

The attack was perpetrated by 4Chan's "random" /b/ board. The board has long been at the forefront of Internet memeology, helping popularize such favorites as lolcats, Rick-rolling, and the "Anonymous" group, which has been known to launch its share of large-scale anti-Scientology protests.

On Tuesday night, someone from the /b/ board ("/b/tards," as they are colloquially known) broke into Sarah Palin's Yahoo! e-mail account. They read the e-mails and posted the address and password on the board. Fellow /b/tards proceeded to wreak general havoc with the account.

The /b/tard in question used Yahoo!'s password recovery feature, and then proceeded to fill in the answers using Wikipedia. A message posted to the forum explains the process thusly:

"After the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

"The second was somewhat harder, the question was 'where did you meet your spouse?' did some research, and apparently she had eloped with mister palin after college, if you'll look on some of the screenshits [sic] that I took and other fellow anon have so graciously put on photobucket you will see the google search for 'palin eloped' or some such in one of the tabs.