Palin email hack post mortem

A few days ago a lone individual decided to crack [Governor Sarah Palin]‘s private Yahoo! email account. He did this by navigating the password reset procedure. [Gov. Palin]‘s birthday was publicly available and Wasilla only had two zip codes to guess. The follow up question “Where did you meet your spouse” required some more research. They met in high school so a few more guesses turned up “Wasilla high” as the answer. The original poster then read every single email only to discover that there really wasn’t anything of interest there. Frustrated, he posted the details to 4chan to let any wonk have at it. /b/ members began posting screenshots of the account, but very little came of it.

One screenshot of her inbox even revealed her daughter Bristol’s cell phone number. While there was no groundbreaking political information revealed, it is important to point out that it appears that Gov. Palin was using this private account to correspond to her assistants about potentially sensitive government information. This security breach should serve as a wake-up call to many public officials by showing how dangerous it can be to have a private e-mail account, especially when a free web-based service such as Yahoo! is used.

27 thoughts on “Palin email hack post mortem

  1. Or teach them about weak passwords and even easier password reset questions. I always fill those resets with about 50 random characters, numbers, etc that I don’t even know. :)

  2. Anonymous is quite a force, though in reality it’s only a handful of serious security experts and the rest being a bunch of meme-spouting fools. Not that I have anything against them, just the truth.
    As for Palin’s email, I guess 2 zip codes sorta narrows it down, as well as her personal history being widely available.

  3. “I still can’t believe people enter the actual answers to password reset questions.”
    I have always entered a random jumble of keystrokes, but I don’t think it’s the least bit surprising that 99% of people when they are prompted to answer security questions do what the email service asks them to. And, as a point of fact, if she hadn’t become a nationally reported-on figure from a very small community it probably would not even have been an issue. Since the guy in question was the son of Democrat senator, I’m guessing her address turned up in a forward or something. (otherwise no one in the public would have known what it was in the first place)

    It’s also worth noting that the questions offer a security *enhancement* in that, if someone intercepts your session authentication or original password, and changes your password, you still possess the means to immediately regain control of your account. For the average anonymous person, having these ‘knowledge tokens’ is probably a very good move and significant security enhancement.

    Anyway, I’ll bet an awful lot of other government figures are changing the settings on their mail accounts this week. :p

  4. Using a personal email means there’s no backlog and no accountability on Palin’s part. It would take a pretty beefy court order to get into it.

  5. Not to mention that I’m fairly certain it’s against the law, and if not that then very frowned upon. Governments have to keep very strict records of everything, so using a personal email lies outside the bounds of accountability. Ironically, her stump speech spiel contains lengthy sections about government accountability. Whoops.

  6. You know, I have more respect for this site for not following the media and posting up this as hacking.

    Nice response, keep up the good work.

  7. The password reset question can be a cypher in its own. Perhaps it is the name of a hash algorithm the owner has created and no one else would know. The deeper one reads into one of these questions the less likely it will be to break.

  8. awesome. not only did she use the yahoo account to conduct (arguably unofficial) government business, but she gave real answers to the security questions protecting the account.

    honestly, how many people reading this are stupid enough to use their mothers real maiden name? i’m sure she’ll rock at national security.

  9. These password reset questions are indeed a super vulnerability of yahoo, hotmail and the like… This breach making the headlines is pretty dumb, but raises public awareness over this issue nevertheless. Many people don’t realise (or worse, care for) how vulnerable their data are.
    On one of the web’s best security sensibilisation sites offers a neat password generating page: https://www.grc.com/passwords.htm
    Enjoy :)

  10. Security issues aside (and Palin’s security naivete’ is bothersome) did she use private e-mail to conduct state business out of the public eye? I don’t know about Alaska, but other more progressive states have ruled that communications between public officials are subject to open-meeting laws.

  11. “I still can’t believe people enter the actual answers to password reset questions.”

    Can you believe people still enter the suggested password types too, like… “a pet’s name”?

    Most common password in the US is still a pet’s name… and working at a computer repair place on a university campus showed me the next favorite is a loved one’s name followed by a sports person of some kind (like a race-car driver), followed by a vehicle of some kind and from there it does got a little foggy, but these are all one word passwords of things we know these people like coupled with (in most cases) the last two digits of the birthday of the person who set the password.

    Peace!

  12. i just stumbled on this. im happy to read (rather skim) that you used the proper terminology of “crack” rather than the notoriously misused term “hack.”

    though the news is rather uninteresting.

  13. What’s of interest is that Palin is using a private email address for public business while claiming protection for “private” email addresses during an investigation into abuse of power. It doesn’t really matter that there wasn’t an email here that said “let’s abuse my position to harass my ex LOL”. This discovery raises questions about her character and strengthens doubts about both her judgment and potential criminal behavior.

  14. bawwwwww, there was no dirt but lets read our personal bias into it anyways.

    BTW hackaday – good job on the article, as opposed to every other media outlets’ horrible misunderstanding of the content.

  15. Sigh, I’m tired of Sarah Palin already, a total fraud. In the event she where a Democrat, the right wing talk shows, would have labeled her a feminazi. I sure there’s a scramble to rewrite security guidelines. Anyone breaking into any email account used by a government official, is taking a big risk, in today’s be afraid America.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s