Details describing how someone hacked into Sarah Palin’s Yahoo Mail account emerged on Thursday, and it appears to have been done with little more than social engineering.

Since Tuesday, anonymous posters using a forum on the 4Chan.org Web site have been circulating password-protected zip files containing the contents of the now-deleted e-mail account once belonging to the Republican vice presidential candidate.

Like most Web account services, Yahoo Mail provides an option to reset or recover one’s user name and password. What is unclear is how the account recovery was rerouted from the alternative e-mail address chosen by Palin to a secondary e-mail address.

When Yahoo Mail prompted for Palin’s birthday, one poster said it took only 15 seconds on Wikipedia to answer that question. When it prompted for a ZIP code, Wasilla, Alaska, has only two ZIP codes. As for Palin’s personal security question, “Where did you meet your spouse?”, that did slow the process down. The poster claimed it took several tries but eventually hit upon the correct answer: Wasilla High.

Tee hee.


Update: Incidentally, the leading suspect in the crack – I wouldn’t call it a hack, especially – is a college student named David Kernell.

He changed Palin’s password to “popcorn”. Whadda you think?




  1. ran6110 says:

    You know, I use the stock questions but I’ve never used the ‘real’ answer. And I would NEVER supply an answer that could be easily looked up!

  2. BigBoyBC says:

    I don’t care if it took the power of 10 super computers, what they did was wrong. I don’t care who they did it to, they need to be caught and made an example of…

  3. BillM says:

    Ok, so I come to your house and find you have an inexpensive lock on your door. I pick it, come into your home, make copies of the correspondence, financial records, photos, etc. that I find in your desk and post copies of all over town. Stupid you, should have had a better lock.

  4. dusan maletic says:

    “What is unclear is how the account recovery was rerouted from the alternative e-mail address chosen by Palin to a secondary e-mail address.” – that is the hack… Yahoo shouldn’t have sent info to any other e-mail but the one provided by the owner. Nor should it be hackable in that sense. If that part had worked as it should, no amount of social engineering would have been able to crack in.
    The most disappointing part is mute silence from the Obama camp, one who promotes himself as champion of on-line fairness and privacy for all. Where is his public request for Gawker to remove the content and to the hacker to come forward and admit his doings? That is what I expect from the potential President. Not “ha, ha”, which makes him equal to the Nixon in Watergate (despite differences).

  5. edwinrogers says:

    There’s a new orange pair of overalls hanging in a closet, somewhere, with that hacker’s name on them.

  6. Lou says:

    The more important point here is she is shielding herself with a Yahoo email address.
    Should have got a Hushmail account.

  7. #6 – Lou

    Yeah, what is she doing conducting state business with a freebie Yahoo account??? The only time anyone does that is when they’ve got something to hide.

    All things will be revealed.

  8. Beonarri says:

    Breaking into someone’s poorly protected email…that’s illegal. Not in any sort of “lock him away and throw the key away.”

    But, emails are sent in the clear anyways. I’m sure there’s a way to plant something between the sender and recipient to see what the email is. Doing that would be like reading a postcard.

  9. Sinn Fein says:

    It’s going to be rather unfortunate for the “hackers” with the new Fed ID theft laws recently in place…hacking such a high profile person now involves the FBI with a mandate to bust A LOT of people and to hang ’em high.

  10. Gary, the dangerous infidel says:

    #4 dusan maletic wrote “The most disappointing part is mute silence from the Obama camp, one who promotes himself as champion of on-line fairness and privacy for all. Where is his public request for Gawker to remove the content and to the hacker to come forward and admit his doings? That is what I expect from the potential President.”

    By the same token, George Bush should have openly denounced all the lies and dirty tricks that his supporters performed for his benefit throughout two very dirty campaigns, just as you’re now demanding of Barack Obama. For that matter, as President, he should have demanded that anyone on his staff that had revealed the identity of a certain covert CIA operative step forward, tell the truth, and face the consequences. Instead, much time and taxpayer money was wasted to cut through all the obstruction of justice just to determine if a crime was committed.

    Hmmm, knowing what a supporter you were of Hurricane George, methinks you may be trying to apply a very different standard to Obama.

  11. Brock says:

    Excellent approach to get 99% of Americans on Palin’s side. Fear of identity theft comes home and now everybody feels for Sarah. Couldn’t have worked out better.

  12. Lou Minatti says:

    [Comment deleted – Violation of Posting Guidelines. – ed.]

  13. Lou Minatti says:

    [Comment deleted – Violation of Posting Guidelines. – ed.]

  14. J says:

    # 12 Lou Minatti

    “What IS funny is that you didn’t mention that the hacker is the son of a prominent Democrat politician.”

    Care to post proof of that?

  15. Beonarri says:

    #13 Lou Minatti

    I think by using KKK in the middle of the word “Democrats”, you’ve destroyed any semblance of a rational, well-thought-out, reasoned argument.

  16. Rick Cain says:

    Palin should be punished by the legislature for doing state business on a Yahoo account, possibly exposing the Alaskan government to loss of protected and privileged information. Ironically I guess that was her motive….but to keep privileged information out of the hands of the Alaskan legislature.

  17. dwsolberg says:

    What bothers me is that I can pick a very secure password, but companies are willing to override it if someone knows my place of birth and my pet’s name. These “added security measures” should be re-examined in light of how obviously they remove protection from a proper password.

  18. MikeN says:

    Well the Klan’s Nathan Bedford Forrest is from Tennessee, and Democrats there had the state celebrate Nathan Bedford Forrest day. And of course the Klan was made up of Democrats. However the original post is gone so I don’t know if that’s what he meant.

  19. god says:

    The Klan’s been an all-Republikan Krew since 1970 – boy. Nixon took care of that.

    You may now wander back to the topik.

  20. soundwash says:

    crystal ball:

    they discover that the hacker used the much touted DNS cache poisoning exploit of late, which would be the perfect way to redirect the mail to the mail server of choice.

    since our government is on a Nationalization spree, it then declares it must bail out the DNS system as this poses a grave threat to the free market interwebtubes economy -and of course..national security.

    this finally results in the whitehouse drafting an ultra vague Continuance Of Net “DNSPD51” directive, -complete with “Annex A and the classified Continuity Annexes, attached hereto, are hereby incorporated into and made a part of this directive.” –

    -which of course, are classified in the name of national security.. 😛

    (hey, its the best i could do at 4:45am, -omw back from getting some water)

    -s

  21. soundwash says:

    -or Yahoo IT’s are simply idiots and (most likely) send the password email in the clear, which any savvy 9-year-old could simply tracert the route to Alaska, and simply sniff out the needed packets in no time..(as he would have a good idea of the time stamps on the packets..etc) (?)

    *shrug*

    -s

  22. LinusVP says:

    Figures you guys would write a headline like that.

    #2 Agreed.

  23. Uncle Patso says:

    # 3 BillM said:

    “Ok, so I come to your house and find you have an inexpensive lock on your door. I pick it, come into your home, make copies of the correspondence, financial records, photos, etc. that I find in your desk and post copies of all over town. Stupid you, should have had a better lock.”

    Even so, that wouldn’t stop me from prosecuting you for burglary and theft.

  24. keaneo says:

    The funniest nutballs in the comments, today, are the poor, ignorant gits who think the “stupidity” in the headline is political.

    Some of you “sensitive” conservatives have only been geeks for three weeks, I guess. The phrase has been around as long as human engineering was used to get telephone credit card numbers.

    Cripes. The t-shirts have been around for decades.

  25. Plillary says:

    Good grief can you imagine the howls of outrage if it was Biden’s email account that was compromised! It would be front page news on the Times and Post. No instead we get little or no news coverage and liberals blaming the victim!!! Can the bias be more obvious?

  26. Paddy-O says:

    The suspect, DAVID Kernell
    has a father named MIKE Kernell. Mikey is a DEM Rep from Tenn.

    I’m sure Rep. Mike Kernell is very proud of his son.

  27. Ben says:

    I did this on my own account. The challenge question can be hacked with a dictionary attack.

    You don’t need access to the alternative e-mail address. Just select, “I don’t have access to the alternative e-mail address” and you are golden. It just lets you change the password when you answer the question correctly, such as “What is your dog’s name?”

    The system is flawed. It doesn’t matter if you have “LjDaeu&^86” as a password (made up example of secure password), you can still bypass it. This is not good.

    Here is how I would fix it. If you forget your password, it lets you do all that, but it won’t change the password for 72 hours. Then it sends the account an e-mail saying the password will change in 72 hours. To avoid phishing there would be no links and you would only have to change your password again to lock out the person who changed your password.
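
An added example (the editor’s, not the blog’s, not commenter #27’s code, and not Yahoo’s actual implementation) that models both the recovery walkthrough in the post and the fix proposed in comment #27: a small Python model of the weak flow, which takes any number of guesses at the security question and changes the password on the spot, beside a hardened one that stores the answer hashed, locks after three wrong guesses, and only schedules the change behind a 72-hour hold with a cancel token that the notice mailed to the account would carry. The password, the stored answer and the guess list are constructed sample data; the three-guess threshold, the PBKDF2 settings and the answer normalization are assumptions.

```python
"""Knowledge-based password recovery: the weak flow the post describes beside a hardened one (hypothetical example; all data constructed)."""
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from typing import Optional

MAX_GUESSES = 3            # assumed lockout threshold for the hardened flow
DELAY_SECONDS = 72 * 3600  # the 72-hour hold proposed in comment #27
PBKDF2_ROUNDS = 10_000     # kept low for the demo; tune upward in production

def normalize(answer: str) -> str:
    """Fold case, Unicode form and spacing; forgives the owner but also shrinks the attacker's search space."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

@dataclass
class Account:
    password: str
    answer_salt: bytes
    answer_hash: bytes           # the security answer is stored hashed, like a password
    failed_guesses: int = 0
    pending_reset: Optional[dict] = None

def make_account(password: str, answer: str) -> Account:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return Account(password, salt, digest)

def answer_matches(acct: Account, guess: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", normalize(guess).encode(), acct.answer_salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, acct.answer_hash)

def weak_reset(acct: Account, guess: str, new_password: str) -> bool:
    """The post's flow: unlimited guesses, and a hit replaces the password on the spot."""
    if answer_matches(acct, guess):
        acct.password = new_password
        return True
    return False

def hardened_request(acct: Account, guess: str, new_password: str, now: int) -> str:
    """Rate-limited; a hit only schedules the change and mints the cancel token the notice mailed to the account would carry (no link, as #27 wants)."""
    if acct.failed_guesses >= MAX_GUESSES:
        return "locked"
    if not answer_matches(acct, guess):
        acct.failed_guesses += 1
        return "wrong"
    acct.pending_reset = {"new_password": new_password,
                          "effective_at": now + DELAY_SECONDS,
                          "cancel_token": secrets.token_urlsafe(16)}
    return "scheduled"

def hardened_cancel(acct: Account, token: str) -> bool:
    """The owner, reading the notice in the still-working inbox, cancels."""
    p = acct.pending_reset
    if p and hmac.compare_digest(token, p["cancel_token"]):
        acct.pending_reset = None
        return True
    return False

def hardened_apply(acct: Account, now: int) -> bool:
    """Scheduler hook: the new password takes effect only once the hold expires."""
    p = acct.pending_reset
    if p and now >= p["effective_at"]:
        acct.password = p["new_password"]
        acct.pending_reset = None
        return True
    return False

# Constructed guesses for "Where did you meet your spouse?"; the right one sits sixth.
GUESSES = ["church", "college", "Anchorage", "Wasilla", "work", "Wasilla High"]

def new_victim() -> Account:
    return make_account("LjDaeu&^86", "wasilla high")   # the strong password from #27

def attack_weak() -> tuple:
    """Dictionary attack on the weak flow: (guesses needed, resulting password)."""
    acct = new_victim()
    for n, guess in enumerate(GUESSES, 1):
        if weak_reset(acct, guess, "popcorn"):
            return n, acct.password
    return 0, acct.password

def attack_hardened() -> tuple:
    """Same guess list against the hardened flow: (per-guess status, password)."""
    acct = new_victim()
    statuses = [hardened_request(acct, g, "popcorn", now=0) for g in GUESSES]
    hardened_apply(acct, now=DELAY_SECONDS)
    return statuses, acct.password

def owner_cancels() -> tuple:
    """Attacker knows the answer outright (the Wikipedia case); the hold still lets the owner cancel: (cancelled?, password after the hold)."""
    acct = new_victim()
    scheduled = hardened_request(acct, "Wasilla High", "popcorn", now=0) == "scheduled"
    cancelled = scheduled and hardened_cancel(acct, acct.pending_reset["cancel_token"])
    hardened_apply(acct, now=DELAY_SECONDS)
    return cancelled, acct.password

if __name__ == "__main__":
    print(attack_weak(), attack_hardened(), owner_cancels(), sep="\n")
```

The constructed guess list puts the real answer sixth: the weak flow gives the account up on guess six regardless of the strong password, the hardened flow answers “wrong” three times and then “locked”, and even when the attacker already knows the answer (the Wikipedia case in the post) the hold leaves the owner time to cancel from the inbox that still works. Note that the normalization which lets the owner type the answer in any form also shrinks the attacker’s search space; that is the built-in weakness of knowledge-based recovery that comment #17 points at, and a lockout and a hold only limit the damage rather than remove it.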

  28. soundwash says:

    …or just do 3 factor authentication for lost passwords.

  29. becagle says:

    The guy will more than likely get off with just a wrist slap, because Daddy is in the government.

  30. Mr. Fusion says:

    #4, Dusan,

    The most disappointing part is mute silence from the Obama camp, one who promotes himself as champion of on-line fairness and privacy for all.

    Again I ask you. Where is McCain’s outrage when the right wing nuts claim Obama is a Muslim? Where is YOUR outrage when McCain tells deliberate lies about Obama’s policies?

    That is what I expect from the potential President. Not “ha, ha”, which makes him equal to the Nixon in Watergate (despite differences).

    So Obama is a bad person because he has not commented one way or another. Yet Palin who has lied multiple times during the campaign, used her offices of Mayor and Governor to vindictively fire those she didn’t like, is illegally avoiding Alaska law, and obstructed a legal and legitimate inquiry into her wrong doings deserves only support?

    Geeze, you better see your physician about upping your meds.

