There’s a lot of buzz in the media today over Vice Presidential candidate Sarah Palin whose Yahoo! Mail account was recently compromised by an anonymous individual. The breach occurred just before dawn on Tuesday, with many screenshots uploaded to the image forum website 4chan.org. Unfortunately for those of you who are hoping for something juicy to fall out of this and into public scrutiny, there was nothing controversial to be found (so far). So how did this happen?
An anonymous person, using nothing more than Google, Wikipedia and the “I forgot my password” questionnaire on Yahoo! Mail’s website was all it took. Simple questions like, “What’s your birthday?” and “What’s your zip code” are examples. A slightly more difficult question was, “Where did you meet your spouse?”, which took a little digging and some minor trial and error. After about 45 minutes (according to the original poster), the account was compromised, the password changed to “popcorn” and then posted on 4chan’s /b/ forum for others to login to and confirm as being real.
So now everybody feels obligated to find someone to blame for this breach of security/violation of privacy. Of course we could point blame at a nameless, faceless person who isn’t admittedly affiliated with any political party… but what’s the point? You either know who the person is or you don’t and there’s even a chance they don’t even live in the United States (making it difficult to impossible to enforce the law). In the meantime, we should start by noting that the questions that the attacker had to answer were rather easy, and that they were selected by Palin herself when the account was created. Considering the fact that when the account was created she was already involved in politics (which mostly involves increasing your celebrity status), she should have thought to select more difficult, personal questions for the purposes of recovering a lost password.
The incident does bring up something broader: Those of us who use the Internet for social purposes often leave behind a paper trail of fun facts that might be found with something as simple as a Google search. I shouldn’t have to go on any further to tell you what info you probably shouldn’t post about yourself in a blog or forum somewhere. Nor should I have to tell you, much less a government official, what questions should be selected during registration in the event you lose your password (of course, most people who are in the government have their own government hosted e-mail accounts that are subject to much stricter security policies… apparently Alaska didn’t get the memo).
So now you know how it happened and how it could happen to you if you ever plan to become famous or just have some half-assed blog like this one that almost nobody reads (except for Google’s robots). We should be glad the emails that have leaked didn’t contain anything sensitive to national security (then again, you think she’s ever had access to such information?), and I’m betting Palin is literally counting her blessings for that very reason right now. Not just because she lucked out on having her emails stolen by strangers located in who knows what country, but also because she can notch this up as legitimate experience with regard to national security (it’s practically a step up from claiming you know all about foreign policy because you can see Russia from your house).
Update: An article detailing where the law stands on all of this can be found here:
DOJ View on Email Privacy May Hamper Prosecution of Palin Hackers
I should also throw out the ever so hypothetical rhetorical question: Why was having this email account necessary in the first place?