The web is abuzz with how vice presidential candidate Sarah Palin’s email got hacked. Hackers who obtained Alaska Gov. Palin’s email password apparently used the “forgot my password” feature of Yahoo’s email service.
The hackers evidently used information they knew about Palin — her ZIP code, date of birth, and that she met her husband in high school — to trick Yahoo’s service into assigning a new password for Palin’s email account.
PC World notes that the security question that Palin chose didn’t turn out to be so secure. Most online services ask questions that only you should know. But in Palin’s case, it must have been something that could easily be guessed, given all of the public information available about her.
Meanwhile, Ars Technica suggests that current reports (such as one from Wired’s Threat Level blog) fingering the son of a Democratic politician could be a set-up, and that it should be possible to track down the actual attacker through the IP address used via an anonymizing service.
Lastly, if you recall, security researcher Dan Kaminsky warned in August that the “forgot my password” feature of many web sites is insecure, particularly given that emails can be redirected where servers with the DNS flaw Kaminsky exposed haven’t been patched.
If authorities track down the perpetrator, the attacker could face jail time. Sophisticated or not, it’s still illegal to crack someone’s password for a private email account.