A student claiming to have broken into Gov. Sarah Palin's Yahoo e-mail account used a technique so simple, that it's likely to unleash a flurry of copycat attempts across the Internet.
With permission, of course, I tried the technique on a colleague's account. At first, it didn't work because I couldn't guess the answer to his security question -- in fact, he couldn't remember his own answer. But with another editor's account, once I knew the answer to her "secret question," I was able to reset the password and access her account.
Here's the key: To be able to reset the password on a Yahoo account, it looks like you need either to have access to the alternate, non-Yahoo e-mail address used to sign up for the account (which a hacker wouldn't); or know the person's Yahoo ID and security question responses -- which a hacker shouldn't, but could.
If your Yahoo ID is different from your Yahoo e-mail user name, you should be reasonably safe from this kind of attack. So, if your Yahoo ID is sharonmachlis (mine's not), my Yahoo e-mail account should not be firstname.lastname@example.org (it isn't). It should be something else at yahoo.com.
Some security experts are skeptical that an account could be accessed via a simple password reset. However, based on our simple newsroom tests, I'd say that if your e-mail user name is the same as your Yahoo ID, and your security question is one that your acquaintences would know or anyone could easily find out or guess, your Yahoo account could be at risk.
The good news: Even if your ID is obvious from your e-mail address, someone can't do an unlimited brute-force attack on your account; if they can't guess the right answers after a dozen or so tries, the password reset will lock up for 24 hours (as my colleague's did). So having a difficult-to-guess answer to a security question should protect your account.
But if you set up your account years ago, without realizing that, say, the year you graduated from college could be easily found via a Google search, well, you might want to think carefully about what you're sending and receiving in that Yahoo account.
Related news and blogs
- Report: Tenn. legislator confirms son is at center of Palin hack chatter
- Web proxy firm working with FBI to trace Palin e-mail hacker
- IT Blogwatch: Sarah Palin e-mail hacker drops anchor, arrr!
- Security researchers ponder possible Palin hacks
- Update: Hackers claim to break into Palin's Yahoo Mail account
- Sharon Machlis: Yahoo users: Like Sarah Palin, you may be vulnerable to an e-mail hack
- Douglas Schweitzer: How safe is your e-mail correspondence?
- Global News Update: Thursday, September 18, 2008
- Shark Bait: Monty Python and the Holy Bank Account