Web Mail Rivals at Risk of Password-Reset Hacks

Yahoo Mail isn't the only Web-based e-mail service that hackers could dupe into giving up user passwords, the tactic that was apparently used to break into the e-mail account of Alaska Gov. Sarah Palin, the Republican nominee for vice president.

Google Inc.'s Gmail and Microsoft Corp.'s Windows Live Hotmail also rely on automated password-reset mechanisms that can be abused by someone who knows the username associated with an account and an answer to a single security question, according to tests done by Computerworld.

Several reporters were able to access colleagues' accounts on all three services and then quickly reset their passwords. None of the services required the new passwords to be sent to an alternate e-mail address, although all three offered that as an option.

Adam O'Donnell, director of emerging technologies at messaging security vendor Cloudmark Inc., said that automated password-reset is the rule in Web mail, whether the service is free or offered to users by ISPs as part of their subscriptions.

Personal information that provides answers to account security questions can often be found by searching social networks and other Web sites. The hacker who accessed Palin's account -- a person using the name "Rubico" -- claimed in an online post that it took just 45 minutes to dig up the needed info.

David Kernell, the 20-year-old son of a Tennessee state representative, has been connected to the Rubico name in blog posts and online message boards. A federal grand jury in Chattanooga began hearing testimony about the hacking incident last week.

Meanwhile, the FBI served a search warrant at the Knoxville apartment of a college student, who was identified as David Kernell by a local television station. And a lawyer who is representing Kernell said in a statement that the student's family "wants to do the right thing, and they want what is best for their son."

This version of the story originally appeared in Computerworld's print edition.


Copyright © 2008 IDG Communications, Inc.
