Sarah Palin Hack an Example of Password Recovery Backfire

Perhaps the most unsettling thing about the hack on Republican vice presidential candidate Sarah Palin’s Yahoo e-mail account was the way it happened.

Rather than some automated tool or complex virus, Google and Wikipedia searches appear to have been the weapons used to knock down the walls guarding her e-mail.

When news of the hack first circulated Wednesday, it was reported that screenshots of Palin’s account had been passed on to Wikileaks by hackers linked to “Anonymous,” a name given to the collection of anonymous posters on 4chan.org’s message boards.

However, there are indications now that the attack may have originated with a single hacker identified by the handle “Rubico.” The name has since been linked to the 20-year-old son of Tennessee State Rep. Mike Kernell, a Democrat.

Wednesday, Rubico posted details of the incident on 4chan.org’s popular /b/ board, claiming he was behind the attack. His account of the event has since been removed, but can be viewed here (warning – profanity is used).

As it turns out, his methods of gaining entry were not all that complex. According to his account, he used personal information about Palin obtained through simple Web searches to get around Yahoo’s password recovery feature.

Yahoo required the user provide Palin’s birthday and zip code, which the hacker said he found through Wikipedia and Google. The final security measure required him to answer a question regarding where Palin met her spouse; another Google search turned up the answer.

“I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high,” the hacker wrote on Wednesday. “I promptly changed the password to ‘popcorn’ and took a cold shower…”

The incident remains under investigation by the FBI and Secret Service. In the meantime, it might be good for Yahoo to consider giving users the ability to create their own security questions, as Gmail does.