Friday, September 19, 2008

How Did Palin's Yahoo Mail Get Hacked

It's actually not that hard to do. All they did was basically go in through the front door.

It appears that the hacker(s) used Yahoo's really insecure "forgot my password" feature to get in. For someone as famous as Palin is now, it's easy to do a little digging into her background and turn up information such as names, places she's lived, jobs she's held, the names of her kids, and so on. All of these are exactly what Yahoo's feature asks for to prove you are who you say you are: authentication.

Using all this info they gleaned, they were able to hit on the right password and, voila, access.

Lots of sites (and companies) use this sort of test questioning for forgotten accounts and passwords, and it's really not a good idea. Since it's now easy to Google someone and find out all sorts of things that previously only the actual person would know, it's time to be a little more robust. Instead of "what street did you live on when you were a kid", how about "what was the last name of the person who lived across the street from you when you were a kid?" Much harder to social engineer, and while not perfect, a bit more secure.
