Updated on Wednesday, Sept. 17 at 8:40 p.m. EST
Hackers have reportedly breached the Yahoo email account of Republican vice presidential candidate Sarah Palin, exposing some of the contents on Wikileaks, a clearinghouse for whistleblower documents.
The Alaska governor’s account — gov.palin[at]yahoo.com — was hijacked Tuesday night by a hacker group known as Anonymous, according to published reports.
Security experts told SCMagazineUS.com on Wednesday that the hackers most likely breached the account through a brute force attack, in which a commonly available, automated program tries every possible login credential until the code is cracked. The vandals also may have employed a dictionary attack, in which only common words — typically found in a dictionary — are tried.
Anonymous provided Wikileaks with screenshots of the hack, which include an email exchange between Palin and Alaska Lt. Gov Sean Parnell concerning his campaign for Congress and a list of Palin’s email contacts, Wired reported.
Attempts to reach the Wikileaks site where the emails and other information are being displayed were unsuccessful due to a high level of traffic. Media gossip blog Gawker posted screenshots on Wednesday.
Prior to news of the hack, Palin had been under fire for using her Yahoo account to conduct state business, fueling speculation that she was trying to skate around certain regulations, such as email archiving or the state’s public records act.
Email security experts told SCMagazineUS.com on Wednesday that cracking a web mail account is not difficult if someone is dedicated to doing so.
There are a growing number of “password recovery” services on the underground web that commonly use brute force-style attacks to retrieve passwords, usually at a cost of about $100 to $200 per account, Gunter Ollmann, director of security strategy at IBM Internet Security Systems, said in a recent blog post.
“There are tools on the internet that will start with ‘aaaa’ and work all the way through,” Graham Cluley, senior technology consultant at Sophos, told SCMagazineUS.com.
Even simpler for the hackers, Palin could have been using an easy-to-guess password, or the hackers could have recovered the password by providing Yahoo’s password reset service with easy-to-obtain personal information about Palin, such as a birthdate or zip code, experts said.
Less likely scenarios are that Anonymous got its hands on the credentials by infecting Palin’s machine with a keylogger or by sniffing the password when she was using an insecure wireless connection, Cluley said. The hackers may have initially stolen the password she used for another website and found that it also worked on her Yahoo account.
“Over 40 percent of people use the same password for every single website they go to,” he said.
Observers said a high-profile person such as Palin should have known better than to use a personal account for work.
“The reason we have corporate emails is because we have corporate IT staff…that are supposed to guarantee some level of security,” said Adam O’Donnell, director of emerging technologies at Cloudmark.
He added that many business email accounts are protected through another form of authentication, such as tokens, making a hack much less likely.
“In general, you’re going to get better security controls for a privately controlled account than a public account,” O’Donnell told SCMagazineUS.com.
This incident should serve as a catalyst for web mail providers to bolster the authentication technologies they offer users, he said.
“People’s attitudes toward their free email accounts are going to change as a result of this,” O’Donnell said.
Yahoo spokeswoman Kelley Benander told SCMagazineUS.com that the company cannot comment on an individual user’s account.
But if Yahoo learns that an account has been hijacked, it will “investigate for suspicious activity and take appropriate action,” she said.
“This is a shocking invasion of the governor’s privacy and a violation of law. The matter has been turned over to the appropriate authorities and we hope that anyone in possession of these e-mails will destroy them,” the McCain campaign said in a statement, as reported by the Associated Press.