A hacker yesterday claimed to have broken into a personal email account linked to GOP presidential candidate Mitt Romney by answering "secret" password-reset questions.
Gawker first reported the break-in after the anonymous intruder made the claim via -- ironically -- email. The hacker also said the password used for [email protected] was the same that secured a Dropbox account associated with Romney.
However, the hacker had not provided evidence of the hack, such as screenshots of the account's inbox or messages, and Gawker, fearing legal repercussions, did not access either the Hotmail or Dropbox accounts with the password provided by the intruder.
The incident is reminiscent of one in 2008 when a Tennessee college student broke into the Yahoo Mail account of then-Gov. Sarah Palin, the Republican nominee for vice president during that year's campaign.
As with the Romney hack, the one on Palin's account was successful because the snooper was able to correctly answer the security questions that preceded a password reset.
In 2010, 20-year-old David Kernell was sentenced to a year in prison for the Palin breach.
"'Secret' questions have been fraught with problems for a while now," said Charles McColgan, chief technology officer at TeleSign, a company that markets anti-fraud solutions to organizations and enterprises. "As the Palin case showed, the answers are often very easily discoverable types of things. Secret questions are just not that secret."
Before he was arrested, Kernell had boasted online that it took him less than an hour of research to find the answers Palin's account required before resetting its password.
According to wire service reports, Romney's campaign did not confirm that the Hotmail account was actually the candidate's, but did say that it had alerted law enforcement officials, which were "investigating this crime," hinting that the account was, in fact, Romney's or run on his behalf.
One expert doubted it was Romney's personal account.
"I think this was a throw-away account, or at best, one run by a staffer," said Phil Lieberman, CEO of Lieberman Software, an identity and password management developer. "I wouldn't be surprised if he doesn't have a number of accounts, but where he came from, the equity capital business, I'd be shocked if his confidential information wasn't done through a full email service, not a free consumer-grade account like this. With his experience in fiduciary and confidentiality responsibility, security has got to be baked into his DNA."
McColgan disagreed. "People break the rules all the time," he noted, referring to practices that users engage in even though they know it's not what they should do.
In fact, the Associated Press reported earlier this year that Romney did use a Hotmail account, specifically [email protected], and he and his aides relied on other private email addresses, while he was governor of Massachusetts. Although not illegal, the practice was contrary to his administration's own policy and warnings to state agencies.
The AP, and later the Wall Street Journal, obtained documents that showed the [email protected] address after filing records requests with Massachusetts state officials.
Hotmail -- and other free email services such as Yahoo Mail and Google's Gmail -- offer additional protection against this kind of hacking, primarily through a two-step authentication that sends a second password for an account to a pre-defined phone number. The security feature doesn't seem to have been in place for the [email protected] account, assuming the intruder's claims are accurate.
That didn't surprise McColgan.
"More would use the phone verification step if companies like Google and Microsoft pushed it more," McColgan said. "Users will do what [Google, Microsoft and Yahoo] drive them to do, as long as it's very easy to use."
There's evidence of that, said McColgan, who noted that the Q&A "secret questions" concept superseded the earlier practice of asking users to provide an alternative email address for verification purposes.
Lieberman expected that the Romney hacker would be quickly found out, as was Kernell.
"These services collect an amazing amount of information, they know the exact IP address of each log-on," said Lieberman. "They know who did this, and the consequences are guaranteed."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is [email protected].
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.