Hacker Catches Yahoo! Off Guard

You already know about the hacker who broke into the Yahoo! (Nasdaq: YHOO) email account of vice presidential candidate Sarah Palin, publishing the contents for everyone to see.

As details of the account's hijacking begin to roll out, it seems as if Yahoo!'s lax password retrieval interface may have been the key.

Initial reports say the alleged hacker confessed to the simplicity of breaking into the account, which basically entailed providing Yahoo!'s automated engine for forgotten passwords with answers like the Alaskan governor's email, her ZIP code, and where she met her spouse.
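The weakness described above is that answers to "secret" questions were treated as the credential itself. As an added illustration (not the article's or Yahoo!'s code), here is a constructed recovery flow in which correct answers only trigger delivery of a random, short-lived, single-use token to a registered backup address, with lockout after repeated wrong answers; all names and sample values are made up.

```python
import hashlib, hmac, secrets, time

MAX_ANSWER_ATTEMPTS = 3      # lock recovery after this many wrong answer sets
TOKEN_TTL_SECONDS = 15 * 60  # reset token lifetime

def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()  # answers, tokens, passwords never stored in clear

def _answer(value):
    return _digest(value.strip().lower())  # case/whitespace-insensitive comparison of answers

class RecoveryService:
    # Constructed model of a password-recovery service; not any real provider's implementation.
    def __init__(self, now=time.time):
        self.now = now
        self.accounts = {}  # username -> {"backup_email": str, "answers": {question: digest}}
        self.failed = {}    # username -> consecutive wrong answer sets
        self.tokens = {}    # username -> (token digest, expiry timestamp)

    def register(self, username, backup_email, answers):
        self.accounts[username] = {
            "backup_email": backup_email,
            "answers": {q: _answer(a) for q, a in answers.items()},
        }

    def request_reset(self, username, answers):
        """Correct answers only trigger an out-of-band token; they never reset anything."""
        acct = self.accounts.get(username)
        if acct is None or self.failed.get(username, 0) >= MAX_ANSWER_ATTEMPTS:
            return None  # unknown account or locked out: identical response either way
        expected = acct["answers"]
        if set(answers) != set(expected) or any(
            not hmac.compare_digest(expected[q], _answer(a)) for q, a in answers.items()
        ):
            self.failed[username] = self.failed.get(username, 0) + 1
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[username] = (_digest(token), self.now() + TOKEN_TTL_SECONDS)
        return {"send_to": acct["backup_email"], "token": token}  # deliver only to send_to

    def complete_reset(self, username, token, new_password):
        entry = self.tokens.pop(username, None)  # single use: any attempt consumes it
        if entry is None:
            return False
        token_digest, expires_at = entry
        if self.now() > expires_at or not hmac.compare_digest(token_digest, _digest(token)):
            return False
        self.accounts[username]["password"] = _digest(new_password)  # stand-in for a real KDF
        self.failed[username] = 0
        return True
```

Knowing someone's ZIP code or where they met their spouse gets an attacker nothing here unless they also control the backup mailbox, and guessing answers three times locks recovery for the account.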

Set your political affiliations aside. Let's even set aside where you stand on email snooping. The key takeaway for Yahoo! investors here is that Yahoo! is apparently quite vulnerable.

"For Yahoo!'s sake, let's hope that it was a security oversight on Palin's part and not the result of a hacker tricking Yahoo! into retrieving the password," I wrote earlier this week.

Unfortunately, it seems as if it's the retrieval system. Yes, Palin probably could have done the smart thing and made up obscure answers to the questions, but most Internet users approach free Webmail offerings -- such as Yahoo! Mail, Microsoft's (Nasdaq: MSFT) Hotmail, Google's (Nasdaq: GOOG) Gmail, or Time Warner's (NYSE: TWX) AOL -- casually.

This naturally opens the door for rivals to promote their user safeguards. Broadband providers such as Comcast (Nasdaq: CMCSA) and AT&T (NYSE: T) that provide email accounts to paying subscribers no doubt will jump on this incident to market their own alternatives.

Yahoo! can't afford to stay quiet. With more than 260 million active accounts, it will need to shore up confidence that it can protect its users.

In his alleged online confession, the hacker laments that he didn't find anything juicy in the emails. He did, though. He unearthed flaws at Yahoo!

Microsoft is a Motley Fool Inside Value recommendation. Google is a Rule Breakers recommendation. Try any of our Foolish newsletter services free for 30 days.

Longtime Fool contributor Rick Munarriz is a fan of Yahoo! and Microsoft, but not of bad weddings. He owns no shares in any of the stocks in this story. Rick is also part of the Rule Breakers newsletter research team, seeking out tomorrow's ultimate growth stocks a day early. The Fool has a disclosure policy.


Comments from our Foolish Readers

  • On September 19, 2008, at 3:43 PM, tradermagic wrote:

    It's true that most consumers of free email accounts don't take security seriously, but Yahoo should know better than to take security lightly. There are software tools available to prevent the kind of breach suffered on Palin's account. Beefing up with stronger multi-factor authentication, blocking proxies (which the hacker used to post anonymously), and taking customer complaints more seriously would be a good place to begin. Let's hope this embarrassment causes Yahoo to do some serious examination of its policies and practices.

  • On September 19, 2008, at 3:59 PM, mikeque wrote:

    I have noticed this flaw in most websites, not just Yahoo's. Even on some bank sites. Many websites insist that you give a password hint to retrieve the password in the event that you forget it. What happens is that the password hint serves as a backdoor password, but something easy to guess. It even asks anyone who requests it something like: "what is your elementary school" and then you have the password. Anyone who knows this about you and your login name can get your password.

    What is maddening is that some sites don't just encourage but require this. I am surprised that this practice is so universal. Hopefully this publicity will be a wake up call to those developing secure web sites.

  • On September 19, 2008, at 7:58 PM, InvestorStorm wrote:

    Financial institutions had to comply with FFIEC regulations that went into effect at the beginning of this year to upgrade systems with a strong multi-factor authentication system. They didn't dictate which authentication factors had to be used, but left it to the discretion of the company to determine what best suits their needs. Some banks prefer not to be intrusive and opt for less stringent methods, while others do machine fingerprinting and rules-based AI.

    Some banks are using better authentication systems than others, as are some mail providers utilizing better systems than others. Many of the breaches that have occurred are at institutions that use weaker authentication.

    Yahoo could certainly easily implement software that handles strong authentication with little impact. In fact, many of the products on the market provide 'fraud networks' that IP addresses can be run against to eliminate problem proxies or intercept IP addresses from servers in countries where cyber crime is very high and growing.

    Yahoo has many other issues on their site that implementing strong multi-factor authentication would eliminate (such as click fraud and pay to post fraudulent traffic).

  • On September 20, 2008, at 9:49 AM, mocoltsfan wrote:

    Send me the dude's name. I recently had a head injury and forgot my Yahoo password, never mind that they're charging my credit card for two premium services. In order to get into the damn thing they want me to send a copy of my driver's license and social security card. I've had the account for a decade and am no threat to national security; this is radical even by my standards, so I am taking my act to another site.

  • On September 20, 2008, at 5:24 PM, usuresure wrote:

    It's clear this kid has been set up. He hacked her email, found nothing, absolved her of any wrongdoing, but was still compelled to send it to a web site after expressing fear of the FBI? Why? No one would have known he had even done it if it wasn't posted to... Why, after you found nothing, would you go ahead and post it when it could put you in prison and would only absolve her of any wrongdoing? Why would he do that, then say there was nothing incriminating? If he really was scared at that point, all he had to do was go to bed and forget it. Then he supposedly writes an email that he did it and uses a name he had used for years all over the net? Right, sure sure. He said he was only behind one proxy and knew that wasn't enough; then why wasn't he behind three proxies? No my friends, it's not true. Palin needed an excuse to get rid of her e-mails and this kid is being framed.

  • On September 21, 2008, at 10:38 AM, kenarthur wrote:

    Yahoo had their VP respond on a blog they run about the breach, and his response suggested customers use longer passwords. It's obvious he's clueless about the breach.

    A longer password wouldn't have done a thing to prevent this breach. Yahoo's password reset process requires strengthening. A college kid was able to social engineer and breach Yahoo's system by using public information about Palin.

    Yahoo needs to strengthen their challenge questions, block proxies that mask identities, and perhaps install some type of multi-factor authentication that runs passively behind the scenes.

    I found the circumstances of this breach unsettling. Yahoo runs all this behind the scenes b

  • On September 21, 2008, at 10:39 AM, kenarthur wrote:

    Yahoo runs all this behind the scenes behavioral marketing using elaborate algorithms, extracting personal data, and tracking behavior online, but they can't do a simple thing like strong authentication? Let's get our priorities straight.
