How To Hack An Email Account

A few years ago, my wife Lauren, along with some friends of hers, planned a surprise baby shower for her best friend. My wife sent out an email to her pregnant friend with their “pretend” plans to get lunch and BCC’d (blind carbon copied) the other friends she was planning the shower with.

The email came to my inbox, and then, a few minutes later, another message from one of the friends blind copied on the email saying “She’s going to be so surprised! Can’t wait!”, AND ACCIDENTALLY INCLUDED THE FRIEND BEING SURPRISED on the email. This is the worst possible use of the “Reply All” button.

I called my wife and explained the situation. Once I got home, we talked about it in more detail. “We have to hack her email to prevent her from seeing that message,” I told Lauren. “How?” she asked. Here’s what I told her.

A few years ago, Alaska Governor Sarah Palin’s email was hacked. The hackers didn’t guess her password, or even break into her house and look under her keyboard. What they actually did was ANSWER HER SECURITY QUESTIONS.  Security questions are used when you can’t remember your password, or your password isn’t working. The idea is that you provide information that only you would know, and then you’re given access to your account.

In the case of Sarah Palin, her security questions were “What’s your birthdate?” and “What high school did you attend?” WHICH IS ALL PUBLIC INFORMATION. The hacker in question, David Kernell, answered those questions, and posted the password for anyone who wanted to access Sarah Palin’s email account.

I explained to my wife that we would have to do something similar. Guessing the password would probably be impossible, so that left the security questions.

So we went to the email log-in screen.

Yahoo Mail

The first security question:

What was the name of your first pet? Lauren knew this without any trouble.

The second security question:

Where did you go on your honeymoon? My wife practically laughed at that question, because apparently it was that easy.  I don’t know where any of my friends went on their honeymoons.

The third security question:

What was the name of your favorite teacher? This one was tricky. Lauren thought about it for a while, because she knew the person, but she didn’t know the name. But a quick phone call later to a family friend, and we had the name.

And just like that, we could reset the password. We changed it, logged in, deleted the email, and logged out.  The shower was a surprise, so mission accomplished.  Lauren told her friend what happened after the shower. She vaguely remembered needing to reset her password for some unknown reason, but she quickly forgot about it.

So what can you do to prevent your passwords being compromised by someone with much more nefarious intentions?

Cyber-Security Expert Scott Schober, in his new book “Hacked Again: It Can Happen To Anyone – Even a CyberSecurity Expert”, Scott tells his personal stories of being hacked on multiple occasions, both on a professional and personal levels. Throughout the book, he stresses the importance of strong passwords. He provided a statistic that may be surprising: “In 2014, forensic investigations have revealed that 80% of security breaches involve stolen or weak passwords.”

Gaining access to your accounts is much easier than you think, especially if someone can use clues you provide on social media.  You might not be famous, but that doesn’t mean someone else couldn’t figure out the answers to your security questions. I could log-on to Facebook or Instagram, see pictures of your pets or pictures from your honeymoon (#Paris!) and start answering those security questions easily.

One question companies frequently use to verify your identity is your birth date. In his book, Scott Schober relates an experience at a conference he recently attended. He met people at the conference, connected with them on LinkedIn, and discovered that many of them had their birthdays listed on their public profiles. He could also see what high school and college they had attended, and entering their email address into a search engine provided event further details, including recent Craigslist postings. The next day at the event, when giving a presentation, he mentioned in under an hour, he was able to discover 10% of the attendees listed their birthdays on their public LinkedIn profiles, and was able to find other information from social media platforms, including names of their pets.

What can you do to prevent this from happening?  Scott recommends a strong password that’s at least 15 characters long, and has a mix of letters (both upper and lowercase), numbers, and symbols. To make those passwords easier to remember, Scott recommends using the first letter of a phrase that makes sense to you – perhaps the first line of a song or poem. “The Quick Brown Fox Jumped Over The Lazy Dog” could translate into a password like TQBFJOTLD – and adding symbols for some of the letters could change it to +qbfj0T!d.

Another solution presented by Scott is to use two factor authentication, which is when you verify your identity using 2 methods – for instance, by entering a password and a special code sent to a phone. The web site sends you a text message with some numbers, and you enter those numbers into the site to prove who you are before gaining access.  Although it does require an extra step to verify your identity, it’s an excellent safeguard because it requires using a device you must have in your possession to gain access.

Yahoo Mail No Security Questions

Scott’s book includes some excellent advice for people who may not feel comfortable dealing with such complex security details on their own. Admittedly, the knowledge to prevent these situations comes with time and experience. I highly recommend “Hacked Again” as an important read for every online user to ensure their privacy remains protected.