09:14 AM

Romney Campaign Investigates Hotmail Account Hack

Attacker claims one-off access of Romney's Hotmail and Dropbox accounts was accomplished by guessing the name of a favorite pet.

Memo to presidential contenders: Lose the free Webmail accounts.

A hacker Tuesday claimed to have infiltrated the personal Hotmail and Dropbox accounts of Republican presidential candidate Mitt Romney, after guessing his "favorite pet" security question to change the password. Gawker broke the story after receiving an email from the hacker, who said he--or she--had gleaned Romney's Hotmail address from a recent news story, although Gawker redacted the supplied password.

"I hacked in after finding the answer to the security question, 'What is your favorite pet?' It is [redacted] by the way. The password is now [redacted] ... This is also the password for the Dropbox account," said the hacker's email. "This is all I have gotten into. I have nothing to do with Anonymous and have never done something like this before. Goodbye."

"The tipster didn't include any screenshots or evidence of what the accounts contained as proof," noted Gawker, which said that for legal reasons, it didn't test to see whether the proffered password for Romney's accounts worked. But the breach suggests that Romney--or his aides--used the same password across multiple Web services.


The Romney campaign, meanwhile, confirmed that a related investigation is underway, but didn't detail which accounts may have been hacked, or whether they were used by Romney for personal communications. "Proper authorities are investigating this crime and we will have no further comment on it," according to a statement released by Gail Gitcho, Romney's campaign communications director.

The hack of Romney's "favorite pet" question is ironic, given his complicated history with animals. Or as The New Yorker recently put it, "We know about Seamus the dog, how Romney put him in a crate and strapped it to the roof of the family station wagon for hours of driving."

The unauthorized email access recalls a similar incident in 2008 involving Republican candidate for vice president Sarah Palin, after 4Chan aficionado David C. Kernell, then 22, guessed her Yahoo Mail password--"popcorn"--and leaked screenshots and text files to WikiLeaks. In April 2010, a federal jury convicted Kernell of obstruction of justice and unauthorized access to a computer.

In 2008, WikiLeaks justified releasing the Palin information by noting that "Governor Palin has come under criticism for using private email accounts to conduct government business and in the process avoid transparency laws."

Similar questions have been dogging Romney. Notably, The Wall Street Journal Tuesday published what it said is "believed to be the most complete set of the internal emails to date, including attachments to some of the messages" from Romney's tenure as governor of Massachusetts, from 2003 to 2007.

That feat was made possible by a public records request, which turned up "a small cache of emails," but it evidently took some digging. "When Mitt Romney left office as Massachusetts governor, his aides removed all emails from a server computer in the governor's office, and purchased and carted off hard drives from 17 state-owned personal computers," reported the Journal.

Earlier this year, the Associated Press reported that Romney had used a free Microsoft Hotmail account and private email address to conduct state business. The AP noted that copies of the emails--which it obtained under Massachusetts Public Records Law and which spanned a four-month period--were not included in boxes of archived materials that it was allowed to examine from Romney's time as governor.

The rise of Webmail has led to questions over the degree to which government communications--long a matter if not of public record, then at least national archiving--are being captured for posterity. Government watchdogs in particular have warned that official business conducted via private email addresses raises transparency questions, while security experts have long warned that such communications are more liable to being intercepted by hackers or intelligence agencies.

On a related note, the White House instituted a new email archiving program in 2010, including controls to prevent unauthorized deletions, after settling a suit filed by the National Security Archive and Citizens for Reform and Ethics in Washington in 2007. The two groups sued the White House in response to reports that millions of White House emails had gone missing after the Bush administration, which moved from Lotus Notes to Microsoft Exchange, abandoned an email archiving system that had been installed during the Clinton Administration.

Members of the Bush Administration--including then White House Deputy Chief of Staff Karl Rove--also came under fire for not using the White House email system for official communications. Rove said he'd avoided using the White House system for the majority of his communications because it wouldn't work with his BlackBerry.


User Rank: Apprentice
6/13/2012 | 11:06:53 AM
re: Romney Campaign Investigates Hotmail Account Hack
We can't make any inferences about password reuse from what we have in the story. Instead what probably happened was that the attacker reset the password for the Hotmail account, which was linked to Dropbox and allowed him to reset that password as well. It's doubtful the person discovered the original passwords.
User Rank: Apprentice
6/7/2012 | 4:00:57 PM
re: Romney Campaign Investigates Hotmail Account Hack
People in such positions need to use more caution in these areas, but these email providers need to take some responsibility and steps to secure their users' accounts. But from what I can see they want to be hacked, spammed and viewed as not being secure? And they will continue to be hacked and defrauded until they pull their heads out of the sand and implement some form of 2FA (two-factor authentication) where you can safely telesign into your account by entering a one-time PIN code.
User Rank: Apprentice
6/6/2012 | 5:48:57 PM
re: Romney Campaign Investigates Hotmail Account Hack
We users are very naive to believe our information is safe online when it is password protected. Passwords, and challenge questions and captcha are a thing of the past. The only safe online sites are those who allow us to telesign in. It doesn't matter if you are purchasing, using email, paying a bill. If it doesn't let you telesign in, browse away!