Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Romney Campaign Investigates Hotmail Account Hack

Attacker claims one-off access of Romney's Hotmail and Dropbox accounts was accomplished by guessing the name of a favorite pet.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Memo to presidential contenders: Lose the free Webmail accounts.

A hacker Tuesday claimed to have infiltrated the personal Hotmail [email protected] Dropbox account of Republican presidential candidate Mitt Romney, after guessing his "favorite pet" security question to change the password. Gawker broke the story after receiving an email from the hacker, who said he--or she--had gleaned Romney's Hotmail address from a recent news story, although Gawker redacted the supplied password.

"I hacked in after finding the answer to the security question, 'What is your favorite pet?' It is [redacted] by the way. The password is now [redacted] ... This is also the password for the Dropbox account," said the hacker's email. "This is all I have gotten into. I have nothing to do with Anonymous and have never done something like this before. Goodbye."

"The tipster didn't include any screenshots or evidence of what the accounts contained as proof," noted Gawker, which said that for legal reasons, it didn't test to see whether the proffered password for Romney's accounts worked. But the breach suggests that Romney--or his aides--used the same password across multiple Web services.

[ Hackers are finding security holes in many places. Read Google Apps Security Beat By CloudFlare Hackers. ]

The Romney campaign, meanwhile, confirmed that a related investigation is underway, but didn't detail which accounts may have been hacked, or whether they were used by Romney for personal communications. "Proper authorities are investigating this crime and we will have no further comment on it," according to a statement released by Gail Gitcho, Romney's campaign communications director.

The hack of Romney's "favorite pet" question is ironic, given his complicated history with animals. Or as The New Yorker recently put it, "We know about Seamus the dog, how Romney put him in a crate and strapped it to the roof of the family station wagon for hours of driving."

The unauthorized email access recalls a similar incident in 2008 involving Republican candidate for vice president Sarah Palin, after 4Chan aficionado David C. Kernell, then 22, guessed her Yahoo Mail password--"popcorn"--and leaked screenshots and text files to WikiLeaks. In April 2010, a federal jury convicted Kernell of obstruction of justice and unauthorized access to a computer.

In 2008, WikiLeaks justified releasing the Palin information by noting that "Governor Palin has come under criticism for using private email accounts to conduct government business and in the process avoid transparency laws."

Similar questions have been dogging Romney. Notably, The Wall Street Journal Tuesday published what it said is "believed to be the most complete set of the internal emails to date, including attachments to some of the messages" from Romney's tenure as governor of Massachusetts, from 2003 to 2007.

That feat was made possible by a public records request, which turned up "a small cache of emails," but it evidently took some digging. "When Mitt Romney left office as Massachusetts governor, his aides removed all emails from a server computer in the governor's office, and purchased and carted off hard drives from 17 state-owned personal computers," reported the Journal.

Earlier this year, the Associated Press reported that Romney had used a free Microsoft Hotmail account and private email address to conduct state business. The AP noted that copies of the emails--which it obtained under Massachusetts Public Records Law and which spanned a four-month period--were not included in boxes of archived materials that it was allowed to examine from Romney's time as governor.

The rise of Webmail has led to questions over the degree to which government communications--long a matter if not of public record, then at least national archiving--are being captured for posterity. Government watchdogs in particular have warned that official business conducted via private email addresses raise transparency questions, while security experts have long warned that such communications are more liable to being intercepted by hackers or intelligence agencies.

On a related note, the White House instituted a new email archiving program in 2010, including controls to prevent unauthorized deletions, after settling a suit filed by the National Security Archive and Citizens for Reform and Ethics in Washington in 2007. The two groups sued the White House in response to reports that millions of White House emails had gone missing after the Bush administration, which moved from Lotus Notes to Microsoft Exchange, abandoned an email archiving system that had been installed during the Clinton Administration.

Members of the Bush Administration--including then White House Deputy Chief of Staff Karl Rove--also came under fire for not using the White House email system for official communications. Rove said he'd avoided using the White House system for the majority of his communications because it wouldn't work with his BlackBerry.

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/13/2012 | 11:06:53 AM
re: Romney Campaign Investigates Hotmail Account Hack
We can't make any inferences about password reuse from what we have in the story. Instead what probably happened was that the attacker reset the password for the Hotmail account, which was linked to Dropbox and allowed him to reset that password as well. It's doubtful the person discovered the original passwords.
User Rank: Apprentice
6/7/2012 | 4:00:57 PM
re: Romney Campaign Investigates Hotmail Account Hack
People in such positions need to use more caution in these areas, but the these email providers need to take some responsibility and steps to secure there users accounts. But from what I can see they want to be hacked, spammed and viewed as not being secure? And they will continue to be hacked and defrauded until they pull their heads out of the sand and implement some form of 2FA (two-factor authentication) where you can safely telesign into your account by entering a one-time PIN code.
User Rank: Apprentice
6/6/2012 | 5:48:57 PM
re: Romney Campaign Investigates Hotmail Account Hack
We users are very naive to believe our information is safe online when is password protected G passwords, and challenge questions and captcha are a thing of the past. The only safe online sites are those who allow us to telesign in. It doesn't matter if you are purchasing, using email, paying a bill..If it doesn't let you telesign in, browse away!
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (, contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (, contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.