Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Romney Campaign Investigates Hotmail Account Hack

Attacker claims one-off access of Romney's Hotmail and Dropbox accounts was accomplished by guessing the name of a favorite pet.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Memo to presidential contenders: Lose the free Webmail accounts.

A hacker Tuesday claimed to have infiltrated the personal Hotmail [email protected] Dropbox account of Republican presidential candidate Mitt Romney, after guessing his "favorite pet" security question to change the password. Gawker broke the story after receiving an email from the hacker, who said he--or she--had gleaned Romney's Hotmail address from a recent news story, although Gawker redacted the supplied password.

"I hacked in after finding the answer to the security question, 'What is your favorite pet?' It is [redacted] by the way. The password is now [redacted] ... This is also the password for the Dropbox account," said the hacker's email. "This is all I have gotten into. I have nothing to do with Anonymous and have never done something like this before. Goodbye."

"The tipster didn't include any screenshots or evidence of what the accounts contained as proof," noted Gawker, which said that for legal reasons, it didn't test to see whether the proffered password for Romney's accounts worked. But the breach suggests that Romney--or his aides--used the same password across multiple Web services.

[ Hackers are finding security holes in many places. Read Google Apps Security Beat By CloudFlare Hackers. ]

The Romney campaign, meanwhile, confirmed that a related investigation is underway, but didn't detail which accounts may have been hacked, or whether they were used by Romney for personal communications. "Proper authorities are investigating this crime and we will have no further comment on it," according to a statement released by Gail Gitcho, Romney's campaign communications director.

The hack of Romney's "favorite pet" question is ironic, given his complicated history with animals. Or as The New Yorker recently put it, "We know about Seamus the dog, how Romney put him in a crate and strapped it to the roof of the family station wagon for hours of driving."

The unauthorized email access recalls a similar incident in 2008 involving Republican candidate for vice president Sarah Palin, after 4Chan aficionado David C. Kernell, then 22, guessed her Yahoo Mail password--"popcorn"--and leaked screenshots and text files to WikiLeaks. In April 2010, a federal jury convicted Kernell of obstruction of justice and unauthorized access to a computer.

In 2008, WikiLeaks justified releasing the Palin information by noting that "Governor Palin has come under criticism for using private email accounts to conduct government business and in the process avoid transparency laws."

Similar questions have been dogging Romney. Notably, The Wall Street Journal Tuesday published what it said is "believed to be the most complete set of the internal emails to date, including attachments to some of the messages" from Romney's tenure as governor of Massachusetts, from 2003 to 2007.

That feat was made possible by a public records request, which turned up "a small cache of emails," but it evidently took some digging. "When Mitt Romney left office as Massachusetts governor, his aides removed all emails from a server computer in the governor's office, and purchased and carted off hard drives from 17 state-owned personal computers," reported the Journal.

Earlier this year, the Associated Press reported that Romney had used a free Microsoft Hotmail account and private email address to conduct state business. The AP noted that copies of the emails--which it obtained under Massachusetts Public Records Law and which spanned a four-month period--were not included in boxes of archived materials that it was allowed to examine from Romney's time as governor.

The rise of Webmail has led to questions over the degree to which government communications--long a matter if not of public record, then at least national archiving--are being captured for posterity. Government watchdogs in particular have warned that official business conducted via private email addresses raise transparency questions, while security experts have long warned that such communications are more liable to being intercepted by hackers or intelligence agencies.

On a related note, the White House instituted a new email archiving program in 2010, including controls to prevent unauthorized deletions, after settling a suit filed by the National Security Archive and Citizens for Reform and Ethics in Washington in 2007. The two groups sued the White House in response to reports that millions of White House emails had gone missing after the Bush administration, which moved from Lotus Notes to Microsoft Exchange, abandoned an email archiving system that had been installed during the Clinton Administration.

Members of the Bush Administration--including then White House Deputy Chief of Staff Karl Rove--also came under fire for not using the White House email system for official communications. Rove said he'd avoided using the White House system for the majority of his communications because it wouldn't work with his BlackBerry.

More than 900 IT and security professionals responded to InformationWeek’s 2012 Strategic Security Survey. Our results cover a variety of areas critical to information risk management, including cloud, mobility, and software development. Download the 2012 Strategic Security report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/13/2012 | 11:06:53 AM
re: Romney Campaign Investigates Hotmail Account Hack
We can't make any inferences about password reuse from what we have in the story. Instead what probably happened was that the attacker reset the password for the Hotmail account, which was linked to Dropbox and allowed him to reset that password as well. It's doubtful the person discovered the original passwords.
User Rank: Apprentice
6/7/2012 | 4:00:57 PM
re: Romney Campaign Investigates Hotmail Account Hack
People in such positions need to use more caution in these areas, but the these email providers need to take some responsibility and steps to secure there users accounts. But from what I can see they want to be hacked, spammed and viewed as not being secure? And they will continue to be hacked and defrauded until they pull their heads out of the sand and implement some form of 2FA (two-factor authentication) where you can safely telesign into your account by entering a one-time PIN code.
User Rank: Apprentice
6/6/2012 | 5:48:57 PM
re: Romney Campaign Investigates Hotmail Account Hack
We users are very naive to believe our information is safe online when is password protected G passwords, and challenge questions and captcha are a thing of the past. The only safe online sites are those who allow us to telesign in. It doesn't matter if you are purchasing, using email, paying a bill..If it doesn't let you telesign in, browse away!
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-12
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
PUBLISHED: 2021-05-12
An Information Disclosure vulnerability exists in dhcms 2017-09-18 when entering invalid characters after the normal interface, which causes an error that will leak the physical path.
PUBLISHED: 2021-05-12
evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use `evm_core::Memory::copy_large`, the `evm` crate can over-allocate memory when it is not needed, making it possible for an attacker to perform d...
PUBLISHED: 2021-05-12
A Cross SIte Scripting (XSS) vulnerability exists in Dhcms 2017-09-18 in guestbook via the message board, which could let a remote malicious user execute arbitrary code.
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.