Attacker claims one-off access of Romney's Hotmail and Dropbox accounts was accomplished by guessing the name of a favorite pet.

Mathew J. Schwartz, Contributor

June 6, 2012

4 Min Read


Memo to presidential contenders: Lose the free Webmail accounts.

A hacker Tuesday claimed to have infiltrated the personal Hotmail account ([email protected]) and Dropbox account of Republican presidential candidate Mitt Romney, after guessing the answer to his "favorite pet" security question to reset the password. Gawker broke the story after receiving an email from the hacker, who said he--or she--had gleaned Romney's Hotmail address from a recent news story; Gawker redacted the supplied password.

"I hacked in after finding the answer to the security question, 'What is your favorite pet?' It is [redacted] by the way. The password is now [redacted] ... This is also the password for the Dropbox account," said the hacker's email. "This is all I have gotten into. I have nothing to do with Anonymous and have never done something like this before. Goodbye."

"The tipster didn't include any screenshots or evidence of what the accounts contained as proof," noted Gawker, which said that for legal reasons, it didn't test whether the proffered password for Romney's accounts worked. But if the claim is accurate, it suggests that Romney--or his aides--reused the same password across multiple Web services, so that resetting one account's password via a guessable security question exposed the other.


The Romney campaign, meanwhile, confirmed that a related investigation is underway, but didn't detail which accounts may have been hacked, or whether they were used by Romney for personal communications. "Proper authorities are investigating this crime and we will have no further comment on it," according to a statement released by Gail Gitcho, Romney's campaign communications director.

The hack of Romney's "favorite pet" question is ironic, given his complicated history with animals. Or as The New Yorker recently put it, "We know about Seamus the dog, how Romney put him in a crate and strapped it to the roof of the family station wagon for hours of driving."

The unauthorized email access recalls a similar incident in 2008 involving Republican candidate for vice president Sarah Palin, after 4chan aficionado David C. Kernell, then 22, answered her Yahoo Mail account-recovery questions with publicly available details, reset her password to "popcorn," and leaked screenshots and text files that ended up on WikiLeaks. In April 2010, a federal jury convicted Kernell of obstruction of justice and unauthorized access to a computer.

In 2008, WikiLeaks justified releasing the Palin information by noting that "Governor Palin has come under criticism for using private email accounts to conduct government business and in the process avoid transparency laws."

Similar questions have been dogging Romney. Notably, The Wall Street Journal Tuesday published what it said is "believed to be the most complete set of the internal emails to date, including attachments to some of the messages" from Romney's tenure as governor of Massachusetts, from 2003 to 2007.

That feat was made possible by a public records request, which turned up "a small cache of emails," but it evidently took some digging. "When Mitt Romney left office as Massachusetts governor, his aides removed all emails from a server computer in the governor's office, and purchased and carted off hard drives from 17 state-owned personal computers," reported the Journal.

Earlier this year, the Associated Press reported that Romney had used a free Microsoft Hotmail account and private email address to conduct state business. The AP noted that copies of the emails--which it obtained under Massachusetts Public Records Law and which spanned a four-month period--were not included in boxes of archived materials that it was allowed to examine from Romney's time as governor.

The rise of Webmail has led to questions over the degree to which government communications--long a matter of public record or, at the least, of national archiving--are being captured for posterity. Government watchdogs in particular have warned that official business conducted via private email addresses raises transparency questions, while security experts have long warned that such communications are more susceptible to interception by hackers or intelligence agencies, since consumer Webmail accounts typically rely on password-reset questions and other controls far weaker than those of a managed government email system.

On a related note, the White House instituted a new email archiving program in 2010, including controls to prevent unauthorized deletions, after settling a suit filed by the National Security Archive and Citizens for Responsibility and Ethics in Washington in 2007. The two groups sued the White House in response to reports that millions of White House emails had gone missing after the Bush administration, which moved from Lotus Notes to Microsoft Exchange, abandoned an email archiving system that had been installed during the Clinton Administration.

Members of the Bush Administration--including then White House Deputy Chief of Staff Karl Rove--also came under fire for not using the White House email system for official communications. Rove said he'd avoided using the White House system for the majority of his communications because it wouldn't work with his BlackBerry.


About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
