On September 17th, it was reported that Sarah Palin’s personal Yahoo email account was hacked. This was not achieved by using some unknown software exploit or a compromised computer, but with a little effort and effective use of search engines.
IT departments have long been battling to keep email under corporate control. Employees often want the ease and flexibility that free email services like Yahoo, Gmail and Hotmail provide, but these come with a hidden price in terms of security and control.
The questions that most online accounts use to authenticate the “account owner” are weak at best, and it is not difficult for a motivated individual to find out the likely answers. This is how Sarah’s account was compromised. People are beginning to wake up and realize just how much of their personal information is on the Net.
I have been told more times than I care to remember that ‘no one would want to read my email’, to which I always respond: “Oh really, you know that for certain? It only takes one irritated customer or disgruntled employee to become a ‘motivated individual’ who might just take action.” Most likely the information is already on the Internet, and it does not take long to dig it out.
A few years ago, I saw this happen to a colleague. His personal email account was hacked and his personal and some business email was faxed to him as proof. Needless to say, this was an unpleasant situation for him and his employer.
Lessons to be learned:
- Take your account security seriously!
Choose questions and answers that are difficult or impossible for anyone else to answer. I do not use real answers for any account authentication questions. I pick any of the default questions and use a LONG and random answer. In case I should ever need these questions to authenticate my account, I print the questions and answers and store them in a locked cabinet.
- Do not use free email services for work.
When your corporate account is being probed by a hacker it will most likely get locked out, and a valued member of the IT department will need to unlock it. This acts as a red flag that someone is poking around your account.
- Never mix personal and business email.
As a general rule, business email is monitored by your employer, so you really do not want personal email mixed in that could put you in an uncomfortable position. Do not use your personal email to move files to and from the office. There are much better ways to do this; just ask your IT department.
- Email is never gone, only archived.
Do not think that just because you delete an email it is gone forever. Almost everything is backed up and can be retrieved with enough effort. Do not assume that emailing from a free web-mail service protects your identity.
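Added example (not from the original post): a small Python helper that implements the first lesson above, giving every recovery question a long random answer and estimating how much harder that makes guessing than a real, researchable fact. The question list, the 32-character length and the 2,000-candidate figure are constructed assumptions.

```python
import math
import secrets
import string

# Symbols an answer is drawn from (constructed choice: letters and digits).
ALPHABET = string.ascii_letters + string.digits

# Placeholder recovery questions in the style of a web-mail provider's defaults
# (constructed; the real question list is not on the page).
DEFAULT_QUESTIONS = [
    "Where did you meet your spouse?",
    "What was the name of your first pet?",
    "What high school did you attend?",
]


def random_answer(length: int = 32) -> str:
    """Return a long answer chosen uniformly at random, unrelated to any real fact."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_recovery_answers(questions, length: int = 32) -> dict:
    """Pair every recovery question with its own independent random answer."""
    return {q: random_answer(length) for q in questions}


def random_answer_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random answer of the given length."""
    return length * math.log2(alphabet_size)


def real_fact_bits(candidate_pool: int) -> float:
    """Entropy in bits of a true answer once an attacker has narrowed it to a pool
    of plausible candidates (e.g. every high school in one state)."""
    return math.log2(candidate_pool)


def format_record(answers: dict) -> str:
    """Plain-text record to print and file in a locked cabinet. Keep it out of the
    mailbox it protects."""
    return "\n\n".join(f"Q: {q}\nA: {a}" for q, a in answers.items())


if __name__ == "__main__":
    record = make_recovery_answers(DEFAULT_QUESTIONS)
    print(format_record(record))
    # Work an attacker faces: a real fact with ~2,000 plausible candidates
    # (constructed figure) versus a 32-character random answer.
    print(f"real fact: ~{real_fact_bits(2000):.1f} bits; "
          f"random answer: ~{random_answer_bits(32):.1f} bits")
```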