Seriously, how are all these email accounts getting hacked?

Coldblackice

How is "Guccifer" getting into so many prominent persons' email accounts?

I'm surprised how often this continues to happen. I've assumed it's via either guessing passwords (Password: "password") or guessing reset information (or finding it through publicly available info).

But even then, I still don't understand how accounts seem to be so easily hacked with "guesses" (if that's how the majority of these takeovers are happening) -- I'd expect the major email carriers to quickly block out more than a handful of wrong attempts, and if continued, ban IP addresses. Sure, there'd be ways around this through VPNs, proxies, automation, etc., but I'd still expect some form of authoritative quashing of such attempts.

It's been my understanding that the most prevalent methods are:

-Password guessing
-Security-reset information guessing
-Rogue links (w/ Java vulnerabilities)
-Trick emails ("Please respond with password for verification")

Any insight on how it keeps happening?

EDIT (forgot to include what sourced my question):

www.thesmokinggun.com/documents/colin-powell-guccifer-email-hack-594321
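
The lockout question raised in the post above, shown from the mail provider's side as an added example (not part of the original thread): the same failed-login events counted per source IP and per account. The event tuples, addresses, limit and window are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed events: (unix_time, source_ip, account, success).
# Documentation IP ranges only; "alice" fails five times, each from a new address.
EVENTS = [
    (1000, "203.0.113.10", "alice", False),
    (1030, "198.51.100.7", "alice", False),
    (1060, "192.0.2.44", "alice", False),
    (1090, "203.0.113.99", "alice", False),
    (1100, "192.0.2.5", "bob", False),
    (1110, "192.0.2.5", "bob", True),
    (1120, "198.51.100.200", "alice", False),
]


def throttled(events, key_index, limit=3, window=600):
    """Keys (IP or account) with more than `limit` failures inside `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events):
        ts, success = ev[0], ev[3]
        if success:
            continue                      # only failures count toward the limit
        q = recent[ev[key_index]]
        q.append(ts)
        while q and q[0] <= ts - window:  # drop failures older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ev[key_index])
    return flagged


def by_ip(events, **kw):
    """Per-IP counting: what an IP ban would act on."""
    return throttled(events, 1, **kw)


def by_account(events, **kw):
    """Per-account counting: failures add up regardless of where they come from."""
    return throttled(events, 2, **kw)


if __name__ == "__main__":
    print("flagged by IP:     ", by_ip(EVENTS))
    print("flagged by account:", by_account(EVENTS))
```

Per-IP counting flags nothing here because no single address fails more than once, while per-account counting flags the account after its fourth failure.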
 
I've always wondered about this too, you hear so much about people's email and Facebook etc. being hacked. I run my own email server so it always concerns me as I wonder if I may potentially have the same security holes in mine.
 
I would assume good old fashioned social engineering is still the biggest player. It worked for all that "Phone Hacking" in the UK, and when someone "hacked" that Gawker editor's Amazon and Apple accounts...
 
The thing is, failures aren't reported. So 5 famous people may have had their accounts compromised, but the attacker failed to gain access to the other 500. There's probably a lot of luck involved.
 
1) Use strong passwords. People's passwords are garbage.
2) Don't use a REAL security question. Anybody can figure out your home town or dog's name.
3) Two-factor authentication is tremendously helpful.
 
I usually just put in some BS for the security questions. I hate systems that insist on asking those. Just send me an email confirmation...
 
You attempt to hack relatives, friends and employees of high-profile targets until you find one who's an idiot; you'll find one because we are all surrounded by idiots. The idiot will have the contact info that you really want: personal phone numbers and email addresses of the high-profile target that only family and close friends have. Once you've used those to hack the high-profile target, that target will have similar tightly-held contact info for other high-profile targets. This tightly-held contact info often isn't kept under high security because high security is damned inconvenient and "but nobody was supposed to have that email address except my daughters!"

And that's exactly what Guccifer has done. They started with the sister of President George W. Bush. They've been following the data they hacked from Bush to other targets ever since.
 
How many of you know the password reset procedure for all of your online accounts?

A security-conscious friend's Gmail account was recently hacked. I went through the process to see how likely this was the attack method and was surprised at how easy it was to get a password reset link sent to another email address.

A strong password means nothing if you can get a password reset link sent just by guessing answers to a few questions. These aren't the "security questions" where you define the answer yourself, but stuff like "When was the last time you were able to access your Google account?" which for perhaps 95% of people is going to be today. "Name three email addresses you've emailed from this account." "Approximately when did you create this account?"

I haven't yet tested how having two-factor enabled changes this process though.
 
Individual account hacking doesn't interest me as much as mass account breaches.

Recently my Yahoo account was hijacked and used for sending spam emails. Funny thing is, I was actually in it at the time too. All of a sudden my inbox got hit by 3 failure to deliver messages. I checked my outbox and sure enough, there was an email sent out to all those junk addresses I use my Yahoo account for. In it was a malicious link.

I looked it up and there were dozens of recent posts coming up about people's Yahoo accounts being hacked in the past couple of days.

I checked my account activity and first, a few hours before all of this, my account was accessed by some Middle Eastern IP from a Yahoo app, then by the web browser, and then again a few hours later (when I was in it). I wouldn't say password guessing because even when I forget the damn thing it's a pain to get in with all the "extra security" measures they have for when you fail to type the password in too many times. Besides, my passwords are all different and all 15+ characters.

No, my only assumption is that one of Yahoo's apps has a security hole in it that made it easy to get passwords to numerous accounts.
 
Hmm, so if you run your own Postfix server and everything, is it less likely to be hacked than Gmail and whatnot?
 
there's also the thing where people think emails are coming from their accounts because they're getting complaints from friends or getting failure to deliver messages, but it's not really an account hack... but of course one of their "knowledgeable" computer friends tells them they got hacked... in reality some spammer just got a hold of one of their chainmails and was sending emails to everyone in it spoofing their email address...
 
most of these people use password as their password or my favorite Password1234!
 
most of these people use password as their password or my favorite Password1234!

I know people can be stupid, but are people really THAT stupid? :eek:

Email is actually even more important than banking, given your banking password + every single other service can be accessed by someone who has your email. Heck, if you own any domains someone could even initiate a domain transfer. :eek::eek::eek:

Email is definitely something you want a really strong password/security setup for.
 
I know people can be stupid, but are people really THAT stupid? :eek:

Yes.

4.7% of users have the password password;
8.5% have the passwords password or 123456;
9.8% have the passwords password, 123456 or 12345678;
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
98.8% have a password from the top 10,000 passwords

http://xato.net/passwords/more-top-worst-passwords/

You can get a .zip file there of the top 10,000 passwords. Some of the ones you use might be in there. One of your relatives or close friends does use one, guaranteed.
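
The other side of those numbers, as an added example (not part of the original thread): a signup-time check that rejects a new password built on an entry from a common-password list, including decorated forms like the "Password1234!" quoted earlier in the thread. The six-entry sample set, the function names and the 8-character minimum are constructed for illustration; a one-password-per-line file format is assumed for the full list.

```python
import re

# Constructed stand-in for the list; load the real file with load_blocklist().
SAMPLE_COMMON = {"password", "123456", "12345678", "qwerty", "letmein", "dragon"}

# Common character swaps, undone so "p@ssw0rd" compares equal to "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
TRAILING = re.compile(r"[\d\W_]+$")  # digits/punctuation tacked on the end


def load_blocklist(path):
    """Read a one-password-per-line file into a lowercase set."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


def variants(password):
    """Normalised forms of a candidate to compare against the list."""
    p = password.lower()
    core = TRAILING.sub("", p)          # "password1234!" -> "password"
    return [p, core, p.translate(LEET), core.translate(LEET)]


def matched_entry(password, blocklist=SAMPLE_COMMON):
    """Return the listed password this candidate is built on, or None."""
    for v in variants(password):
        if v and v in blocklist:
            return v
    return None


def check_new_password(password, blocklist=SAMPLE_COMMON, min_length=8):
    """Decide at signup or password change whether to accept the password."""
    if len(password) < min_length:
        return (False, "too short")
    hit = matched_entry(password, blocklist)
    if hit:
        return (False, f"built on common password '{hit}'")
    return (True, "ok")
```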
 
Mine was hijacked, sending spam emails. I think it was from that (former buy . com) fiasco, even though my password was different for the site and multiple types of characters.
 
I know people can be stupid, but are people really THAT stupid? :eek:

Email is actually even more important than banking, given your banking password + every single other service can be accessed by someone who has your email. Heck, if you own any domains someone could even initiate a domain transfer. :eek::eek::eek:

Email is definitely something you want a really strong password/security setup for.

shut your mouth, I already know your pin number to your bank account is 1234
 
Just as silly as people's passwords are......the companies themselves are to blame as well for not taking security to the utmost regard.

Take for instance Facebook.

If you know someone well enough you can take over their account. There is an option for "changed my email address" so you create a bunk e-mail, and answer the security question. So if it's a childhood friend and the question is "What street did you grow up on as a child?" Well.....there you have it.

Companies need to offer better security for their clients/users. I understand you can only do so much but, in this day and age where anyone can create an app for their phone, and anyone can be a "hacker/cracker/ddos'er" it needs a new approach.
 