Companies can learn from hacking of Palin's e-mail

SEATTLE -- A precocious hacker cracks into Republican vice presidential candidate Sarah Palin's private e-mail account, looking for dirt. In doing so, he opens a Pandora's box of tech security concerns for the presidential candidates — but perhaps even more so for Corporate America.

That's the upshot of a fast-developing story playing out on tech websites Valleywag, Gawker, NetworkWorld and others. On Thursday, Kim Zetter, a veteran investigative reporter at Wired News, broke a story describing how a hacker, going by the nickname Rubico, easily changed Palin's Yahoo account password, rifled through her e-mail and posted the password on a popular tech discussion website, 4chan.org.

Other 4chan participants subsequently boasted about accessing Palin's Yahoo account, posting family photos and samples of personal messages widely across the Internet.

A statement from John McCain's campaign condemned the hack as an "invasion of the governor's privacy and a violation of law."

"It's a cautionary tale for all of us," says Owen Thomas, Valleywag's managing editor. "Passwords are easy to guess, and we don't use the extra protection sites like Yahoo offer us."

The digital break-in underscores the risk corporations and government agencies take on when they give tacit approval to extensive workplace use of free, Web-based applications such as e-mail, instant messaging and toolbars. A recent survey of 60 companies by Palo Alto Networks found all of them using a wide variety of Web mail applications. The most popular: Hotmail, Yahoo Mail, Gmail and AOL Mail.

According to postings by Rubico on 4chan, it took just 45 minutes to reset Palin's password using the Alaska governor's birth date, ZIP code and information about where she met her spouse. The main tool for obtaining Palin's background details: Google searches.

Yahoo declined comment on security features for its free e-mail service.

"We don't comment on the specifics of our security policies so that we don't give a roadmap to hackers and bad actors," says spokeswoman Kelley Benander.

Most corporations and government agencies have policies allowing "reasonable use" of free Web-based e-mail, says Palo Alto Networks product manager Chris King. Trouble is, he says, employees generally ignore "best practices around strong passwords, secure connections and access only from trusted systems."

Even before her selection as vice presidential candidate, Palin had come under criticism for using non-government e-mail accounts to conduct state business.

Valleywag reported Thursday that Palin's hacked account, and another Yahoo e-mail account she used, gov.sarah@yahoo.com, have been deleted.