How Palin's Email was Hacked

Last week, a Tennessee college student using what has come to be known as the "Tinkerbell Hack," made the news when he hacked in to Vice Presidential nominee Sarah Palin's personal email account. He proceeded and post her emails on a message board. His method raises some important issues about password protection for the rest of us.

The interesting thing about the "Tinkerbell Hack" is how easy it is. Almost anyone with a computer who possessed some basic information about the hackee could potentially get into email, financial accounts, and so much more. The information used to perform the Tinkerbell Hack on Sarah Palin was all available online. While most of us probably don't have as much personal information available online as a celebrity like Sarah Palin, the fact is that most of us have a lot of people in our personal circle who could get enough information to perform a Tinkerbell Hack on us, particularly if we have taken a less than paranoid level of caution in password protection on various accounts.

The Tinkerbell Hack is named for Paris Hilton's pet Chihuahua, also called Tinkerbell. We have all answered password protection questions intended for those moments when you forget your password. Questions like, in Hilton's case for example, "what is the name of your favorite pet." That was the question she answered to secure her T-Mobile account's password. After a 2005 dog-napping incident in which Hilton offered a $5,000 reward for the return of her beloved pet Tinkerbell, the answer wasn't terribly hard for a hacker of little skill to divine. Paris was hacked, her information was spread around the web, and she provided the name for the easiest hack in the known universe.

Sarah Palin fell victim to the same sort of hack. After a rash of stories came out detailing Palin's use of a Yahoo mail account to conduct state business, someone got the bright idea to try the Tinkerbell Hack on her. This after news stories emerged that Palin was hiding information about her practices as Governor of Alaska by using a Yahoo account instead of her official state account.

The information the hacker needed to gain access to Sarah Palin's email? Her zip code, date of birth and where she met her husband. It was all online and took minutes to access. Wikipedia provided date of birth, there are two zip codes in Wasilla, Ak. And the hacker guessed that she met her spouse at her listed Alma Mater, Wasilla High. And voila; Sarah Palin now has something in common with Paris Hilton - besides being a celebrity and wearing lipstick. The hacker got into her password protection, changed her password to "popcorn," and proceeded to start posting her emails online.

The question this should bring up for most of us is how many of those password protection questions we've all set and how easy would it be for someone to find out the answers. For instance, "in what city were you born," is a common one. You may know dozens of people who know your answer to that question and if you don't they could probably get it out of you fairly easily in conversation. It could seem like a pretty harmless question.

The examples of Paris Hilton and Sarah Palin should serve as cautionary tales for the rest of us. It might be a good time to go back over critical accounts and check your password protection questions, before some vindictive co-worker or wacked ex decides you might be a candidate for the Tinkerbell Hack. How many password protection questions have you answered that might be fairly easy to figure out? The problem is also greatly magnified if someone could get into, say, your primary email, and then access other accounts by having access to that one.

And by the way, don't try this hack yourself. It is against the law.

Just ask David Kernell, 20, son of state Representative Mike Kernell, a Memphis Democrat and chairman of Tennessee's house government operations committee. He's the guy who Tinkerbell Hacked Palin. He was tracked down when law enforcement traced his IP and is now being investigated by the FBI and Secret Service, for violating various privacy laws. And his dad isn't very happy either.