How Paris Hilton Got Hacked? Bad Password Protection

from the tinkerbell dept

This morning, in Good Morning Silicon Valley, John Paczkowski joked (I think) that he’d bet “$5 and a Swarovski-encrusted dunce cap says her password was Tinkerbell.” He might be right. While T-Mobile still says they’re trying to figure out how Paris Hilton’s T-Mobile account got hacked, Brian McWilliams has it all figured out. Her password might not have been Tinkerbell (the well-known name of her dog), but the secret question to get her password reset was: “What is your favorite pet’s name?” Yup. It wasn’t necessarily social engineering or a security hole or even real hacking (though, in some sense, it was a combination of all three). It was good, old-fashioned stupidity — leaving the keys under the front doormat with a big sign that says “keys under the mat” next to it.


Comments on “How Paris Hilton Got Hacked? Bad Password Protection”

Precision Blogger (user link) says:

Bruce Schneier wrote just recently about this secu

Bingo! Bruce Schneier wrote just recently about how the backup question weakens password protection. He says when forced to supply a Q&A, he hits random keys that he won’t remember for the answer. See:

– The Precision Blogger
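
The comment above cites Schneier's advice of answering the backup question with random keystrokes. As an added example (not from this post or from Techdirt), the following Python sketches how a site could enforce that on the server side: reject short or common pet-name answers (the constructed name list and the 12-character threshold are assumptions), store the answer as a salted hash exactly like a password, and lock the recovery flow after a few failed guesses.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample of guessable answers: a handful of common pet names plus the
# one the article discusses. A real deployment would use a much larger list.
COMMON_PET_NAMES = {"max", "bella", "charlie", "lucy", "buddy", "daisy", "tinkerbell"}
MIN_ANSWER_LEN = 12  # assumed threshold; long enough to rule out ordinary names
PBKDF2_ITERATIONS = 200_000


def normalize(answer: str) -> str:
    """Fold case and drop whitespace so 'Tinker Bell ' and 'tinkerbell' compare equal."""
    return "".join(answer.split()).lower()


def answer_is_weak(answer: str) -> bool:
    """True when the recovery answer is short or a well-known pet name (the article's case)."""
    a = normalize(answer)
    return len(a) < MIN_ANSWER_LEN or a in COMMON_PET_NAMES


def make_random_answer(nbytes: int = 16) -> str:
    """Schneier-style answer: random and unmemorable; the user keeps it in a password manager."""
    return secrets.token_urlsafe(nbytes)


def store_answer(answer: str) -> tuple[bytes, bytes]:
    """Keep only a salted PBKDF2 hash of the normalized answer, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(stored: tuple[bytes, bytes], attempt: str) -> bool:
    """Constant-time comparison against the stored hash."""
    salt, digest = stored
    cand = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, digest)


class RecoveryGate:
    """Wraps a stored answer and refuses further checks after max_attempts failures."""

    def __init__(self, stored: tuple[bytes, bytes], max_attempts: int = 3):
        self.stored, self.max_attempts, self.failures = stored, max_attempts, 0

    def attempt(self, answer: str) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked: even the correct answer is rejected until an admin resets
        if verify_answer(self.stored, answer):
            return True
        self.failures += 1
        return False
```

Rejecting weak answers at enrollment (`answer_is_weak`) and locking after a few misses together remove the "guess the dog's name" path the article describes.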

Ranger says:

Re: Re: Re: Use

Am I the only one suspicious of her getting hacked in the first place? I mean, isn’t she due for some scandalous web-activity about now?

I mean, who keeps perfect naked pictures of themselves on their mobile camera? For what possible reason? “Hey, I want to see if I’ve gained any extra weight from eating that ice cream sundae?”

Nick (user link) says:

T-Mobile Password Hacking

… another likely theory was given in this post over at Kevin Rose’s site.

The hack is a simple one that I duplicated easily. If you have Sprint or T-Mobile and have auto voicemail login enabled, you are vulnerable to this type of attack. I have auto voicemail login enabled because I hate entering my voicemail PIN number each time I want to check my messages.

The voicemail authentication system is simple. It uses caller ID to validate the originating number: if the caller ID matches your cell phone number (i.e. your cell phone calling in to check your voicemail messages), it will log you in automatically.

This system has worked great for the last few years. Well, that is until the advent of commercial caller ID spoofing systems such as CovertCall and Telespoof. For those not in-the-know, caller ID spoofing allows you to change your caller ID number to anything you like. To hack myself, I simply logged into CovertCall and placed a spoofed call to my cell phone. The spoofed call was to my cell phone, from my cell phone, forwarded to a pay phone. Sprint (my provider) thought I was calling from my cell, and automatically logged me in (even though I was performing this from a pay phone down the street).
