How Paris Hilton got hacked?
We may have an easy answer for how someone was able to break into Paris Hilton's Sidekick account and grab her address book and emails. Turns out they didn't hack into the server or guess her password. Rather, they guessed (correctly) that she wasn't quite savvy enough to realize that everyone already knew what her answer would be to the secret question T-Mobile asks when you forget your password: "What is your favorite pet's name?" Enter the correct answer and T-Mobile lets you reset the password to whatever you want. Yeah, we know that required some serious l33tness on the part of the hackers (hey, but if you're so smart, why weren't you logging into her account months ago?), but it was only yesterday that T-Mobile was even made aware of the, uh, vulnerability in Paris's account and fixed things.
[Via Waxy]
"Social Engineering - Because There Is No Patch For Human Stupidity"
I suppose she has all those details on her website :D
There is clearly no limit to stupidity in this world.
She should post her naked pictures on her website and save us the trouble of hacking for it...
You know, honestly, this is a mistake anybody could make. You think up a great password and then you're made to think automatically that the "security question" is making you MORE secure, not less, and you don't think to change from the default.
I've personally always been extremely suspicious of those security questions. They are almost always ALL things that somebody who knows anything about you would know or could easily find out - your pet's name, the city you were born, your mother's maiden name, etc. - and if you answer it right, any company will just give out your password. Worse, most companies will not even let you set a password these days without the security question.
But it actually makes you LESS secure, even if you're not a celeb. Asking me something that's publicly available info to verify my identity is not a good idea at all. Maybe this will wake the world up to this fact.
I've always had a hard time with the secret question thing. It DOES seem utterly stupid that they ask for such inanely easy to find out facts. If the secret answer were used in conjunction with your normal password and username (like on the Halifax bank website) that makes some sense. It'll make you wonder how many other sites/services use such imaginatively simple security measures....
Sometimes you don't need to ask... in the company where I work (it's a big multinational one) all you have to do is dial the helpdesk number:
-Hi! My ID is 12374 can you reset my password?
-Ok sir!
Sad but true...
What's cool is, she gets killed in an upcoming movie she's in called "HOUSE OF WAX"
No it's not about a trip to the beauty salon with Nicole Richie either.
I'm just curious who the two people in Boston are (the paul weirdo & sad boy entities in the first Notes entry). Almost makes me think those are the 'hackers' leaving a little tag behind.
Normally, answering a security question causes them to e-mail your password (or link to generate a new password) to your primary address. This would mean that they would have to hack both your security question AND your primary e-mail account.
Sounds like someone at T-Mobile's website took the idea of a security question and screwed it up.
hmm, so do you think she'll sue - I mean from what it sounds like, t-mobile could easily be held liable for such an obvious security blunder
I totally agree about the stupidness of Security Questions.
I hate sites that require them... I'm always forced to decide to answer them truthfully with an answer anyone could easily know about me or else make up something obscure that I'll never remember (basically a 2nd obscure password)
agreed flup,
but on a note, is it possible that T-mobile is lying to protect themselves....i mean heck if they could blame it on her simple choice of password, then they can alleviate fear of their customers, potential clients, let alone stock...which is why i find it hard to believe, if it was that easy, why did it not happen months ago like Peter commented.
In other words, I think they got hacked, and just trying to save their asses by putting a large portion of the blame on a "stupid spoiled whore" so to speak...
The server logs would show that someone successfully used their password retriever.
I tried the whole thing using my T-Mobile account and indeed, you can change your password once you know the person's mobile phone number (not hard, since she's been hacked before) and can guess their security answer.
I was rather shocked it didn't SMS me my password or e-mail it to me. (I had forgotten that T-Mobile never asked me my e-mail address when I created my account last year.)
The issue here isn't an easily guessable password, it is an easily guessable security answer. Remember security answers are SUPPOSED to be easily remembered (and thus guessable). Because they ARE NOT supposed to allow you to directly change your password.
This is a security flaw on T-Mobile's website, plain and simple. People are either confusing easily guessable passwords (BAD) with easily guessable security answers (GOOD) or forgetting that the security answer is followed by an e-mail, requiring two things be hacked.
Ten bucks says her password was "ThatsHot"
....
My question (something that wasn't completely clear to me) is whether or not the 'secret question' was one she thought of herself, or one that was offered by default by T-mobile? If the latter, then I think it could be construed as T-mobile's fault for offering such obviously unsecure questions, especially in the case of celebrities. Otherwise, she's just stupid herself for not seeing that others would know the answer too (which may well be the case). In any case, if T-Mobile lets you change your password without sending it to a primary address as terry mentioned, then I think they very well could be held liable.
T-Mobile is definitely at fault if they allow a password change with just the secret question, doesn't matter if she could choose the question herself or not
Speaking from experience as someone who has created login systems before for websites, it is purely T-Mobile's fault for misconstruing the intent of a security question.
The security question should, for all intents and purposes, either email you (or SMS you, in this case), a new password or instructions on how to change your old one.
The fact that it allowed you to DIRECTLY change the password is the problem, not the easy to guess security answer.
Security answers could be 'a' for all I care, and it still would be fine because the email would be sent to my email address and I would ignore it. Only if the hacker got access to my email would they be able to own me.
Thus, T-Mobile is obviously full of smart.
Later,
Mike.
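As an added example (not from the article or any commenter) of the distinction terry and Mike draw above: `reset_insecure` is the direct-reset behaviour the thread attributes to T-Mobile's site, while `request_reset` and `complete_reset` implement the flow Mike describes, where a correct answer only earns a short-lived, single-use token delivered to the registered e-mail address. Account fields, the `OUTBOX` mail stand-in and all sample values are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OUTBOX = []  # constructed stand-in for the mail system: (address, token) pairs
TOKEN_LIFETIME = 15 * 60  # seconds a reset token stays valid

@dataclass
class Account:
    email: str
    password: str
    security_answer: str
    pending_tokens: dict = field(default_factory=dict)  # sha256(token) -> expiry

def _answer_matches(acct, answer):
    # Normalize case/whitespace, then compare in constant time.
    return hmac.compare_digest(acct.security_answer.strip().lower(),
                               answer.strip().lower())

def reset_insecure(acct, answer, new_password):
    """Flow the thread describes: a correct answer changes the password on the spot."""
    if not _answer_matches(acct, answer):
        return False
    acct.password = new_password
    return True

def request_reset(acct, answer, now=None):
    """Hardened flow: a correct answer only sends a token out of band to the registered
    address; the reply is identical either way, so it does not confirm the answer."""
    now = time.time() if now is None else now
    if _answer_matches(acct, answer):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        acct.pending_tokens[digest] = now + TOKEN_LIFETIME
        OUTBOX.append((acct.email, token))  # only the mailbox owner sees this
    return "If the details matched, a reset link has been sent."

def complete_reset(acct, token, new_password, now=None):
    """The password changes only for a live, unused token taken from the mailbox."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    expiry = acct.pending_tokens.pop(digest, None)  # pop makes each token single-use
    if expiry is None or now > expiry:
        return False
    acct.password = new_password
    return True
```

With the hardened flow, knowing the pet's name gets an attacker nothing unless they also control the mailbox, which is exactly the "two things must be compromised" property the thread is asking for.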
so, given the consensus that T-Mobile is at fault, do you guys think she'll sue or not? What is her reaction so far? I wonder, is she pissed, or does she just like all the attention, slut as she seems to be.
I pray she sues because T-Mo is at fault here. Not sending your new temp password to your email address? What kind of moron company does that (lots I am sure)
Well Paris was dumb enough to have the question "Who is your fav pet?" Everyone knows it's her dog
"Well Paris was dumb enough to have the question "Who is your fav pet?" Everyone knows it's her dog"
Still, this is Paris Hilton - I bet there is no security question in the world she could have chosen that someone wouldn't be able to research the correct answer for (usually they'll let you pick from a set of offered questions). Think about it, how hard would it be to find out:
a) her mother's maiden name;
b) her elementary school name;
c) her favourite colour.
There is no way that this is not T-mob's fault.
I don't know why everyone is so mean to her, I think she's so sweet and nice. Everyone makes mistakes in life and we all get over it. But then she does it's all over the papers and everyone calls her a slut and other mean names. Give her a chance before you write her off as a dumb blonde or a slut.
FROM A FAN PARIS FAN!
i don't know about her personality, but she looks slutty.
btw, what are her other on-line activities? maybe we can still hack her yahoo! or msn account, LOL!!
In response to #18, the worst thing, after a directly changeable password, would be an SMS notification of the password, because there's nothing to hack. You just need the phone, and hey, cellphone theft isn't that bad, right?
Bruce Schneier, the renowned security consultant and writer, had *just* written about this in his newsletter on February 15th:
http://www.schneier.com/crypto-gram-0502.html#9
For those too lazy to click the link, I should point out that he has a pretty good solution for the "security question" -- type something as random as possible and forget it.
His point is that the "security question" is just a way for companies (T-Mobile in this case) to save money on customer service, because if you forget your password, you should end up talking to a real, live, customer service person who can do a better job of authenticating you than a "security question".
Having a mechanism that is LESS SECURE THAN A PASSWORD -- the "security question" -- that can give people access to their accounts (or even email them their password, since we all know how secure email is) defeats the purpose of having a password at all.
Poor girl. I hope T-Mo get a good public blasting for this but I suspect the only headlines we'll see are 'stoopid paris done summat stoopid agen'
ho hum
Re: #25
If someone steals the phone, they don't need to guess anything anyway, as they have the addressbook and photos and everything already, so it wouldn't matter whether an SMS were sent with a password or not.
If someone has your phone, all security goes out the window, unless you're smart enough to lock it, which I doubt she was.
Later,
Mike.
The problem with the password being sent to your phone isn't just a problem with a stolen phone. How many of you have had a cell phone number and switched carriers? The next person who gets your old phone number may be able to access your personal information.
Let me tell you my experience with Verizon. I got a brand new phone, but my phone belonged to someone else previously. Verizon has a page where you can enter only your cell phone number and say you forgot your password. I entered my cell phone number and received a text message on my phone with the password. Once I had the password, I was able to access the complete personal phonebook of the last person who had my cell phone number. I know more about Evie than I care to know.
My husband works as a security manager for a telecommunications company, and he called Verizon to tell them they need to improve their security. There was no good reason why I should be able to get the personal phone book and messages of the last stranger who had my phone number. If I was able to do it within seconds, there was no telling how many other customer accounts have been compromised. Verizon didn't listen to him.
If you have used Verizon's getTXT or getPIX, and you didn't delete the information before you cancelled your account, the next person who gets your phone number can learn all kinds of things about you that you don't want them to know.
I hope the Paris Hilton incident will draw attention to the deficiencies in the security of companies like T-Mobile and Verizon. If Evie had been Paris Hilton or some other "celebrity," I bet Verizon would have paid more attention.
I found Lindsay Lohan's number....
For God's sake! You're making such a big deal about the question thing, when all you've got to do is just write whatever!! It's not that hard!
Q:where were u born?
A:nowhere
Q:whats your dogs name?
A:blablabla
See? It's really easy, people...
didn't paris one time think her dog was lost and forgot she left it at her grandparents house?