Hacking email accounts doesn’t have to be a sophisticated affair.
We are reminded once again of this fact thanks to a report released Friday by the Microsoft Threat Intelligence Center detailing how a group of hackers targeted the email accounts of journalists, government officials, and the campaign of a U.S. presidential candidate. And here’s the thing, the bad actors didn’t use some fancy 1337 computer skills, but rather employed the oldest trick in the book: the password reset.
According to Microsoft, over a 30-day period in August and September of this year, hackers likely affiliated with the Iranian government went after 241 email accounts and successfully compromised four. The MTIC dubbed the group Phosphorous, and explained how the team operated.
“Phosphorous used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts,” reads the blog post. “For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account.”
Importantly, MTIC writes that the four compromised accounts were not tied to the U.S. presidential campaign. But, still, this isn’t good.
Password-reset features come in many forms, from questions about where you went to high school or your mother’s maiden name to sending a link or code to a secondary email address or phone number. The former opens victims up to attack by anyone who knows how Google works, while the latter makes your primary email only as secure as your linked secondary email or cell phone.
A prominent abuse of this feature came in 2008, when a 20-year-old college student accessed Sarah Palin’s Yahoo email account. He used information like Palin’s ZIP code and birthday to reset her account password and gain access to the email account.
“While the attacks we’re disclosing today were not technically sophisticated,” explain MTIC, “they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks.”
This warning from Microsoft should serve as a reminder to everyone online that a password alone isn’t enough to protect your email — especially if someone is motivated to hack the account. Instead, use multi-factor authentication and for the love of god create a unique password.
Oh, and consider ditching those password-reset questions altogether.