The Washington Post has published an article about the continuing availability of password-cracking services such as YourHackerz.com, piratecrackers.com and hack-mail.net. They advertise openly, and offer to crack the password of Web-based email and social-networking accounts such as Gmail, Facebook, Yahoo, Hotmail and AOL for fees as low as $33.
Are their actions illegal? US federal law (and similar laws in many US states) prohibits hacking into email. But it’s a misdemeanor – not a felony – unless there’s further illegal activity, and authorities don’t usually have the resources to investigate misdemeanors. It’s also very difficult to know whether an account has actually been compromised, because the intrusion doesn’t leave much of a trace.
Many (most?) people who use the Internet use one or more of these Web-based email services for personal use, but very few people realize just how insecure these accounts can be – despite recent high-profile incidents such as the hacking of Gov. Sarah Palin’s personal Yahoo email account, or Miley Cyrus’s Gmail account.
And the problem probably impacts many organizations as well. Employees frequently talk about work-related issues on personal email accounts (this presents problems for e-discovery, as well, but that’s another story), and sometimes staff use web-based email accounts if they’re out of the office.
The insecurity of Web-based email systems should be a key talking point in your security awareness training program. Many people will continue to use them – after all, there aren’t many alternatives out there – but they should do so in the knowledge that they could easily be hacked and, therefore, the accounts shouldn’t be used for anything sensitive at all.