How Paris Got Hacked?

by Brian McWilliams

Paris Hilton's Chihuahua couldn't protect her Hollywood home from a burglary last summer. So why was Hilton counting on her dog to protect her T-Mobile account from intruders?

Despite repeated attacks on her T-Mobile email and telephone records in recent months, the actress and heiress has persisted in using the little dog's name to secure her password at the T-Mobile site.

Like many online service providers, T-Mobile requires users to answer a "secret question" if they forget their passwords. For Hilton's account, the secret question was "What is your favorite pet's name?" By correctly providing the answer, any internet user could change Hilton's password and freely access her account.

Hilton makes no secret of her affection for her Chihuahua. Last August, Hilton offered a reward of $5,000 when her beloved pet disappeared after the house she shared with sister Nicole was burglarized.

An anonymous source provided O'Reilly Network with a screen grab, proving he was able to access the contents of Hilton's T-Mobile inbox as of Tuesday morning. Another image confirmed that Hilton's "secret answer" was her dog's name.

Upon being notified Tuesday, T-Mobile corrected the potential security vulnerability in Hilton's account.


Last weekend, Hilton's T-Mobile online account was accessed by intruders calling themselves "The Niggas at DFNCTSC." The trespassers posted the contents of her address book, notes, and photo folder on the internet.

In January, Hilton reportedly suspected that a "hacker" had access to her email account and was reading messages there.

It's unclear how those intruders gained access to Hilton's account. A T-Mobile spokesperson said the company is "actively investigating" the situation.

Weak passwords are cited as one of the top twenty internet security vulnerabilities by the SANS Institute.

Account information belonging to Hilton and other T-Mobile users has been circulating in the computer underground since at least late March of 2004. A California man named Nicholas Jacobsen has admitted to hacking into T-Mobile's servers and accessing records on at least 400 customers. (Last week, security professionals openly speculated about how Jacobsen gained access to the wireless provider's internal systems.)

According to court papers, Jacobsen, who used the online alias Ethics, offered to sell the stolen information on an online message board on March 15, 2004. Jacobsen also apparently provided excerpts of the data to friends and colleagues.

A log file of a March 2004 instant-message conversation apparently between Ethics and an associate includes a section containing Hilton's T-Mobile phone number, password, social security number, and other confidential information.

Password hint systems like the one used by T-Mobile are common on the internet. Online service providers including the MSN Hotmail service have encountered security breaches involving attackers correctly answering "secret questions" and then locking victims out of their accounts.
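As an added illustration, not code from the article or from T-Mobile, here is a toy Python model of the two recovery flows: one that trusts the secret answer alone, as the article describes, beside one that stores only a salted hash of the answer, locks the flow after a few wrong guesses, and still requires an out-of-band token (emailed or sent to a second channel in a real system) before the password changes. The class names, the sample answer "fido" and the attempt limit are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


class WeakRecovery:
    """Reset flow like the one described above: a correct answer alone resets the password."""

    def __init__(self, answer):
        self.answer = answer  # stored in the clear, compared case-insensitively
        self.password = None

    def reset(self, answer_guess, new_password):
        if answer_guess.strip().lower() == self.answer.lower():
            self.password = new_password
            return True
        return False


class HardenedRecovery:
    """Secret answer is only the first step; the password changes only with an out-of-band token."""

    MAX_ATTEMPTS = 3  # constructed lockout threshold

    def __init__(self, answer):
        self.salt = os.urandom(16)
        self.answer_hash = self._hash(answer)  # never store the answer itself
        self.attempts = 0
        self.pending_token = None
        self.password = None

    def _hash(self, answer):
        # Normalise so "Fido " and "fido" match, then stretch with PBKDF2 to slow offline guessing
        return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), self.salt, 100_000)

    def start(self, answer_guess):
        """Step 1: check the answer under a lockout; return a fresh token on success, else None."""
        if self.attempts >= self.MAX_ATTEMPTS:
            return None  # locked: even the right answer no longer proceeds
        self.attempts += 1
        if not hmac.compare_digest(self._hash(answer_guess), self.answer_hash):
            return None
        self.pending_token = secrets.token_urlsafe(32)  # delivered out of band in a real system
        return self.pending_token

    def finish(self, token, new_password):
        """Step 2: only the holder of the out-of-band token can set the new password."""
        if self.pending_token is None:
            return False
        if not hmac.compare_digest(token.encode(), self.pending_token.encode()):
            return False
        self.pending_token, self.attempts = None, 0
        self.password = new_password
        return True
```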

T-Mobile representatives said Hilton uses a Sidekick II, a communication device that offers wireless telephone and internet access as well as a built-in flash camera.

Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.
