Researchers are shooing away theories of an elaborate “deep state” hacking plot against Jeff Bezos tied to the alleged tawdry images of him and girlfriend Lauren Sanchez. They say, alleged images that Bezos claims that the National Enquirer is threatening to release were likely obtained via a “simple hack.”
They point to fact that email addresses tied to Sanchez were part of the massive “Collection#1” database of compromised email addresses and passwords. That alone, could have given even an unsophisticated hacker the ability to illegally obtain access to her personal accounts.
Robert Graham, a security researcher and the owner of Errata Security, asserts that Sanchez would have been the target of any attempted hack.
“To start with, from which end were they stolen? As a billionaire, I’m guessing Bezos himself has pretty good security, so I’m going to assume it was the recipient, his girlfriend, who was hacked,” Graham wrote on Friday.
Using perfectly legal privacy-busting tools found online, Graham was able to obtain Sanchez’s email address.
“There are lots of ‘people finder’ services on the Internet that you can use to track this information down. These services are partly scams, using ‘dark patterns’ to get you to spend tons of money on them without realizing it, so be careful,” he wrote. “Using one of these sites, I quickly found a couple of a email accounts she’s used.”
Next, Graham ran her email address through a database of compromised email addresses called HaveIBeenPwned. The HaveIBeenPwned service doesn’t reveal password info. It does, however, identify the breach or collection associated with the address. Graham found that several of Sanchez’s emails were tied to a massive database of compromised email addresses and passwords known as Collection#1.
This is the stage where Graham stopped his investigation. But, assuming that Sanchez is like many online, she likely reused the same password across multiple accounts. Graham is careful to stress that he never broke the law and attempted to access any accounts that didn’t belong to him. However, he does suggest that motivated “sleazeballs” often use data culled from Collection#1 illegally.
“No, I didn’t hack her accounts,” he wrote. “However, her email addresses and some passwords are public on the Internet for hackers who look for them. Some passwords are public. That doesn’t mean the important passwords that would gain access to real accounts are public. I didn’t try them to find out. Even though I didn’t fully test this, people get their sensitive information (like nude pics) stolen this way all the time.”
Scandalous images tied to the Anthony Wiener scandal were sent via commercial messaging services, Graham points out. But, even when private messages are using some other service protected by two-factor authentication, there are a number of advanced hacks that have been used to bypass those protections.
“Using the phone as a second-factor has its own hacks that skilled hackers can bypass. Phone numbers that belong to her are also on that ‘people finder’ report I paid for,” Graham wrote.
The researcher concedes he is only theorizing how Bezos’ alleged images could have been obtained illegally. “Maybe it wasn’t her phone/accounts that were hacked. Maybe she shared them with her siblings, friends, or agent. Diligent hackers go after those accounts as well,” he said.
Most important to Graham’s navel gazing are his tips on how not to get hacked.
- Set up different email accounts: Ones you use for personal reasons that can easily be discovered, and ones you use in other situations that cannot be tied to your name.
- Don’t reuse passwords, as was done in the case, where all the accounts I found have the same password. At least one site where you’ve used that password will get hacked and have that password shared in the underground. Use unique password for major sites. Knowing your GMail password should not give me access to your iPhone account because that’s a different password. Write these passwords down on paper and store them in a safe place. For unimportant accounts you don’t care about, sure, go ahead and use the same password, or common password pattern, for all of them. They’ll get hacked but you don’t care.
- Check https://haveibeenpwned.com to see how many of your accounts have pwned in hacker attacks against websites. Obviously, the passwords you used for those websites should never be used again.
- If you send sexy messages and you are a celebrity, there are large parts of the hacker underground who specialize in trying to steal them.