Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gaining Info On Tech Execs With Just Their Email

Posted by Unknown on from the mark-zuckerburg-revealed-as-closet-myspace-fan dept.

jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."

3 of 75 comments (clear)

  1. Any way around this? by jbuk · · Score: 5, Interesting

    Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

    1. Re:Any way around this? by jeffmeden · · Score: 5, Insightful

      Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

      Sure, flag the account for extra auditing in the following x number of hours. Or, start any registration with an email call-back and let anyone "start" the registration even if it exists, and in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly". Since you shouldn't be registering with an email that isn't yours and the web page will just be a "please check your email for registration info" this will not tell the illegitimate user anything useful.

  2. Hate using my Email address as log in by Nyder · · Score: 5, Interesting

    Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy, is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

    --
    Be seeing you...