7 steps to hack into someone’s bank account

Herbert Thompson* in 2008 wanted to show the public how easy it was to access someone’s personal information and bank account. He did the experiment on someone who he barely knew, a girl named Kim. Using the knowledge he knew about her, her name, where she was from, where she worked and roughly her age, he was able to access her bank account in ONLY 7 STEPS!!! Read below to see how he did it – in the days before Facebook!

(Thompson called her blog a “goldmine.”) He gets information about grandparents, pets, and hometown. Most importantly he gets her college email address and current Gmail address.

Next stop: Password recovery feature on her bank’s web site. The bank sends a reset link to her email, which he does not have access to.

He attempts to reset her Gmail password but Gmail sends this to her college email address. Gmail tells you this address’ domain (at least it did in 2008 when Thompson conducted the experiments) so he knew he had to get access to that specific address.

College email account page. Thompson clicks the “forgot password” link on this page and winds up facing a few questions. Home address, home zip code and home country? No problem, Thompson has it all from the same resume. The same resume found from the simple Google search done earlier. Then came a stumbling block: the college wanted her birthday. But he only had a rough idea of her age, no actual birth date.

Apparently, you can search for violations and court appearances by name! And such records include a birth date. But he had no luck with the Department of Motor Vehicles. (Facebook also makes this piece of data very easy to get even if people do not note their birth year… Remember Thompson knew roughly how old Kim was.)

Thompson goes back to the blog and does a search for “birthday.” He gets a date but no year.

Finally, Thompson attempts the college reset password again. He fills in her birth date, and simply guesses the year. But the site gives him five chances, and tells him which field has the error.
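
The college reset form in this story reported which field was wrong, so the birth year could be guessed on its own while every other answer was already confirmed. As an added example (not part of the original article; the record, field names and messages are constructed), this Python code puts that behaviour beside a check that returns one generic failure for any wrong answer and locks the account after five failed attempts:

```python
import hmac

# Constructed sample record; field names and values are illustrative only.
RECORD = {"zip": "00000", "country": "US", "birth_date": "1980-01-31"}
MAX_ATTEMPTS = 5  # the form in the story allowed five tries
GENERIC_FAILURE = "The details provided could not be verified."


def verify_weak(answers):
    """Behaviour described in the story: the response names the wrong field."""
    for field, expected in RECORD.items():
        if answers.get(field) != expected:
            return f"Incorrect value for {field}"
    return "ok"


class ResetVerifier:
    """Hardened check: one generic answer, failures counted per account."""

    def __init__(self, record, max_attempts=MAX_ATTEMPTS):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    def verify(self, answers):
        if self.failures >= self.max_attempts:
            # Further guesses are refused; recovery must go out of band.
            return "locked"
        ok = True
        # Compare every field in constant time before deciding, so neither
        # the response text nor early exit reveals which answer was wrong.
        for field, expected in self.record.items():
            supplied = str(answers.get(field, ""))
            ok &= hmac.compare_digest(supplied.encode(), expected.encode())
        if ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        return GENERIC_FAILURE
```

The lockout only limits guessing; answers that can be found in a public resume or blog, as here, remain weak evidence of identity however the form responds.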