by jakejake 4000 days ago
From the article "Itz very simple sir… Im hacked your account in 2 min… Im learned ur boi (bio) from internet… and create gmail account like yours then I fill the submit form with my email and Harvard send mail the Password change link.. That it…"
2 comments

So I don't quite understand that... Trying to piece it together.

Perhaps the Harvard email system will allow you to send a Reset Password link to an arbitrary (?) email address if you correctly identify some "identity verification" questions, and this guy was able to glean the answers to those questions from reading the article author's bio?

Didn't sound like it was too awfully difficult but yeah, pretty thin on the details. Here are Harvard's password reset instructions: http://huit.harvard.edu/reset-your-harvard-password

So Facebook had his Harvard email as the password reset email?

That is what I got from "On the day it happened, I figured out he got in by taking over my Harvard alumni email and then requesting that a new password from Facebook be sent there."

Gaining control of email accounts is how other accounts are typically captured when multi-factor auth is not enabled, of course. The question is how exactly the attacker got into Thurston's email account at Harvard. The reset instructions read as if answering a verification question is all that is needed to change the password without knowing the original password. That would mean two lessons:

1. Harvard should add at least one additional step to this procedure, such as requiring confirmation through a secondary email address.

2. Nobody should ever use publicly available information as answers for password reset "security" questions.

(Both not exactly surprising insights here, of course...)

What still doesn't add up is the part about the attacker "creating gmail account like yours".
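The reset-flow weakness and the two lessons in the comment above, as an added Python example that is not from this thread and not Harvard's or Facebook's actual code: a knowledge-based reset that accepts a security-question answer as the only proof of identity, beside a hardened flow in which the answer merely starts a reset and completion needs a single-use, expiring token sent to a pre-registered secondary address (lesson 1). The account, the question, the answer, the secondary address and the "bio" text are all constructed; the page does not say what Harvard's real questions or procedure are, and nothing here should be read as describing them.

```python
"""Constructed example: a knowledge-based (KBA-only) password reset beside a
hardened one. Not Harvard's or Facebook's code; every account, question,
answer and address below is made up for illustration."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)

# Constructed account store. The "secret" answer is the kind of fact that
# also sits in a public bio, which is the whole problem with KBA resets.
ACCOUNTS = {
    "alumnus": {
        "question": "In which city were you born?",
        "answer": "springfield",                   # also in the public bio
        "secondary_email": "alumnus@example.net",  # pre-registered, out of band
        "password_hash": hashlib.sha256(b"original-password").hexdigest(),
    },
}

# What the attacker "learned from internet": constructed bio text. A human
# reads "Springfield" off it; no automation is needed for this attack.
PUBLIC_BIO = "Born in Springfield, attended Harvard, now writes and speaks."

PENDING = {}   # sha256(token) -> (username, expiry); only hashes are stored
OUTBOX = []    # stands in for the mail system; the attacker cannot read it


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def answers_match(given: str, stored: str) -> bool:
    """Constant-time comparison so timing does not leak partial matches."""
    return hmac.compare_digest(given.encode(), stored.encode())


def weak_reset(username: str, answer: str, new_password: str) -> bool:
    """KBA-only reset: a correct answer alone lets the caller set a new
    password. Anyone who read the bio passes this check."""
    acct = ACCOUNTS.get(username)
    if acct is None or not answers_match(answer.strip().lower(), acct["answer"]):
        return False
    acct["password_hash"] = hash_password(new_password)
    return True


def hardened_request_reset(username: str, answer: str, now: float = None) -> bool:
    """Hardened step 1: the answer only *starts* a reset. The proof of
    identity is delivered out of band to the pre-registered secondary address."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)
    if acct is None or not answers_match(answer.strip().lower(), acct["answer"]):
        return False
    token = secrets.token_urlsafe(32)
    # Store only the hash: a leaked PENDING table yields no usable tokens.
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    OUTBOX.append((acct["secondary_email"], token))
    return True


def hardened_complete_reset(token: str, new_password: str, now: float = None) -> bool:
    """Hardened step 2: only the holder of the mailed token can finish.
    The token is single-use (popped on first presentation) and expires
    after TOKEN_TTL; an expired token is discarded, not left pending."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[username]["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    bio_answer = "Springfield"  # read off PUBLIC_BIO by the attacker
    print("weak flow, attacker with bio answer:",
          weak_reset("alumnus", bio_answer, "attacker-pw"))
    print("hardened step 1, attacker:",
          hardened_request_reset("alumnus", bio_answer))
    print("hardened step 2, attacker guessing a token:",
          hardened_complete_reset(secrets.token_urlsafe(32), "attacker-pw"))
    owner_token = OUTBOX[-1][1]  # only readable from the secondary mailbox
    print("hardened step 2, owner with mailed token:",
          hardened_complete_reset(owner_token, "owner-pw"))
    print("replay of the same token:",
          hardened_complete_reset(owner_token, "again"))
```

The contrast is the point of lesson 1: in the weak flow the security question is the whole authentication, so a public bio is a credential; in the hardened flow the question only gates who can trigger a mail, and the mail goes to an address the attacker neither chose nor controls. Lesson 2 is why the hardened flow still bothers with the question at all: it limits who can spam resets, but it is no longer what protects the account.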