I've said many times that the security measures for some of these various social networking services are pitiful. Well, check this out:
So, let’s say [Lepp]’s posting address was [Lepp].firstname.lastname@example.org. If Lepp emailed a photo to that address from his government account, it would be posted to Twitter. If I emailed that address from my own account, any photo I sent would be posted on his stream as well. All a “hacker” needs to know is that [Lepp].Hacked@yfrog.com address.
All those addresses follow the same format: Twitterusername.[ ]@yfrog.com, and that blank space was always filled with a random word, five to six characters long, generated by Yfrog. So it wouldn’t be that hard to fill in the blanks.
According to The Daily Dot, after it reached out to Yfrog for comment, the service disabled the email-to-post option. We’ve reached out to Yfrog for comment ourselves.
Interestingly enough, if something like this really did happen in George Lepp's case, it would mean that no Blackberry thief was required to make the prank work. Which would mean that Mr. Lepp is not probably being honest about what happened (and that he's till got his Blackberry). You would still need a loose penis around to pull it off, but those are easy enough to find.