It's simpler than it sounds. When you access your voicemail, your phone is just dialing a special number (which is the same for all phones on the network). The voicemail machine verifies that it's your phone through caller ID. There are a variety of easy and cheap ways to fake caller ID.

Having a PIN set up is supposed to prevent this, but most people have guessable PINs, and some networks allow not having a PIN at all.
posted by miyabo at 6:18 PM on July 10, 2011

I think, broadly, they could either pay or dupe someone at the telco for access, or just brute-force the password. I bet there are 20 common voicemail PINs that would cover many users, moreso if you know basic info like their street address and birthday.

Here's how it happened to Paris Hilton in 2005.
posted by These Premises Are Alarmed at 6:18 PM on July 10, 2011

From Slate's explainer on the subject: "'Hacking' is a bit of a misnomer, given how low-tech the infiltrators' methods were: It seems they broke into victims' voice mail inboxes using the carrier's default passcode, such as 1111, taking advantage of the fact that many customers hadn't opted to change it. To do so all they needed to know was the victim's phone number, which if not handy could be obtained by bribing or deceiving customer support representatives."
posted by Mr.Know-it-some at 6:23 PM on July 10, 2011

A large part of what they did was use phone number spoofing.

You know how, when you call your cell phone voicemail from your cell phone, you don't have to enter a pin? That's because the voicemail number checks what number you're calling from and serves up that phone number's messages. So if I fake your number, I can call and, without entering a pin, hear your messages.

They also exploited the loophole that if you call a phone from another number, you can usually hit a key and enter a pin to check voicemail. But most of us never do this, so we never bother changing the default pin, which varies by service provider.

From what I've heard so far, the reporters mainly paid private investigators who did these things, and didn't do it themselves. But they easily could have, and it's almost certain most of the reporters and editors knew what was going on.
posted by lesli212 at 6:23 PM on July 10, 2011

Definitely spoofing and easy/stupid/nonexistent PINs. Not hard at all - arguably the easiest possible way of "spying" on someone. Don't have to leave home, don't even need special equipment, can pull the whole thing off with a normal phone in your bathtub while drinking champagne, if you like. And unless you're a moron, you probably won't leave behind any useful evidence.

I'm honestly surprised that it's taken this long for a massive scandal like this to happen, given that I knew kids who screwed around with phone number spoofing with cell phones (generally of friends, coworkers, etc.) ages ago. I knew kids who'd leave their university (landline) voicemail on the default PIN and got burned back in the 1990s (which is why I use hard-to-remember PINs, sigh.) I rather suspect that the reason we're hearing about this is that the NOTW people were incredibly injudicious with what they were doing and how they used the information they got.
posted by SMPA at 7:31 PM on July 10, 2011

Sophos (the security and anti-virus compay) wrote a pretty extensive (and mostly jargon free) article about it all here -> http://feedproxy.google.com/~r/nakedsecurity/~3/d4lTLfyqfmw/

The same article aslo has tips on how to make sure that similar techniches cannot be used against you.

Hope that helps unravel things for ya.
posted by Faintdreams at 7:29 AM on July 11, 2011

This thread is closed to new comments.