Deron Berkovitz, CEO of StrongWebmail, started a contest, offering $10,000 to anyone who could hack into the company’s e-mail network.

The gimmick was to promote a new voice-based authentication technology being sold by the company. Berkovitz released his username and password, confident that outsiders still wouldn’t be able to access his in-box.

But it turns out the money was owed just days after the contest was launched, PC World reports.

A group of hackers exploited a flaw in the software used to power the Web-based e-mail system. They launched a cross-site scripting (XSS) attack – basically, taking advantage of a bug on the Web server to run malicious code on Berkowitz’s browser and gain control.

The group claims they found the flaw within a minute and spent just six hours perfecting their attack.

The company admitted defeat and is paying the hackers the $10,000 – but Berkowitz did emphasize the fact that the bug the hackers used was in the software used to power StrongWebmail, not in the authentication device the contest was designed to promote.

The lesson: When testing security, make sure you’ve got all your bases covered. Many companies focus too much on one area and leave another open to attack.