Monday, January 18, 2010

More Specifics on the Hacking Thing

Now that I've recovered from some of the panic from earlier today, I thought I'd try to distill down as much as I know about what happened to my account(s) so that anyone reading this can be on the lookout for similar problems in their own e-mail accounts.

This was NOT, as I originally thought, a virus. The problem was never on my computer (at least as far as I know so far - and thanks to my awesome brother-in-law for helping me diagnose that). What happened to me today was online identity theft, and my hope is that it was more a huge hassle than any actual destruction.

That said, the hassle DID take up my whole day, and I'm still concerned that someone may have lost money because of this garbage, or that some personal information of mine might've been compromised. Anyway, enough people have been thoroughly shocked at the depth and cunning of what seemed like a simple virus at first, that I thought a more thorough warning might be helpful.

So, here's what happened:
  • Early this morning, someone hacked into my gmail account. I've never given out my password, and I didn't fall for a phishing scam. There was some kind of security breach with my gmail password.
    [I should point out here that I made the careless mistake of keeping the same password for a very long time, and that I do use the same password for lots of non-financial accounts, like gmail.
    Someone more knowledgeable than I in this arena has pointed out that since this "London Scam" has been around (I've seen accounts of it as early as last May) some technorati fingers have been pointing at Facebook for the security breach, which Facebook apparently denies. According to my internet-wise friend, the theory is that the scam artists stole a whole bunch of passwords from somewhere, and have been holding onto them and slowly meting out this lovely lesson ever since. So, if you are reading this and haven't changed your e-mail password in a month or so, go do it now. Go ahead. We'll wait. Done? Good.]

  • Once the hackers were in my gmail account, they changed my password to lock me out. Then they sent out an e-mail to many of my contacts, claiming to be me, and claiming that I'd been robbed at gunpoint in London and needed money. I've noticed as the day wears on that they mostly contacted people who are not on my "most frequent contacts" list, the ones who I e-mail daily and would obviously know I'm not in London.
  • While in gmail, they also used my gmail-based Instant Messenger to contact friends of mine who were online, still pretending to be me and claiming to be in a library in London with only a passport. I find this especially creepy.
  • The hackers then created a fake e-mail address using my name at "OperaMail.com" and put it in my gmail account as the 'alternate' e-mail. They set my account to forward any incoming e-mails (like those of concerned friends wanting to help, for example) to this fake account and to delete them from my gmail. So, when I used google's account recovery system to get into my gmail account, it almost looked like nothing had happened - they deleted all the sent e-mails and any incoming e-mails were being automatically forwarded.
  • They also changed my security settings and put in a Nigerian cell phone number as my "password recovery option" - so when they locked me out of my gmail and I tried to use the automated system to reset the password, they received a text message notification so that they could jump in and beat me to the punch. I don't know about you, but these aren't things I immediately knew to look for when I got back into my e-mail the first time (instead, I started trying to send out warning e-mails to my contacts).
  • In addition to trolling through my gmail contacts, they also found all the other e-mail addresses I have connected to that account and tried to hack into those as well. I got a notification from yahoo asking me to confirm that I'd added a new e-mail address (which I hadn't), and fortunately I was quick enough to get in and fix that before they did too much damage on that account. They did, however, manage to change my contact information!
  • In the meantime, they used their access to my gmail account to get to my facebook page. I use a completely different password for facebook, but since they had access to my e-mail, all they had to do was go to facebook, click to reset the password, and then change it to their own.
  • They also created another e-mail account in my name, this one just like my yahoo account, but with one extra letter before the @. They added this fake account to my facebook page; and then deleted the e-mail that facebook automatically generates letting you know that changes have been made to your account. If I hadn't trolled through my gmail trash later, I never would've known that they did this. As it was, I was locked out of Facebook all day until I found that e-mail (and of course they were not only e-mailing my FB friends but also instant messaging with those who were online --- asking for money).
That's what happened. I've put it all in, step by step, so that my dear readers can get a sense for how clever (and thorough) these folks were in trying to extort money from my friends and colleagues. Not only did they hack in, they created two brand new e-mail addresses designed to mimic my own and spent lots of time tracking down my friends. They also had to be attentive to when I was attempting to recover and reset passwords. This was not just a random phishing scam; these folks really made an effort to steal my identity and represent themselves as me.
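The steps above are the same handful of settings changes that turn up again and again in webmail account takeovers: a forward-and-delete filter, a recovery phone in an unexpected country, an "alternate" address that is a lookalike of the real one, and a provider's change notice quietly moved to the trash. As an added illustration (this is not code from the blog author, and the settings layout is a made-up dictionary, not any provider's export format), the following script audits a constructed snapshot of account settings for exactly those indicators. All addresses, phone numbers and messages in it are constructed sample values.

```python
"""Audit a snapshot of webmail account settings for account-takeover indicators.

Added example, not the blog's own code. The snapshot format below is a
hypothetical dictionary; a real audit would read the provider's settings page
or export instead.
"""
import re

# The account owner's known-good identity (constructed values).
OWNER_ADDRESSES = {"jane.doe@gmail.com", "jane.doe@yahoo.com"}
OWNER_COUNTRY_CODES = {"+1"}          # dialling prefixes the owner actually uses
SECURITY_NOTICE_SENDERS = {"facebook.com", "yahoo.com", "google.com"}
NOTICE_KEYWORDS = ("changed", "added", "reset", "recovery")


def edit_distance(a, b):
    """Plain Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(addr, known):
    """True if addr is not one of the owner's addresses but its local part is
    within one edit of an owner's local part (e.g. one extra letter before the @,
    or the owner's exact name at a different provider)."""
    addr = addr.lower()
    if addr in known:
        return False
    local = addr.split("@", 1)[0]
    return any(edit_distance(local, k.split("@", 1)[0]) <= 1 for k in known)


def audit(snapshot, owner_addresses=OWNER_ADDRESSES, owner_codes=OWNER_COUNTRY_CODES):
    """Return a list of (indicator, severity, detail) tuples for the snapshot."""
    findings = []

    # 1. Filters that forward mail off-account, worse if they also delete it.
    for f in snapshot.get("filters", []):
        to = f.get("forward_to")
        if to and to.lower() not in owner_addresses:
            severity = "HIGH" if f.get("delete_original") else "MEDIUM"
            findings.append(("FORWARD_EXTERNAL", severity, to))

    # 2. Recovery phone whose dialling prefix the owner does not use.
    #    Prefix matching is deliberately simple; a real check would parse E.164.
    phone = snapshot.get("recovery_phone")
    if phone and not any(phone.startswith(cc) for cc in owner_codes):
        findings.append(("RECOVERY_PHONE_UNEXPECTED_COUNTRY", "HIGH", phone))

    # 3. Alternate/recovery e-mail addresses the owner did not register.
    for alt in snapshot.get("alternate_emails", []):
        if alt.lower() in owner_addresses:
            continue
        kind = "ALTERNATE_LOOKALIKE" if is_lookalike(alt, owner_addresses) else "ALTERNATE_UNKNOWN"
        findings.append((kind, "HIGH", alt))

    # 4. Provider "your account was changed" notices that ended up in the trash.
    for msg in snapshot.get("trash", []):
        sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
        subject = msg["subject"].lower()
        if sender_domain in SECURITY_NOTICE_SENDERS and any(k in subject for k in NOTICE_KEYWORDS):
            findings.append(("DELETED_SECURITY_NOTICE", "MEDIUM", msg["subject"]))

    return findings


# Constructed snapshot mirroring the changes described in the post.
SAMPLE_SNAPSHOT = {
    "recovery_phone": "+2348012345678",                     # constructed, not a real number
    "alternate_emails": ["jane.doe@operamail.com", "jane.doex@yahoo.com"],
    "filters": [
        {"match": "*", "forward_to": "jane.doe@operamail.com", "delete_original": True},
        {"match": "from:newsletter@example.com", "forward_to": None, "label": "news"},
    ],
    "trash": [
        {"from": "notification@facebook.com", "subject": "Your primary email address has been changed"},
        {"from": "friend@example.com", "subject": "Re: lunch"},
    ],
}

if __name__ == "__main__":
    for indicator, severity, detail in audit(SAMPLE_SNAPSHOT):
        print(f"[{severity}] {indicator}: {detail}")
```

Run against the sample snapshot it reports five findings: the forward-and-delete filter, the foreign recovery phone, both lookalike addresses, and the deleted Facebook notice. The lookalike test compares only the part before the @, which is what catches both tricks the post describes (same name at a different provider, and the real provider with one extra letter).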

So, here's what I did:
  • I used Google's account recovery form to get back into my account (twice) via my yahoo account, and the second time, I waited for the first possible chance to get in and then quickly: changed my password to one much harder to duplicate, deleted all alternate e-mails from my profile, and deleted the Nigerian cell phone number from my password recovery options.
  • I changed the passwords on all my often-used social/e-mail sites, and on the sites for my financial institutions
  • I updated my friends and family via social networking, blogging, phone calls and (when possible) e-mail
  • Did a "deep scan" on my computer (again, thanks to my brother-in-law) to make sure I am virus-free
And here's what I am still working on:
  • Going through my e-mail accounts looking for passwords and/or login information that might have been vulnerable while the hackers had access to my email account. Deleting those e-mails once I've updated the information elsewhere.
  • Exporting my seldom-used contacts to a spreadsheet so that I can delete them from my e-mail account but still have them if I need them again.
  • I'm considering decentralizing some of my e-mail functions - while it's convenient having everything in one place, it also makes me pretty vulnerable
  • Credit freezes: since I don't know how far this "identity theft" actually goes, and I've seen how determined these bad guys are, we're calling the credit bureaus to have them freeze our credit. Clark Howard says it's a good idea anyway, and this little incident is just a good reminder....
  • Counting my blessings. I have to say I felt pretty violated today, but watching the news reports about the devastation in Haiti reminds me to keep even major annoyances like this one in perspective.
Some changes I'm hoping to make in the future:
  • Changing passwords more often
  • Deleting more e-mails (instead of just archiving), especially those with any kind of login information
  • Creating an offline, protected list of login names and passwords that I can maintain and update frequently
  • Stop using the same or similar passwords when I register for new websites or shop online. I've always done this because it makes it easier to remember, but I'll just have to go with a different system instead.
And.... what else? I'd love to hear suggestions from those more expert than I.

Be careful out there!

4 comments:

Brenda Cummings said...

I am so happy you have my work email as a contact for me. My IT department keeps my email contacts safe. (except for my UK account)

Eli said...

http://news.cnet.com/8301-27080_3-10436698-245.html

One of Facebook's little known security changes not too long ago was to give all applications- and their owners- access to your profile and account information when you clicked on the app. I recently went into my Facebook account under Settings > Applications and was stunned at how many apps showed up that I have never used. That could be how the passwords were being stored. You can disable any applications you don't want to use.

Unknown said...

Same exact thing happened to me yesterday, and I'm still fighting to regain control of my gmail. I'm wondering if you've regained access to fb. The fb overlords shut it down yesterday, and since then I've heard nothing. Though I do appreciate your point that it's kind of nice to have the time back from fb-suckage, I would appreciate some closure from them. Thanks for giving me reassurance that I'm not alone in this mess!

M.J. Pullen said...

Sylvia -- I'm sorry this happened to you, too! It took me over a week to get FB restored, and I think I had to e-mail them two or three times to get it resolved. But, it did come back.

And, just to be safe, I'm not planning on using FB's "Friend Finder" anymore, or I will change my google password immediately after doing so.