Sunday, December 06, 2009


Oscar Boykin once told me that nobody cares about security unless it can be obtained without inconvenience.

Monday morning around 8:00 a.m., I received a voicemail from my mother-in-law. She had received a “funny email” from me, time-stamped the night before, something about me being stranded in London and needing a money transfer right away. Could I please call her?

Facebook, I immediately thought, having read sometime this year that the usual people were scamming Facebook users with exactly this appeal from hacked accounts. But 30 seconds later, my wife called. My mom had called her to tell me that she had received an email from my Yahoo email address with the exact same appeal. Crap, they’ve got my Yahoo account? “Log on to my account and change the password,” I told her. “It will be a few minutes before I can reach a computer.”

Ten minutes later, I logged onto Yahoo and found . . . nothing. I had saved thousands of emails. I had had an address book with over 400 names. All of it was now gone, and I had no way of alerting anyone that the appeal for funds was fraudulent.

But what was potentially worse was that this email address was the email-of-record for every online service I used. And what was definitely worse was that Yahoo’s login / password combo was the very login / password combo I used with all of my social networking accounts. Google. Facebook. Blogger. LinkedIn. All of these were now wide open. And financial services? Most of them have long since prevented users from choosing dictionary words as passwords . . . but not all of them.
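The paragraph above names the two failures that turned one hijacked mailbox into an exposure of every other account: a password built from a dictionary word, and the same login/password pair reused across services. The Python below is an added illustration (not code from the original post) of the two checks a defender would put in front of a password: a wordlist test that undoes common substitutions and edge digits before comparing, and a reuse detector that fingerprints each password under a vault-private key so that a password shared between, say, webmail and a bank is flagged the moment it is entered. The seven-word DICTIONARY, the service names, and the sample passwords are constructed for this example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed stand-in for a real wordlist. A real check would load a large
# dictionary plus a breached-password list; the logic below does not change.
DICTIONARY = {"password", "london", "yahoo", "summer", "dragon", "letmein", "welcome"}

# Common "leet" substitutions that cracking rules undo anyway, so the policy
# check undoes them too before comparing against the dictionary.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE_NOISE = string.digits + string.punctuation  # "summer2009" -> "summer"


def candidate_forms(pw):
    """Lower-case variants of pw with substitutions undone and edge noise stripped."""
    p = pw.lower()
    forms = {p, p.translate(LEET)}
    forms |= {f.strip(EDGE_NOISE) for f in list(forms)}
    return {f for f in forms if f}


def dictionary_base(pw, dictionary=DICTIONARY):
    """Return the dictionary word(s) pw is built from, or None if no match."""
    for form in candidate_forms(pw):
        if form in dictionary:
            return form
        # Two dictionary words glued together ("yahoolondon"); words of 3+ letters.
        for i in range(3, len(form) - 2):
            if form[:i] in dictionary and form[i:] in dictionary:
                return form[:i] + "+" + form[i:]
    return None


def password_problems(pw, dictionary=DICTIONARY, min_len=12):
    """List every policy violation; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in pool for c in pw) for pool in pools)
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    base = dictionary_base(pw, dictionary)
    if base is not None:
        problems.append(f"built on dictionary word(s): {base}")
    return problems


class PasswordVault:
    """Detects one password being reused across services without storing it.

    Each password is fingerprinted with HMAC-SHA256 under a random per-vault
    key, so a leaked fingerprint table is useless without that key.
    """

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._users = {}  # fingerprint -> set of service names

    def _fingerprint(self, pw):
        return hmac.new(self._key, pw.encode(), hashlib.sha256).hexdigest()

    def register(self, service, pw):
        """Record pw for service; return the other services already using it."""
        fp = self._fingerprint(pw)
        shared = sorted(self._users.get(fp, set()) - {service})
        self._users.setdefault(fp, set()).add(service)
        return shared


def random_password(length=16):
    """Generate a password with at least one character from each class."""
    rng = secrets.SystemRandom()
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    chars = [secrets.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for sample in ("P@ssw0rd1", "summer2009", "yahoolondon", random_password()):
        print(f"{sample!r}: {password_problems(sample) or 'ok'}")
    vault = PasswordVault()
    vault.register("yahoo", "summer2009")          # constructed sample
    print("reused from:", vault.register("bank", "summer2009"))
```

The reuse check is the one that matters most for the scenario in the post: a mailbox password on its own is a contained loss, while the same password on the email-of-record plus every service that resets through it is not. Running the vault inside a password manager (where the key already lives) is the natural place for it.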

As near as I can figure, the hackers were using my account between 9:00 p.m. Sunday and 3:00 a.m. on Monday. Six hours. It took me longer than that to undo the damage.

First, I logged onto Facebook. Change the password, validate a new email address, and post a newsfeed item to ignore emails from Yahoo. I have about 140 Facebook friends, but they would need to be reading Facebook to see a newsfeed item, so I had to send out a Facebook message to be sure everyone would get the word. Facebook, unfortunately, doesn’t want its messaging system to be used for spam, so it limits each message to 20 recipients, and doesn’t make it easy to grind these out.

But that was only a fraction of the people vulnerable. Fortunately, I had a two-year-old backup of my address book on my laptop. Less fortunately, my new email service also had a limit on the number of recipients that a single email could have. The number was higher - 100 - but it worked out to be 100 per hour, because after each email of 100 recipients I sent out, the service temporarily froze my account.

It’s not fair! I thought. My hackers can churn out email faster than I can as the lawful owner!

Meanwhile, the phone at home was ringing off the hook. Most of the Americans called to say that I had been spoofed; I benefitted from a combination of my own reputation as a writer and the poor spelling of the hackers. But some of the foreigners were at the point of being taken in, although they wondered why I wasn’t calling my wife for help.

During the down time, I turned my attention to the other accounts. I just counted them, and I have at least 27 different services for which this address was the email-of-record. All of these now had to be updated. My favorite experience (intended sarcastically) was a business credit card obtained through my employer. When I logged in, I was greeted with a message that my password had expired; would I please click the button below to obtain a new password? Congratulations! it said afterward. We have emailed your new password to your email-of-record.

I was lucky. Oscar was right: I hadn’t cared enough about security to follow anything close to smart password practices. But my hackers didn’t even take the trouble to change the password to my Yahoo account, let alone examine its contents to see what other opportunities might be there for them. Had they done so, I could have been badly hurt, rather than put out about eight hours of work.

Blogging Status: still busy. I see that my RSS reader has over 400 unread items. Sorry for not keeping up with y'all.


Ferdinand Bardamu said...

I see that my RSS reader has over 400 unread items. Sorry for not keeping up with y'all.

If you've got the time, Φ, could you update your link to my blog?

Anonymous said...

first catch your hare, then cook him........................................

Anonymous said...

So how are we supposed to know if this post is created by the real theta and not the hacker "theta"? For all we know, the real theta is sitting at home reading this and shouting ineffectually at his monitor, "NO IT'S NOT ME, DON'T BELIEVE HIM".

Maybe you should embed a codeword in your posts that would tell us if you are the legitimate site owner. Send us the codeword by email. Now would be a good time to also implement the duress codeword, in case you are abducted and forced to write blog posts.

Kirt33 said...

Are you saying that the hackers guessed your password? How can we (I) avoid a similar event?

Anonymous said...

32-bit random hexadecimal, changed every 3 months.

Anonymous said...

Also, NEVER use the same login/password for trivial things like Facebook and important things like on-line banking.