So almost a year ago I got hacked, hacked real bad in fact and I literally (almost) pooped my pants – it was scary watching your whole online life disappearing before your eyes. Ironic in a way as I spend my time securing other people’s sites and lives – but often forget about my own.
Seriously, getting hacked – in front of your own eyes – is not fun or nice – it’s really very terrifying thinking you could lose all those memories/connections/messages/e-mails.
I’d been ‘meaning’ to transition to some kind of online password management system for a long time – but as usual never actually got around to it.
I was super lucky that I was actually online when it was happening. I was browsing something on Facebook, then suddenly I got logged out and I couldn’t get back in – then the panic set in, because when I tried to log in, Facebook said there was no account with that e-mail!
The email you entered does not belong to any account.
You can login using any email, username or mobile phone number associated with your account. Make sure that it is typed correctly.
Luckily it prompted me and I tried to log in with my mobile number (and luckily I HAD put my mobile number in, against my internal privacy complaints) and the hacker couldn’t change it (because they probably didn’t want to put in their own mobile number and get it verified).
As you can see though the e-mail had already changed to something ending in the Albanian TLD .al – it was @fbi.al actually.
Another reason I was ok, is that my primary e-mail was @gmail.com which I kept very secure (I actually use the Google Authenticator app for that account so it was safe, even if the password was leaked).
And the smart thing (which I didn’t know, and I guess Facebook does this for cases like this) is that it actually remembers your previous e-mail addresses – so it can test you on them and revert the account back to you.
But he was in my secondary e-mail @hotmail.com which was a recovery account for my Gmail account – so that was pretty scary.
My Gmail account was also a secondary for my @hotmail.com account though, so I managed to lock it up pretty quickly. It also now supports 2-factor authentication using the same Google Authenticator app – so I turned that on to secure the @hotmail.com account for good.
I managed to get the reset code via SMS though and eventually I managed to get back in – although after regaining access I was locked out of Facebook for 24 hours after answering a bunch of stuff.
Facebook actually has a lot of cool security features I didn’t know about, like the fact that during a dispute (this was pretty much a real time tussle between the hacker to lock me out, and me to lock the hacker out) it does stuff like show you pictures of your friends and asks you to identify them from a list of names.
Obviously if it wasn’t really your account the best you could do was guess – this was how I managed to get back in – by identifying my friends.
Another feature I discovered during this whole debacle, was that Facebook also has a trusted friends feature where you can add friends or family members that can verify your identity during a dispute over an account.
After some research I figured out that some time in 2011 my passwords had been snatched. Sometimes we get complacent and save passwords in our browsers for convenience; what we forget is that the passwords are saved in plain text (that’s how the browser can retrieve them to fill in the web forms), and thus any nefarious little piece of software (“security tool”/keygen etc.) can grab ALL our passwords from whatever browsers we use (Chrome/IE/Firefox) and from other software too (I found passwords in the list from FileZilla as well – FTP passwords to all my sites).
Another irony, in 2011 I wrote this –
Sometime early in 2012 they were posted in public on some kinda script kiddie hacking blog, and so my blog, Shutter Asia and some other sites that I had saved in my browser kept getting attacked and defaced.
I’m fortunate in two parts:
- Firstly, nothing really serious happened – some annoying defacements and a lot of time wasted trying to figure out how they got in
- Secondly, I’d stopped using FTP a long time ago for important sites and only use SSH access with keypairs (no password access at all)
So they couldn’t actually get any raw server access, only WordPress admin panel access – which can cause some mischief but nothing that couldn’t be repaired.
What did I do to stop it happening again? I signed up for Passpack and went onto every single site that I could remember (especially those in the ‘hacked’ list of which there were 57 – yes FIFTY SEVEN of my login/password combinations) and changed them to secure passwords and saved them in Passpack.
I also went into the browser saved password list, trawled through ALL those sites and transferred them to Passpack too with secure passwords. I ended up with about 87 sets of passwords in Passpack, all with unique strong (12-15 mixed upper/lower with special char) passwords.
It’s actually really important to do this, not only for this scenario: if you use 2-3 combinations of passwords for everything, and one of the sites you use gets hacked and exposes your e-mail address and password, you’re pretty screwed.
But if you use a unique password for every site you use – you’re gonna be fine (especially if you turn on 2FA for all important accounts).
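As an added illustration of the clean-up described above (this is example code, not something from the post or from Passpack), here is a small audit script that takes an exported list of site/username/password entries, groups the sites that share a password, flags passwords that miss the 12-15 character mixed-case-plus-special policy the post settles on, and generates a distinct replacement for every flagged site. The export rows are constructed sample data.

```python
import secrets
import string
from collections import defaultdict

# Policy from the post: 12-15 chars, upper + lower case, at least one special char.
MIN_LEN, MAX_LEN = 12, 15
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"

# Constructed sample of a browser/FTP-client password export; not real credentials.
SAMPLE_EXPORT = [
    ("facebook.com", "me@example.com", "Summer2011!"),
    ("hotmail.com", "me@example.com", "Summer2011!"),
    ("ftp.example-blog.com", "admin", "Summer2011!"),
    ("bank.example", "me", "Tq7#mPz9!vLk2Wd"),
    ("shop.example", "me", "longpasswordnocaps"),
]


def is_strong(pw):
    """True if pw satisfies the post's length / mixed-case / special-char policy."""
    return (MIN_LEN <= len(pw) <= MAX_LEN
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in SPECIALS for c in pw))


def generate_password(length=14):
    """Draw from a CSPRNG and reject until the policy is met (rejection sampling)."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(pw):
            return pw


def audit(entries):
    """Return sites grouped by shared password (reuse) and sites with weak passwords."""
    by_pw = defaultdict(list)
    for site, _user, pw in entries:
        by_pw[pw].append(site)
    reused = [sites for sites in by_pw.values() if len(sites) > 1]
    weak = [site for site, _user, pw in entries if not is_strong(pw)]
    return {"reused": reused, "weak": weak}


def rotation_plan(entries):
    """Map every reused-or-weak site to a fresh, unique, policy-compliant password."""
    result = audit(entries)
    flagged = {site for group in result["reused"] for site in group} | set(result["weak"])
    plan, used = {}, set()
    for site in sorted(flagged):
        pw = generate_password()
        while pw in used:          # guard against the (astronomically unlikely) collision
            pw = generate_password()
        used.add(pw)
        plan[site] = pw
    return plan
```

Run `audit(SAMPLE_EXPORT)` to see the three sites sharing one 11-character password and the one all-lowercase password; `rotation_plan(SAMPLE_EXPORT)` hands back one new password per affected site, ready to paste into whatever password manager you pick.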
So yah, that’s my cautionary tale of being complacent online – I managed to keep my shit together because it’s what I do for a living (don’t panic and fix it!) but if it happens to you, you might not be so lucky.
So get your passwords in order and save yourself the stress of what I went through, or what I’ve seen of some friends who’ve completely lost control of their Facebook/e-mail accounts.