Last night, someone (probably Isolate, the same loser who did it last time) tried to hack into my online identity.
Last night I received an unsolicited password reset e-mail from Twitter. I ignored it but kept a watchful eye. A few moments later I got a slew of messages from Yahoo.
7:32pm: Password reset requested. (Ignored.)
7:53pm: firstname.lastname@example.org [a service commonly used by spammers] was added to my account.
7:55pm: My password was reset.
7:56pm: My actual e-mail address was removed from the account.
Then they took my cell phone number off the account and changed my security questions. I braced for impact, hoping that that multi-factor authentication that I added to all my accounts after being hacked in May would withstand the assault.
And it did! I sent messages to Yahoo via Twitter at 9:36pm and via their webform at 9:47pm, and at 11:35pm they acknowledged it but only via e-mail to my unused Yahoo address. It looks like someone also tried to get into an old Dreamhost account from a former client, but the account was already suspended.
Today I was able successfully reset my password and remove all the junk settings. I already had 2-step authentication turned on for this account so I’m not sure how it got hacked anyway, but I’m glad it didn’t go too far.
Although it was very likely the same teenager from Las Vegas doing the hacking, whoever it was made it seem like they were logging in from Europe:
I have finally finished compiling my detailed timeline of how I got hacked and then unhacked myself. It includes the exact times that I received password reset messages, when I wrote to support, when they wrote back to help, when they gave me the finger, etc.
I’ve got it all in a spreadsheet. Now, how can I display this publicly? I’d love to make a timeline like this http://www.simile-widgets.org/timeline/ Or is there a Google widget I could connect to a Google Doc Spreadsheet?
This would also make great fodder for any reporter who wants to help people understand and avoid this, and/or to write about how shockingly unresponsive certain companies can be (cough, Twitter) when their own services are compromised.
So, on Monday I attended an historic protest at the North Carolina General Assembly. My phone was in-hand nearly the entire time (see goofy pic), as my main goal was documenting the civil disobedience and arrests of five elected officials from Orange County, NC. However, I found myself only able to retweet others from the Hootsuite app I use on my Android phone. I could post with other apps like Instagram, but my tweets (as @ruby and as @orangepolitics) just sat in Hootsuite’s outbox.
In the chaos of the day I chalked this up to the ongoing tangle left by last week’s hacking, so today while I was at a computer I made sure to fully authorize Hootsuite using the 2-step verification that I enabled for @ruby about a week ago. It seemed to work. This evening I tried again to use Hootsuite from my phone and found that I still can’t send from any of my Twitter accounts. So I asked @hootsuite, and amazingly, they said:
We are unable to guarantee full functionality with Twitter 2-step verification at this time. ^TF
Now I know that Twitter only enabled this feature less than 2 weeks ago, but here I am – a paying customer of Hootsuite (through work) – and now that I have enabled better security on ONE of my accounts, I can no longer post tweets from ANY of my accounts from my phone.
Amazed again that huge companies that rely on their web services don’t seem to care much about the security of their accounts. They should be pushing US (customers/products) to get more secure, not the other way around!
So right after my Twitter account was hacked I learned that Twitter had finally implemented 2-step authentication just days earlier. I have now turned it on, of course.
But the really gigantic part of getting hacked was losing control over my entire Dreamhost account including several websites, e-mail addresses, and domain names. Today I learned that Dreamhost also offers 2-step authentication. But they are not doing much to encourage people to use it. I Googled and was able to find these instructions and am so relieved to have this in place now.
I already had this enabled for Google and Facebook, but now that I’m looking at it, there are many other services that offer 2-step (a.k.a. 2-factor) authentication, including Dropbox and Paypal. LinkedIn just started using it this week. I’m a little annoyed that I had to go looking to find out about many of these.
So here’s my list so far who supports 2-step:
Did I forget any? The best way to find out if your favorite web service supports this is to Google “2-step” and the name of the service.
I think this makes it pretty clear how seriously Twitter takes their security: The guy who hacked my account is still happily tweeting away about the latest social engineering methods and how it was my fault that he hacked into my personal accounts so he could try to sell @Ruby on hackerforum.net.
Better late than never, Twitter added two-step authentication for accounts last month, but it’s clear they aren’t really concerned about their users when they do nothing to help protect users like me or @Mat, even when we know people are targeting us, and let genuine security risks chill out indefinitely.
Please share this post if you agree that Twitter should take action against “Isolate” and any users who are known to have hacked other people’s Twitter accounts in the past.
I’m not going to post everything that has been going on yesterday and today (yet) as the hackers are reading my Tumblr. I have to share some amusing and quite public links.
Meet my hacker “Isolate.” This is the person who hacked most of my digital life so he could try to sell @ruby for $80. I alerted Twitter about his account this over an hour ago. It’s obviously fine with them to hack other people’s accounts AND brag about it with their service.
Poor guy is concerned that I am giving some clueless teenager credit for his brilliant social engineering hack. Don’t worry d00d, it’s pretty obvious when you read the conversations at Hack Forums where Isolate first asks what it’s worth (the page has been removed, but I saved it), then trades it to —— J —— (Jacob Glickman) for a YouTube ID. Then —— J —— tries to sell it even though the other hackers are telling him that it belongs to someone else (me) and even tell him to read my Tumblr.
Jacob then contacted me offering to get me back the account. He even tried to get me to e-mail him by putting his address in my Twitter bio. Not only was it not his to give, he would never have been able to restore my posts and followers, as Twitter eventually rightfully did.
Here is the best of all, —— J —— now files a complaint against Isolate for ripping him off! Have fun, you guys!
Last night at about 12:30 am I recovered access to my web hosting account at Dreamhost. This contains personal and professional websites and e-mail accounts for me, and several former clients and employers. Importantly, this allowed me to get back the only address through which Twitter would talk to me.
So early this morning I was able to recover access to @ruby, hurrah. There’s a little bug where on my profile I have no followers nor following:
But on my followers page, I see all the correct numbers:
Hopefully this will all be cleared up soon. I cannot strongly enough express my gratitude to all the people that spoke out and even fought for me in the last couple of days.
Stay tuned for future posts about the losers who did this. I have some really funny e-mails and things to share.
I am back into my account! I think the social pressure helped, so thanks to EVERYONE who has been sharing my story.
Next up, restoring my Twitter profile, including the content. This looks promising:
A few people now have contacted me about the hacker forum where my Twitter name (with no tweets and no followers) is now available for the low, low price of $70!
You have to register on the forum to see it, but the URL is http://www.hackforums.net/showthread.php?tid=3508538 in case you’re curious.
My friend Christina actually logged in. She says the person selling it presents as a 17 year old male form NY, and he says the person who hacked me traded the ID to him. Then my friend Jackson also logged in to the forum and took these amazing screenshots: