UPDATE: Hackers attempted to take over my domain but didn’t quite get away with it this time. Dreamhost was much more helpful this time than when I was attacked in 2013.
I’m 99% sure that my domain hosting and Twitter account are under attack right now. I can’t access either account and this is almost exactly what happened in 2013 when someone hacked half a dozen of my online accounts so he could get into @ruby thinking he could sell it on a hacker forum. This didn’t go well for him, but it was also an enormous pain in the ass for me.
I don’t know about you, but the past year has been a real wake up call for me about the importance of digital security. I used to think of hackers as bored teenagers showing off for their friends, or scammers sending viruses and spam to people by the millions. But today’s online outlaws are much more sophisticated.
Not content to just blast misleading links at us, elite hackers have started spear phishing. This is a tactic that sends an e-mail to an individual with unique, personalized information making it look very real, and convincing the user to click through to a website where they will enter their login credentials. Some hackers also use social engineering (not technology) to trick people into giving away critical information that can then be leveraged to compromise accounts.
Unfortunately, we need to worry not only about obviously sensitive information like bank accounts and e-mails: even seemingly inconsequential accounts can be exploited to provide an opening. Once a hacker gets into any of your accounts, be it iTunes, Etsy, or Pinterest, they can use that information to access other services.
The threat to our privacy is real, and we have seen that there are people who may target us and access our data not just for commercial purposes but for political use. People and organizations that are working for social change have every reason to be concerned about how our personal information, organizational data, and private communications might be used.
Good security is a pain to implement, but every inconvenience for us is an even bigger hassle for a would-be hacker. Start now from wherever you are, and make incremental changes to improve your personal and organizational security.
OK, Ruby, we’re terrified! What do we do?
There is always room for improvement of our security practices, especially as we learn more about the threats that are out there. Here are my recommendations for where to start.
Use randomized, unique passwords on every single site, and use a solid password manager like LastPass or 1Password to store them. Both have group options for setting up a whole team and sharing between them. Never send a password over e-mail or social media.
Use multifactor (a.k.a. “two-step”) authentication for your e-mail, social media accounts, and any other service that offers it. Individual Gmail users can start here. If your organization uses Google services, you can require this for all users.
Protect your website with HTTPS, especially if users are entering e-mail addresses and passwords. And use HTTPS Everywhere in your own browser to make your web traffic private.
Secure your laptop and phone by setting them to require a password every time they start or wake up. Bonus: encrypt the data on them as well.
Use a secure messaging app like Signal or WhatsApp for texting and calls on your phone.
Me and My Shadow is a fantastic site with fun, educational information and even trainings you can download and use about online privacy.
The Electronic Frontier Foundation has been advocating for Internet users’ rights for many years. Their Surveillance Self-Defense site includes a Security Starter Pack and covers a wide range of topics thoroughly.
So my Instagram account got hacked early last week. I’m not sure when. I found out when someone sent me this screenshot on Tuesday showing my photos with a different profile, which seemed to be marketing porn.
I submitted support tickets to Instagram on Wednesday and again on Thursday but never got any reply. Strangely, a few other friends said that they were also hacked this week! But they were able to get access back in less than a day after contacting support.
Finally, I used a professional network I’m in to see if anyone had contacts at Instagram. This connected me to someone, but he was on vacation! After I bugged him, he eventually connected me to someone else, and she was able to get my account restored on Saturday afternoon. They are both political staff there, not the help desk.
I still don’t know how it got hacked so I don’t know if there was a breach at Instagram or if someone got my password. I would very much like to know, and I also find it unacceptable (but sadly not surprising) that their tech support didn’t even care to reply to me or to stop a malicious hacker compromising their platform.
This whole thing caused some unpleasant flashbacks to The Great Hack of 2013, but my security is much better now because I use truly random, computer-generated passwords (and a password manager) and I always utilize multifactor authentication when it’s an option. So I immediately changed a few passwords that were overdue anyway, but I don’t see anything else suspicious on other accounts. Still keeping a watchful eye open…
Last night, someone (probably Isolate, the same loser who did it last time) tried to hack into my online identity.
Last night I received an unsolicited password reset e-mail from Twitter. I ignored it but kept a watchful eye. A few moments later I got a slew of messages from Yahoo.
7:32pm: Password reset requested. (Ignored.)
7:53pm: ruby62@mailinator.com [a service commonly used by spammers] was added to my account.
7:55pm: My password was reset.
7:56pm: My actual e-mail address was removed from the account.
Then they took my cell phone number off the account and changed my security questions. I braced for impact, hoping that the multi-factor authentication that I added to all my accounts after being hacked in May would withstand the assault.
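As an added example, not part of the original post: a small Python detector that flags the pattern described above (a completed password reset surrounded by recovery-contact changes) over a constructed account-event log modelled on those timestamps. The log format and the disposable-domain watch-list are assumptions, not any provider's real format.

```python
from datetime import datetime, timedelta

# Constructed sample log (not a real provider format), modelled on the
# sequence above: reset requested, throwaway address added, password reset,
# real address and phone removed, security questions changed.
SAMPLE_EVENTS = """\
19:32 password_reset_requested
19:53 recovery_email_added ruby62@mailinator.com
19:55 password_reset_completed
19:56 primary_email_removed
20:01 phone_removed
20:02 security_questions_changed
"""
# Events that alter how an account can be recovered; several of them
# clustered around one password reset is the takeover pattern to alert on.
RECOVERY_CHANGES = {"recovery_email_added", "primary_email_removed",
                    "phone_removed", "security_questions_changed"}
DISPOSABLE_DOMAINS = {"mailinator.com"}  # hypothetical throwaway-domain watch-list

def parse_events(text):
    """Parse '<HH:MM> <event> [detail]' lines into (time, event, detail)."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) >= 2:
            detail = parts[2] if len(parts) == 3 else ""
            events.append((datetime.strptime(parts[0], "%H:%M"), parts[1], detail))
    return events

def detect_takeover(text, window_minutes=60, min_changes=2):
    """Alert on each completed password reset with >= min_changes recovery-contact
    changes within +/- window_minutes; score +1 if a disposable address was added."""
    events = parse_events(text)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ts, name, _ in events:
        if name != "password_reset_completed":
            continue
        changes = [(n, d) for t, n, d in events
                   if n in RECOVERY_CHANGES and abs(t - ts) <= window]
        if len(changes) < min_changes:
            continue
        disposable = any(n == "recovery_email_added" and
                         d.rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS
                         for n, d in changes)
        alerts.append({"reset_at": ts.strftime("%H:%M"),
                       "changes": [n for n, _ in changes],
                       "score": len(changes) + (1 if disposable else 0)})
    return alerts
```

Run `detect_takeover(SAMPLE_EVENTS)` to see the single high-score alert; a lone reset with one later change does not trigger.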
And it did! I sent messages to Yahoo via Twitter at 9:36pm and via their webform at 9:47pm, and at 11:35pm they acknowledged it but only via e-mail to my unused Yahoo address. It looks like someone also tried to get into an old Dreamhost account from a former client, but the account was already suspended.
Today I was able to successfully reset my password and remove all the junk settings. I already had 2-step authentication turned on for this account so I’m not sure how it got hacked anyway, but I’m glad it didn’t go too far.
Although it was very likely the same teenager from Las Vegas doing the hacking, whoever it was made it seem like they were logging in from Europe:
I have finally finished compiling my detailed timeline of how I got hacked and then unhacked myself. It includes the exact times that I received password reset messages, when I wrote to support, when they wrote back to help, when they gave me the finger, etc.
I’ve got it all in a spreadsheet. Now, how can I display this publicly? I’d love to make a timeline like this: http://www.simile-widgets.org/timeline/ Or is there a Google widget I could connect to a Google Doc Spreadsheet?
This would also make great fodder for any reporter who wants to help people understand and avoid this, and/or to write about how shockingly unresponsive certain companies can be (cough, Twitter) when their own services are compromised.
In the chaos of the day I chalked this up to the ongoing tangle left by last week’s hacking, so today while I was at a computer I made sure to fully authorize Hootsuite using the 2-step verification that I enabled for @ruby about a week ago. It seemed to work. This evening I tried again to use Hootsuite from my phone and found that I still can’t send from any of my Twitter accounts. So I asked @hootsuite, and amazingly, they said:
@ruby We are unable to guarantee full functionality with Twitter 2-step verification at this time. ^TF
Now I know that Twitter only enabled this feature less than 2 weeks ago, but here I am – a paying customer of Hootsuite (through work) – and now that I have enabled better security on ONE of my accounts, I can no longer post tweets from ANY of my accounts from my phone.
Amazed again that huge companies that rely on their web services don’t seem to care much about the security of their accounts. They should be pushing US (customers/products) to get more secure, not the other way around!
So right after my Twitter account was hacked I learned that Twitter had finally implemented 2-step authentication just days earlier. I have now turned it on, of course.
But the really gigantic part of getting hacked was losing control over my entire Dreamhost account including several websites, e-mail addresses, and domain names. Today I learned that Dreamhost also offers 2-step authentication. But they are not doing much to encourage people to use it. I Googled and was able to find these instructions and am so relieved to have this in place now.
I already had this enabled for Google and Facebook, but now that I’m looking at it, there are many other services that offer 2-step (a.k.a. 2-factor) authentication, including Dropbox and Paypal. LinkedIn just started using it this week. I’m a little annoyed that I had to go looking to find out about many of these.
So here’s my list so far of who supports 2-step:
Google
Facebook
Twitter
Dreamhost
LinkedIn
Dropbox
PayPal/eBay
Did I forget any? The best way to find out if your favorite web service supports this is to Google “2-step” and the name of the service.
I think this makes it pretty clear how seriously Twitter takes their security: The guy who hacked my account is still happily tweeting away about the latest social engineering methods and how it was my fault that he hacked into my personal accounts so he could try to sell @Ruby on hackerforum.net.
Better late than never, Twitter added two-step authentication for accounts last month, but it’s clear they aren’t really concerned about their users when they do nothing to help protect users like me or @Mat, even when we know people are targeting us, and let genuine security risks chill out indefinitely.
twitter.com/isol8te
Please share this post if you agree that Twitter should take action against “Isolate” and any users who are known to have hacked other people’s Twitter accounts in the past.