3. You Got Hacked

“I don’t do damsel in distress very well. It’s hard for me to play a victim.”

—SCARLETT JOHANSSON

Contrary to sensationalist news stories, malicious hackers don’t always launch attacks to make a political statement or to get attention: most do it for the money. They want your phone number or other personal information because they can use it to steal your identity (among other ways of monetizing the data) and anything in an account that uses your phone number as a login or for security questions. In this chapter, I’ll explain why someone might steal your personal information, how to prevent that from happening, and what to do if it does happen to you.

Names, usernames, and other personally identifying information are worth money on the black market. They get sold to data brokers, who add the info to bigger databases to be matched with more of your information. That pool of information is then resold to people who sell it yet again as people-finder services—and to people who make money off of identity theft.

How can malicious hackers use a single phone number to totally own your life? It might seem like dark magic involving voodoo candles and computer masterminds, but all an attacker really needs to do is figure out how to play different websites’ password resets off each other in a kind of daisy chain.

It’s almost child’s play. In fact, it took one attacker only one hour to destroy the digital life of Wired journalist Mat Honan. Before Honan could grasp what was going on, his attacker remotely erased (forever) everything on his iPhone, iPad, and MacBook, including photos of deceased in-laws and the first year of his daughter’s life. That attacker also deleted Honan’s Google account and took over his Twitter account to post a bunch of racist and homophobic tweets under his name.

Honan realized something was wrong when he was playing with his daughter and suddenly his iPhone restarted and asked for a four-digit PIN. He knew he hadn’t set the phone up with a PIN.

ONE COMPROMISED ACCOUNT TO RULE THEM ALL

Making an amazing bunch of passwords wouldn’t have saved Honan, because his attacker didn’t run a program to crack or brute-force his password. They weren’t using some crazy-advanced, hacker-voodoo program. The attacker simply reset the password on just one of Honan’s online accounts, thanks to a seemingly harmless piece of personally identifying information: a street address. Then the attacker went to town resetting and taking over the rest of Honan’s accounts.

Honan’s Amazon account went first, when his attacker fooled Amazon’s tech support into revealing part of a credit card number in his billing information. The attack was easy enough: the attacker just called Amazon, gave Honan’s name and billing address, and added a new credit card to the account. Then, the attacker called Amazon again, said they’d lost access to “their” account (actually Mat’s account), and provided the new credit card number as proof of identity. Amazon let the attacker add a new email address to Honan’s account, and from there they just logged in, changed the main password, and started using the information saved in the Amazon account to set to work on Honan’s Apple account.

When this particular attack occurred, Amazon showed customers the same four digits of their credit card numbers that Apple used to verify identities and release account information. The four digits that Amazon didn’t hide were the same ones that Apple hid, so the attacker had enough information from Amazon to get into Honan’s Apple ID account. Once in, they wiped his devices. Next, they used the information they had acquired to do a Gmail password reset, which gave them access to Honan’s Twitter account—their true goal. Game over.

WHAT HONAN DID WRONG

All Honan’s attacker needed to crack his Apple account was an email address, the last four digits of a credit card on file, and the card’s billing address. Honan’s Gmail and Apple accounts were linked, allowing the attacker to see the credit card digits from Honan’s Amazon account. The final piece, Honan’s billing address, was publicly available: a whois lookup on Honan’s website (which lacked privacy controls that would have hidden his address) did the job.

Both Amazon and Apple have since closed the holes that allowed the devastating attack on Honan, but bad security practices are everywhere online. Honan lost his photos forever because he didn’t store backup copies elsewhere for safekeeping. He inadvertently gave his attackers access by linking his Gmail and Apple accounts. All his email addresses used the same user ID (mhonan), and the email address he used for account and password recovery was part of his Google account. His iPhone and computer were remotely wiped because he had set up Find My Mac, which a lot of people use.

Honan’s story sounds like a complicated mess, and it was, but you can learn from his mistakes.

HACK-PROOF YOUR LIFE

The good news is that Honan’s mistakes are avoidable. Here are some easy things you can do to try to prevent attacks on your personal information and accounts.

Make Your Address Hard to Find

If you have a website, make sure you have whois privacy turned on. If the company your domain or website is registered with doesn’t offer this feature, change registrars right away and hide that information. Next, remove your address from people-search websites. (Chapter 7 and the Resources section will help you do this.)

Don’t Link Major Accounts

Some apps want you to link your Facebook, Twitter, Flickr, Instagram, and other accounts with them. The problem is, if all of those accounts are linked, someone needs to crack only that one app to have access to all of those accounts. If you do choose to link your accounts, make sure each is an information dead end for malicious attackers. And think twice before allowing online apps access to accounts like those hosted by Google and Apple, which probably contain a lot of sensitive information.

Don’t Use One Service for Everything

As tempting as it is to use one company and one email account for everything online (or as much as Google might try to make you), you’re much safer if you use different services for your important stuff. For instance, if you have Google Voice linked to your phone number, use Google Calendar and Google Docs for work and personal stuff, have Gmail as your main email, and store all of your contacts and addresses with Google, then you’re screwed if your Gmail account is compromised. If you get hacked and lose your Google account, you’ll find it hard to get it back, and it can take days to do so. First you’ll feel violated and robbed, but then you’ll feel like Google is holding you hostage.

If this happens to you, keep reading: resources and information about the account-recovery process are provided later in this chapter and will help you start the process of getting your life back. But this is why it’s so important to prepare in case you get hacked. Protect yourself—diversify your stuff.
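To make the daisy chain from Honan’s story and the advice in “Don’t Link Major Accounts” and “Don’t Use One Service for Everything” concrete, here is a small Python model, added for this edition and not taken from the book or from any of the services named. It records which pieces of information or accounts let an attacker reset each account, computes which accounts fall once the public pieces are known, and reports which single link, if cut, stops the chain. The recovery rules, and the assumption that the Apple address served as the Gmail recovery address, are simplifications of the narrative, not the services’ actual policies.

```python
# Added example (not from the book): a defender's-side model of the
# password-reset "daisy chain" the chapter describes.
# Keys are assets: an account, or a piece of information. Each value lists
# recovery paths; holding every item in ANY one path lets an attacker take
# the asset. Constructed from the Honan narrative, with simplified rules.
HONAN_CHAIN = {
    "amazon":      [["name", "billing_address"]],
    "card_last4":  [["amazon"]],        # Amazon displayed the digits Apple hid
    "apple_id":    [["email_address", "card_last4", "billing_address"]],
    "device_wipe": [["apple_id"]],      # Find My Mac / Find My iPhone
    "gmail":       [["apple_id"]],      # assumption: Apple address was Gmail's recovery address
    "twitter":     [["gmail"]],         # Twitter's reset mail lands in Gmail
}

# What an attacker could learn without breaking anything: Honan's name, his
# email address, and the billing address exposed by the whois record.
PUBLIC_INFO = {"name", "email_address", "billing_address"}


def blast_radius(chain, held):
    """Return every asset reachable from the items in `held`."""
    owned = set(held)
    changed = True
    while changed:  # iterate to a fixed point over the recovery rules
        changed = False
        for asset, paths in chain.items():
            if asset in owned:
                continue
            if any(all(item in owned for item in path) for path in paths):
                owned.add(asset)
                changed = True
    return owned


def single_points_of_failure(chain, held, target):
    """Return (asset, prerequisite) links whose removal alone keeps `target` safe.

    Denying a prerequisite is the defensive move the chapter recommends:
    unlink two accounts, hide a piece of information, or stop one service
    from revealing what another service uses to verify identity.
    """
    cuts = []
    for asset, paths in chain.items():
        for i, path in enumerate(paths):
            for prereq in path:
                trimmed = dict(chain)
                # Without this prerequisite the whole path can no longer be completed.
                trimmed[asset] = paths[:i] + paths[i + 1:]
                if target not in blast_radius(trimmed, held):
                    cuts.append((asset, prereq))
    return cuts


def diversified(chain):
    """The same accounts, but Gmail gets its own recovery channel (a phone
    number no other account reveals) instead of depending on the Apple ID."""
    fixed = dict(chain)
    fixed["gmail"] = [["gmail_recovery_phone"]]
    return fixed


if __name__ == "__main__":
    print("Reachable from public info:", sorted(blast_radius(HONAN_CHAIN, PUBLIC_INFO)))
    for asset, prereq in single_points_of_failure(HONAN_CHAIN, PUBLIC_INFO, "twitter"):
        print(f"denying {prereq} for {asset} alone protects twitter")
    still = blast_radius(diversified(HONAN_CHAIN), PUBLIC_INFO)
    print("With Gmail unlinked, twitter reachable?", "twitter" in still)
```

Swap in your own accounts and recovery links to see which single piece of information, such as a billing address in a public whois record, puts everything else within reach.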

Back Up Your Everything: Your Contacts, Your Files, Your Photos

Back up everything. Use a secure backup hard drive that you keep at home (or in another safe place), or keep your backups on a computer that’s separate from all others. CrashPlan is an example of a backup service that copies and stores your files on a regular schedule, and it also comes as stand-alone software. Don’t use a friend or family member’s computer for backups because not only do you risk them looking at your stuff, but if they’re compromised, your stuff is at risk, too.

You might consider backing up your files to a cloud service like Dropbox, Box, or Amazon, but if you do, make sure to separate that account from all other accounts by giving it a different username and password.

Encrypt Your Computer’s Hard Drive

Encryption lets you protect your electronic information with a virtually uncrackable password, and Windows, Mac, iOS, and Android all offer ways to encrypt your local storage. Search online to find out how to turn encryption on for your system. Look for FileVault, Apple’s built-in encryption program, and BitLocker on Windows. Without encryption, anyone with a few minutes of access to your computer, tablet, or smartphone can spy on, copy, or steal your files, even if they don’t have your password.

Ultimately, you should watch your personal information like a hawk and keep an eye out for unusual activity. Something is probably wrong if your accounts start sending password resets you know you didn’t initiate or if you start getting account-recovery emails. And beware of account-recovery emails for accounts you know are not yours: these are probably fake phishing emails designed to trick you into clicking links and entering passwords, inadvertently revealing your information or allowing the installation of malware on your computer.

If things go wrong in spite of taking these precautions, you can still minimize the damage. I’ll tell you how in the next section.

WHAT TO DO WHEN YOU’VE BEEN ATTACKED

There are two main ways you can be the victim of malicious hacking: you can be personally targeted, or you can be the victim of a company that follows bad security practices.

NOTE To see if your information was released in a recent breach of a company’s website, visit http://www.haveibeenpwned.com/.

If you think your accounts have been attacked, try to access those accounts. If you’re able to log in, reset the passwords if possible, and check all settings carefully in case an attacker added a forwarding address for all of your email or changed your security questions. Check everything.

In particular, if your email account is attacked, follow these steps:

1. Change your password.

2. Change your username if possible.

3. Look through your inbox for unusual activity.

4. Check sent email for suspicious activity, and see what you find in the Trash.

5. See if any users or email addresses have been added to the account and delete any you don’t recognize.

6. Look for email forwarding. If you didn’t turn it on, turn it off.

7. Check every single setting. If you’re not sure what a particular setting means, search for it online. Also look for settings that just look wrong or out of place.

8. If any of your contacts have been sent emails that were not from you, contact them immediately. Warn them that your account has been compromised and not to respond to or click anything in those emails. Let them know too that you have the situation under control.

Follow any relevant steps in the list above for all of the accounts you can access. You may still be locked out of some accounts at this point, but don’t panic. You can get them back.

Recover Your Accounts and Data

Next, contact websites for which you’re unable to reset passwords, and follow their account-recovery processes. Many, like Twitter and Google, will have online forms you can fill out or other procedures to follow when you’ve been locked out of your account.

For example, Google will ask you questions that only you can answer, like which five people you email most often. After a day or so, you should receive an email that sends you to a page where you have to answer more questions about your Google account, such as the names of your folders, when you started using different Google services, and so on. Getting your Google account back can take at least 48 hours, often longer.

Google may not be known for customer service, and neither is Yahoo!, Hotmail, or any other “free” online business. But you’ll have to put up with them to get your accounts back, and here’s a short list of forms and phone numbers to get you started. (For help finding direct phone numbers that may save you a ton of time, check out http://gethuman.com/.)

Amazon: Use Help > Contact Us.

Apple: Reset your Apple ID password at http://iforgot.apple.com/password/verify/appleid/, or find your Apple ID at http://iforgot.apple.com/appleid/.

eBay: Call 1.866.961.9253. Tell them you’d like to talk about “Account—someone has used your account.”

Facebook: http://facebook.com/hacked/

Google: http://google.com/accounts/recovery/

Microsoft (Outlook, Xbox, Hotmail, and so on): http://account.live.com/acsr/

PayPal: 1.888.221.1161 (Outside the United States, call 1.402.935.2050.)

Twitter: http://support.twitter.com/forms/hacked/

Yahoo!: http://help.yahoo.com/kb/helpcentral/ or 1.800.318.0612

You’ll have to look hard to find support for some websites, and others may have nothing to help you. If you don’t see what you need in the list here, search online for “[website] account verification form” or “[website] account hacked,” or go to the website’s help or contact page.

When you contact a company, be prepared with your account details or other personal information. Don’t expect all companies to be uniformly helpful, no matter how big they are or how many fans they have. When Honan tried to contact Apple for help, Apple support was useless, even though he had AppleCare. He ultimately took his Mac in to an Apple Store while it was still being remotely wiped (the wipe takes a while), and an employee was able to stop the wipe from progressing.

Once you recover your accounts, follow the same steps as in “What to Do When You’ve Been Attacked” on page 36 for accounts you didn’t have to recover. Yes, it’s a pain, and it’ll take a while, but it’s worth your time and effort. For example, Honan had to borrow a friend’s computer so he could reset his Apple password. From there, he used iCloud backups to restore his phone and laptop. It took seven hours to restore his phone, but eventually he got his life back.

Attackers will often delete your data after they’ve gone through it, too. Don’t be surprised if you go into your compromised accounts and find that all of your emails, contacts, photos, and other data have been erased. By the way, if you ever have a hard drive wiped as a result of an attack, take your computer to a place that specializes in hard drive recovery to try to recover some of your data. Only go to reputable places, like DriveSavers, and expect a price tag around $1,500 or more.

Once you have your accounts back and secured, you may be able to restore your contacts and any other data from backups. If you don’t have backups, let people know what you’ve lost (like their contact information or files you’ve shared), so they can help you start getting your life back on track.

Even if you never get attacked personally, a company you trust with sensitive data could be breached, leaving your information exposed. In that case, follow the steps I describe next.

When a Service Gets Hacked

In February 2014, I reported for ZDNet.com that Comcast had been breached and the company had ignored the attack. I warned that Comcast customers were at risk of losing their email accounts to identity theft, with potential financial repercussions. Unfortunately, Comcast never told its users that their sensitive account information might have been leaked.

A lot of Comcast users asked me what they should do. I gave a checklist of minimum requirements to be safe and suggestions for users who want to be very, very careful. This is a good checklist of what to change after a service you use has been compromised.

At the very least, you should change passwords for the following:

• All services and email accounts belonging to the breached business, especially ones tied to your main account

• Services or accounts that use the hacked account’s email address as the username. For instance, if Comcast is attacked and you use your <name>@comcast.net email address anywhere, change the passwords to those sites.

To be extra careful, change these, too:

• The master account’s username (eHow has tutorials for services such as Comcast.)

• Passwords to any connected billing systems and to services with the same password as the one you used for the compromised service

• The username of any account that uses the compromised email address as its username

I also suggested that victims of a breach log in to any billing accounts connected to the breached service (like an autopay bank account or a credit card) and, if possible, add an alert for unusual activity. If a data breach affects you, it’s a good idea to personally monitor your connected billing accounts frequently for unusual activity. Even if you’re not a victim, make sure your autopay account has some kind of safeguard against fraudulent activity, just in case.

And if you’re ever the victim of a company’s data breach, fill out the claim form on the Federal Trade Commission (FTC) website so you have something official in hand should your accounts be used for criminal activity. (Visit http://ftccomplaintassistant.gov/ and click Identity Theft.) If enough claim forms are submitted, the compromised company may be held accountable through class-action lawsuits, which you may want to join. Many companies have also begun to offer free credit monitoring to affected customers.

When a service that you trusted with your financial information experiences a data breach, watch your financial accounts closely. If you notice suspicious behavior, take action immediately. Learn more about this in the next section.

IF YOUR FINANCIAL INFORMATION MAY HAVE BEEN EXPOSED IN A DATA BREACH

If you suspect that your bank information, credit cards, PayPal account, or any other financial apps or services may have been compromised by a data breach, contact your bank and credit card companies about your accounts right away. Change your passwords for any at-risk accounts and ask the companies to monitor your accounts for fraud.

If a company won’t put a watch on your account (I’ve had customer service people at credit card companies say they don’t), be sure to write down the time, date, and person you talked to when you tried to alert the company about suspicious activity. Then, monitor your accounts for unauthorized transactions. The FTC recommends that you close any credit card accounts that you know have been compromised.

If you close a checking account, keep in mind that checks you’ve written may be returned, and recent transactions may bounce. If you use an automatic bill payment system or have set up debits from your bank account, update your account profile information to reflect your changes. Do the same for your PayPal account or similar online payment and banking accounts.

If you’re a US citizen and the information exposed includes your Social Security number, use the following information to contact the three major credit bureau companies and place a fraud alert on your report:

Equifax: 1.800.525.6285; http://equifax.com/; PO Box 740241, Atlanta, GA 30374-0241

Experian: 1.888.397.3742; http://experian.com/; PO Box 2002, Allen, TX 75013

TransUnion: 1.800.680.7289; http://transunion.com/; Fraud Victim Assistance Division, PO Box 6790, Fullerton, CA 92834-6790

With a fraud alert in place, banks and credit bureaus will know they should contact you to verify applications for new accounts because of a higher likelihood for fraud.

If information from your driver’s license, state ID, passport, employer or student ID, Social Security card, or any other government ID is stolen, replace the ID right away and tell the agency that issued it what happened. That way, the agency can prevent someone else from using your name to get a fake ID.

Now that you know which accounts you should definitely change if you get hacked, let’s revisit one that you don’t have to change but might want to anyway: your email address.

HOW TO CHANGE YOUR EMAIL ADDRESS

Once you’ve reset your password and taken all the steps I outline under “What to Do When You’ve Been Attacked” on page 36, you don’t need to dump your email provider, but you may want to if you think there are security issues or if it will make you feel better. Maybe your email provider handled the security breach badly. If they ignored the problem or only told you about it after you heard about it elsewhere, it’s time to move.

NOTE Many people say that it’s better and safer to have your own domain and host your own email. That’s fine if you know how, but most people don’t—and that’s okay. Having your email at, say, Gmail, where it’s Google’s job to keep you secure, is a million times better than trying to learn to manage it yourself.

To change your email address, take the following steps:

1. Pick a new email provider, and set up a new account.

2. Set up email forwarding at the old email address.

3. Set up an “I’ve moved” autoresponse at the old email address.

4. Import your old email, and transfer your address book, calendars, any linked documents, and so on.

5. Make a list of accounts to update, including banks, payment accounts, social media, mailing lists, and so on.

6. Email all your contacts with your new email address.

7. Shut down your old email after six months.

I’ll walk you through each step in this section, so let’s jump right in.

Choose a New Home

Which new email provider you choose will depend on what features you’d like the new service to have, whom you’ll trust more than the old guys, and what you want in the new address itself. For instance, a Google address will have @gmail.com after the name you pick, but Gmail will also let you make emails appear to come from a completely different email address, one that you specify (from a different account that you import or from an alias that you set up in Gmail).

Here are a few email providers to consider:

• Gmail

• Microsoft Outlook

• Yahoo! Mail

• iCloud

• Hushmail

• Zoho Mail

Whatever your needs, make sure you can access your new email service from anywhere, including any computer, your phone, and so on. Don’t be tempted to use an address you were given by a school, a workplace, an organization, or an Internet service provider (ISP). These services aren’t a long-term solution, and you definitely won’t be as safe from malicious hackers as you would be if you used email hosted by Microsoft Outlook or Gmail.

NOTE When setting up an email address, remember that bigger companies generally care more about their email security reputation than do smaller organizations and often have more battle-tested and up-to-date security.

When selecting an email provider, choose a major company that offers web-based email, and make sure it uses Secure Sockets Layer (SSL) to send email securely. SSL establishes an encrypted link between a web server and a browser, creating a secure connection. You can tell when a website uses SSL because the address bar (where the URL appears) will show https instead of http. If a service doesn’t use SSL, it’s not taking your security seriously at all.

That said, there are downsides to using free, browser-based email services. The main problem is that certain changes, like redesigns, can screw up your entire inbox or worse. For example, what if Google decides to rearrange your address book because it thinks it knows what you need better than you do? If you pay for an email service and have your own domain name, you can switch providers and still own your stuff if something goes wrong.

And now a word about email addresses: pick one that will stand the test of time! If you pick one with a date in it, or something silly, people may not take you seriously when you send email about something serious. (For example, if you send an email asking to have revenge porn removed from an address that tells the sender you’re sexkitten2009, you might not get the response you were looking for.)

Once you settle on a service and choose an address, it’s time to start using your new email.

Set Up Forwarding

When changing email providers, find out if your current email provider will allow your old address to forward mail to the new one. That way, you won’t have to keep logging in to your old account to check your mail. If your old provider doesn’t forward, don’t panic: just set a reminder to check your old email address every day for a week, then twice a week for a month, and then twice a month until your six-month transition is over.

Whether you forward your email or not, set up an autoresponder (also called a vacation responder or autoreply) at your old address. Just write a short message telling senders that your email has changed and what the new address is. Every time anyone emails you, they’ll get a reminder to update your email address. But be sure to email your contacts directly, too, to let them know that your email address has changed.

Move In

Next, transfer your address book to your new account, or you’ll have to start collecting friends’ email addresses all over again. You’ll usually find that you can easily migrate your old contacts and emails to your new email address. Look for tutorials online that are specific to your old email service and the one you’re moving to. Email services try to make it easy for you to move in and difficult for you to leave, so the one who wants your business usually has workarounds for the guy who won’t let you go. If your new service sets up email forwarding automatically, you don’t even need to worry about setting up forwarding at the old account.

No matter what, definitely copy (back up) all your emails and your address book from your old account, just in case something goes wonky when you move them. Each email provider has slightly different back-up or download steps, so search online for the ones specific to your situation.

Some email transitions are really easy: for example, Outlook lets you migrate everything over from Gmail with just a few clicks. Go to Settings and look at Accounts in both services. Go into your old email account, and look for the setting to establish forwarding and create autoresponses (such as vacation responses) to start sending mail to your new address. In your new email account, find where it lets you check mail from or add other accounts to start having your old account’s email routed to your new address.

Adding an account should import all of your old email into your new account, and you’ll start to get any new emails that come through. Once you’re happy with all your new email account settings, turn your attention to your other online accounts.

Update Your Accounts

Log in to each of your online accounts, from Facebook to your bank, and update your email address. This process will probably be the biggest chore of all, so be systematic: make a list and go through the accounts, one by one.

To help create your list, search your old email account for terms like “subscribe,” “account,” and “login.” If you use a password manager like 1Password, you actually have a list of sites already, tied to your passwords. (And don’t forget to update the information about your new email address in your password manager!)

Tell Everyone

Now use your new address to send an email to everyone in your address book, including friends, relatives, and business and school associates, telling them your new address. Say something like this:

Hi there. This is my new email address, and I’ll be using it from now on. Please update your address book. Thank you!

Send the message to yourself (again, with the new address) and bcc everyone else on your list. The bcc part is extremely important. If you don’t put everyone in the bcc field, all recipients (that’s everyone in your address book!) will see everyone else’s email addresses, and if anyone hits “reply to all,” they’ll email the other recipients, too. Most people think this is a huge invasion of privacy, and it will make almost everyone really mad at you.

Now enjoy your new email address. Hopefully it’s one with better service than the one you left. Leaving an old, outdated, or problematic service behind can help you feel safer and more in control, as well as give you the great feeling of moving on.

In the next chapter, I’ll explore more about why it can feel good to start fresh with a new service.
