The Big Personal Hack That Almost Happened

SECURITY PERSPECTIVE: Fortunately I happened to be at my computer when somebody tried to take over my social media accounts, and I caught them in the act. But the story doesn’t end there.

Personal.hacks

The story really starts the day before somebody attempted to gain access to my social media accounts. I got pinged in an email from a credit-card issuer with the dreaded “Fraud Alert” subject line. I was already at my desk, so it took only seconds to look at the email and confirm that it appeared to be genuine. Then, instead of calling the phone number in the email, I called the customer service number on the back of the card itself.

I’d already looked up the name that appeared on the merchant account of whoever was doing the charging, and the site looked as if it was an attempt to obfuscate the actual company. One sure indication was a statement that the merchant name might not be the same one as from whomever I bought whatever it was. It was made easier because I hadn’t actually charged anything to that card in months, so I knew that any charge was fraudulent.

But what was interesting about the initial charge that triggered the fraud alert is that it was for $1.00. Then, while I was on the phone with the credit card company, another charge for much more money showed up on my account. I told the customer service agent that both charges were phony. Both charges were listed as fraudulent and removed from my account.

Charges of $0.00 Are Red Flags

Then, as I was about to end the call, the agent said that I should wait while she checked my account further. A few minutes later, she said that she’d found a series of 231 charges in January for $0.00. They hadn’t triggered alerts because they weren’t for any money, but they were apparently attempts to confirm whether my account was alive, which it was. The agent then flagged those charges as fraud and told me she was sending me a new card.

Then the next day I got a verification code from LinkedIn to confirm my password change. Thing is, I hadn’t changed my password, so the password change was an apparent attempt to get into my LinkedIn account. Apparently the person, who LinkedIn said was in Lagos, Nigeria, had recovered an old password from that site’s earlier breach and was trying to get in. But I had changed my password when I found out about the breach. Now, I changed it again and turned on multifactor authentication.

While I was at it, I went in and forcibly logged out all open sessions on LinkedIn, which would require that anyone trying to regain entry would have to log in with the new password. While I was at it, I removed all of the alternate email addresses maintained by LinkedIn.

Stronger Passwords, Changes in All Accounts

Forewarned, I then went to Facebook and Twitter and made sure I changed to new, stronger passwords, made sure two-factor authentication was turned on and made sure that all sessions were forcibly logged out. Then with Facebook, I disabled access to all of the various apps and services that were listed, including dormant apps from Windows Phone and BlackBerry. Shortly after I finished, I started getting verification alerts showing that someone was trying to break into my Facebook account, but that one was already secured by a unique, long and impossible-to-remember password.

After that, I placed a fraud alert with the three major credit bureaus and placed fraud alerts on all of my credit cards. Then I changed passwords on my shopping sites. I also changed the password on my password manager, just in case.

What I’ve done appears to be working. I haven’t seen any indication of successful penetration to any of the accounts I’ve changed, but I’ve turned on notifications so that any changes will alert me, and where possible, I’ve turned on two-factor authentication. My guess is that the Nigerian prince of legend will go find someone else who is an easier target.

I also took a few minutes to see which of my email addresses and which of my passwords might have been compromised by going to the Have I Been Pwned? website. The only passwords exposed were old ones that I no longer use but which had been used, in one case, on LinkedIn.

What Was Learned From the Experience

Here’s what I’ve learned from the attempted hack of my various online accounts:

  • If you get a fraud alert, pay attention, but that doesn’t mean you should click on the links in the email. Phishing emails are frequently disguised as fraud alerts.
  • Set up notification of any time your information is leaked in a breach. You can do this on Have I Been Pwned? or on other websites.
  • While you’re there, see which of your email addresses have been compromised and which of your passwords have been revealed.
  • If you get a notification of something like a password change (or even an attempt), then use that as a reason to change your passwords to something unique and different.
  • While you’re at it, take a look at your bank and credit card accounts. Seemingly minor things like charges or deposits for $0.00 are likely significant because they confirm your account information.
  • Look for other indications that something is amiss, such as bounced emails that you didn’t send. Any of these can mean that someone is trying to take over one or more of your accounts.
  • Use a password manager and multifactor authentication.

Make no mistake, I didn’t get hacked because I was lucky, but rather because I was prepared. I knew what to do, I had the phone numbers I needed handy, and I took action immediately, beating the bad guys to the punch. But it could easily have been the other way, especially if I’d been out of touch because of travel or vacation. The best thing anyone can do is to make sure that they’re prepared well before anything happens.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...