Something a bit different this week: I’ll be writing about the unexpected - and unpleasant - experience of getting hacked last month[1], what happened, how it felt and how I got my accounts back. Have no fear, we’ll be back to more normal topics next week.
Sadly[2] this hacking wasn’t due to the Chinese, or anything exciting like that, just a hacker who wanted to extort money from me using a compromised password. So if you read no more of the post than this, make sure your passwords are up to date, strong and not compromised - because believe me, you don’t want to take chances.
It began one Tuesday afternoon. I briefly checked my personal email to see several emails from Facebook saying that an unfamiliar person had logged in and changed my password - and to click on a particular link to notify them if it wasn’t me. I was at work at the time, so I only had time to quickly do that. Facebook locked the account and that - for the time being - was that.
On my way home, I saw the same thing happening to LinkedIn. This time I was on it more quickly and was able to notify them, get in myself and change the password. I got a few more emails for sites I don’t use - TikTok, Tinder, a couple of others - that suggested the hacker was trying out a number of popular sites to see if I was on them. That evening I spent about two hours going through all the accounts that had the same - or similar - password to the one that had been compromised, changing it and, where possible, turning on two-factor authentication. I submitted a request to Facebook to get my account back and thought I’d come off lightly.
Unfortunately, I’d forgotten something fairly crucial. My email account had the same password as Facebook.
The next day, I started getting more messages from Facebook. It seemed my account had been restored but, waiting for this - and with access to my email account - the hacker had seized control again, changing the passwords and locking me out once more. Very soon after this, I got a notification that the account had been disabled for breach of conditions. After that, a notification that my email account had been compromised, and sending emails disabled (fortunately I could still receive and read them). When I tried to log in online the language had been changed to Russian!
Shortly after this, the most disturbing bit happened. I received an email, from the hacker - but sent as if it was from myself to myself - which claimed he had implanted a Trojan into my computer and had control over it. Unless I paid him $200 in bitcoin, he was threatening to delete files and reveal my personal information online. The email was cleverly worded to get under the skin and make you worry - clearly hoping people would pay up quickly to make them go away[3].
The one silver lining in all of this was that my phone seemed to be uncompromised. I was able to look up what was happening and found that this was a common scam: the most likely circumstance was that the hacker wasn’t actually in my computer, but just pretending to be. They’d compromised the email account, but no more. When I thought about it, that made sense. If they were really inside, presumably they could have already done more damage - and, when I reread the email, I realised there was nothing actually specific to me in it, and a few things that weren’t quite right. This was a huge relief; losing files would have been the biggest fear.
Using a secondary email account I got in touch with my email provider[4] who was able to get me back into the account and reset my password. I deleted the noxious email and tried to think no more about it - and went through again to double-check that this time I really had secured everything else I could think of. I crossed my fingers that he really hadn’t got into my computer and hoped for the best.
A couple of days passed - and it turned out I had indeed fended him off. I’d got everything back - with the exception of my Facebook account. That was to prove more problematic.
Although I tried to restore it, I seemed to be in a Catch-22 situation where I couldn’t reset my email address and password because the account had been disabled, and I couldn’t appeal against it being disabled because it was no longer associated with the email account. The help pages were complex and largely circular - there was no number to call or email address to email. I eventually submitted a help request using their (very hard to find) service; it claimed that I would hear back within 48 hours. 96 hours passed. Nothing. My wife also submitted a help message using her account. Still nothing.
A week passed. I had been looking online, and finding numerous horror stories about people who never got their accounts back. And after 28 days it said it might be deleted. I realised how much I had on there, unbacked up - chiefly memories of the children. Sure, I could have opened a new one - and in the grand scheme of things, this is very much a first world problem - but I still didn’t want to lose it.
At this point I got lucky. I know an ex-colleague who used to work as a SpAd for DCMS, and therefore knew people in Facebook. He introduced me to someone in their public affairs team, who linked me up to someone who - after asking for copies of various pieces of ID - restored my account. I’m very grateful to them, and it feels churlish to be critical, but I can’t help thinking of all the people who aren’t fortunate enough to ‘know someone’ in this circumstance.
As it stands, I’m now back into all my accounts. I lost no money, and nothing worse than a bit of heart-ache and time. I now have two-factor security on everywhere, as well as better and more secure passwords.
Some Lessons
One of the ironies was that it was some of my oldest and most core accounts that had the password that had been compromised. More recently[5], I’ve become more security conscious and used stronger, and more varied passwords, but 10-15 years ago, I used the same one for most things. I’d clearly used it on some site somewhere, which had been compromised - and then the hacker tried their luck.
My other big mistake was not having two-factor authentication on my social media or email accounts. I had it on banks and similar - but always felt it was too much of a hassle for others. That was a big mistake: it can make a huge difference, so it’s worth turning it on for anything that matters.
I also got lucky in some areas. I don’t use Facebook to log in to anything else, so gaining access to it didn’t help the hacker much. It doesn’t have my bank card in it, either, so he couldn’t spend my money on adverts[6]. And my really important accounts - banks and the like - had different passwords.
I was very impressed by how rapidly the various sites (a) notified me that things were compromised and (b) shut down the account. I checked a lot of friends and only one person I know received any spam from me[7]. This was really quite impressive. And with the exception of Facebook, I was able to re-access and reactivate them pretty promptly. On the other hand, it’s not good that I was only able to get my Facebook account restored through back channels.
So what’s my advice? The usual really. Be smarter about passwords; don’t use passwords for important things to sign up for other sites[8]. Don’t tell anyone your password. Change it now and again[9]. Definitely, definitely, turn on two-factor authentication[10].
And perhaps most importantly, if you do get hacked, don’t panic. Follow the steps to try to secure things and don’t get freaked out by any emails or messages from the hacker. They’re trying to scare you - that’s their business. They want you to make a mistake, or pay up - and at that point they have you. Provided you have access to some other means of using the internet (or a friend who does) you can find good advice on there as to what to do, and whether or not their claims are likely to be correct.
I’m pleased I came out of it relatively lightly. I know a lot of people aren’t so fortunate. So keep safe and protect yourself out there.
And finally
I’m pleased to say that the winner of the first quarterly paid subscribers poll on ‘What should I write about next quarter?’ was:
How elite benevolence hurts the middle classes: A look at how policies developed by the elite are frequently targeted upon the most disadvantaged, in a way that harms the middle classes and helps preserve elite dominance.
So I’ll be writing a ‘long read’ on that this quarter - probably in May.
If you want the opportunity to vote on what I should do a ‘long read’ on each quarter, you can do so if you upgrade to a paid subscription. And if you want to nominate topics for the poll, you can become a ‘founding member’.
Please only do so if you really want to and can comfortably afford it - being a reader is the most important thing, so please don’t feel any pressure to do so. But this is my way of saying ‘thank you’ to paid subscribers, given that all posts are free to read.
[1] Not this substack account. Other accounts.
[2] Well, fortunately, really.
[3] Of course, anyone who does pay up is immediately flagged as a good target and will be repeatedly targeted again.
[4] I’ve never been gladder to use my university’s alumnus mail, which has an excellent and very responsive human help service.
[5] Even before the hacking.
[6] He tried.
[7] If you did, then apologies - it wasn’t me!
[8] Yes, I know all the official advice says to use a different password for everything and not to write any of them down - but with several dozen sites I’m not even sure how you’d manage this. I’ve now got several tiers; enough that if one site gets compromised others won’t (e.g. different ones on different email addresses and social media sites), the really important ones, and then a couple I used on casual sites - retailers and the like.
[9] Not sure how often, but I won’t be leaving mine over a decade again.
[10] I’ve been told that using an authenticator app is better than a mobile.
Yes, "use a different password everywhere" is one of the common pieces of advice. I don't see how that's possible unless you also follow the common advice "use a secure password manager" - where the idea is you just memorise one very strong password and let the app generate meaningless different passwords for everything. I know some people who speak very highly of LastPass. I could never be bothered with that, but the Google password manager is integrated with Chrome and Android and very easy to use. So like you, I have some old insecure passwords I use on sites I signed up for long ago, although I have checked nothing important is on any of those. I have a few memorised very secure passwords for banks and my Google account, which also all have 2FA. And everything else is random generated gibberish I don't remember and don't need to because I never need to type it myself, just let my browser or phone auto fill it.
Often a good starting point for most is to secure your email account with a unique good password and ideally multi-factor authentication. As you found, if they can get into your email (which is made more likely when it’s the same password as something else) then it makes sorting out other things much harder.
NCSC have some good guidance - https://www.ncsc.gov.uk/section/information-for/individuals-families