H4cked Off: Sumner's been hacked again

Computing's security expert's weekly blog

I’ve been hacked. Again. And this time everyone knows, because the hacker used my account to message everyone I know in an effort to extort money.

I used to play online fantasy nerdfest World of Warcraft (part of the recovery programme involves confessing to this wherever possible).

The first time I was hacked, the blackhats took control of the account, changed the password and drained it of everything of value (to the tune of roughly £250).

I managed to kick that habit, but evidently not tighten up my personal security procedures, for on Friday last week, a hacker managed to take over my Hotmail account. And my Gmail account. And Facebook.

There’s a lesson there, and it’s "don’t use the same password for everything, especially if your insecure free email service is also your login".

OK, so I’m not going to win any journalist awards for my "Hotmail not entirely secure" scoop, but it’s possible to reduce the risks to acceptable levels.

I don’t know how the hacker got hold of my password, but I can guess. The internet is replete with forums bursting with experts willing to offer advice on just about any subject.

And when I need advice, it’s often to those forums that I turn. I use (more accurately, used to use) my Hotmail account as username, and my actual Hotmail password for the password. So over the years, anything up to 100 administrators of various forums, from the large and official, to the one man in his bedroom, can easily gain access to my account.

I’m often "banging on about security", as my news editor tells me, so it’s embarrassing to have my highly deficient data protection habits exposed like this.

But hopefully I can serve as a warning to others, in much the same way as my life story, which I plan to publish under the title "Don’t do this". I first noticed something was awry when the phone calls started on Friday afternoon.

Was I really in a Spanish internet café "with tears in my eyes" having been mugged? Had I really been relieved of my wallet and mobile, but kindly left with sufficient change to email everyone I knew?

My Hotmail browser was still open, and I was able to watch the hacker at work. He sent out the mass spam (before kindly deleting my entire contacts list). I watched as the replies from my friends flooded back. They ranged from the disbelieving to the incredulous. Everyone could see I had been hacked. As if I’d ever admit to crying.

What followed was an odd game which I think might make for an interesting TV show, perhaps on cable. Both the hacker and I responded to the replies as fast as we could, both using my Hotmail account.

“Yes I really am stuck in Spain, send money!” “Ignore that, I’ve been hacked, that’s not me!” “No, ignore him, he’s the hacker, have you sent the money yet?” And it was happening in real-time on MSN Messenger: “Hi Craig, did you get my email?” “Craig ignore this, I’ve been hacked, block me.” “Don’t ignore it, I need the money for my flight home!”

It was scary, intrusive and violating. And in hindsight, sort of funny. I sent a message to the hacker, entitled "To the hacker", so there couldn’t be any doubt.

Resisting the impulse to spew out an arc of hot invective, I politely pointed out that my friends weren’t falling for it, so could I please have my account back? The message went into the deleted folder, unread. He didn’t have to bother deleting it, he was making a point. Since I still had access to Hotmail (which is a security flaw in itself), I was able to conduct a damage limitation exercise. I exhaustively swapped my membership of every internet service over to another email address, starting with those with access to my credit card, like PayPal, eBay and Amazon.

Odd that the hacker locked me out of Facebook, but not anything that could offer him a direct pecuniary advantage. My compromised Hotmail account started filling up with advisories, which I quickly deleted so the hacker couldn’t use them to block my efforts.

Obviously I also changed all my passwords. I now have everything back except Hotmail. Interestingly, Facebook showed me a map of where my account was accessed from, as it suspected it wasn’t me.

It was somewhere near Ontario, Canada. Then Gmail gave me the IP address used to access the account in the hours I was frozen out. One quick traceroute later, and I had the details of a Canadian ISP. I have since emailed them about the incident, and am awaiting their response.

Of course the hacker could easily have used a proxy, but I get the impression he (or less likely, she) isn’t all that smart. For a start, he seemed more interested in blocking me out of Facebook than hacking something which could provide a more direct route to cash. One final impression I’m left with is that Gmail is better than Hotmail. I began the account reclamation procedures with both on Friday afternoon. I had my Gmail back the next day. I’m still waiting for a response from Hotmail.

Also, it’s a security flaw that the hacker was able to open a session with a new password, but my session with the old password wasn’t booted out. When I got my Gmail back, besides providing me with the suspicious IP address, it presented me with a handy button to close all other sessions. I’m grateful to Hotmail for not having a similar tool, as it enabled me to work quickly to save myself a few headaches. But if and when I finally get the account back, it’s going to be effectively useless without a similar feature.
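For readers who build login systems, here is an added sketch (not code from the column, Hotmail or Gmail) of the two features described above: a password change that kills every session minted under the old password, and a "close all other sessions" button. The trick is to stamp each session with a per-account password generation counter and bump the counter on every change. Account names, IP addresses and passwords in the demo are constructed.

```python
"""Added example: sessions bound to a password generation, so that
a password change (by owner or intruder) evicts every session that
was opened under the old password, plus a Gmail-style sign-out-everywhere.
All identifiers here are illustrative, not any real provider's API."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # work factor for the stored password hash


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # incremented on every password change


@dataclass
class Session:
    token: str
    username: str
    pw_generation: int  # generation the session was minted under
    ip: str


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def create_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt))

    def login(self, username: str, password: str, ip: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, acct.pw_generation, ip)
        return token

    def session_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        # A session minted under an older password generation is dead:
        # this is the check the column says Hotmail was missing.
        if s.pw_generation != self.accounts[s.username].pw_generation:
            del self.sessions[token]
            return False
        return True

    def change_password(self, token: str, old_password: str, new_password: str) -> bool:
        # Require a live session AND the current password, so a hijacked
        # browser tab alone is not enough to lock the real owner out.
        if not self.session_valid(token):
            return False
        acct = self.accounts[self.sessions[token].username]
        if not hmac.compare_digest(_hash(old_password, acct.salt), acct.pw_hash):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.pw_generation += 1  # every other session is now invalid
        self.sessions[token].pw_generation = acct.pw_generation  # keep the changer logged in
        return True

    def sign_out_everywhere(self, token: str) -> int:
        """The 'close all other sessions' button. Returns how many were closed."""
        if not self.session_valid(token):
            return 0
        me = self.sessions[token]
        others = [t for t, s in self.sessions.items() if s.username == me.username and t != token]
        for t in others:
            del self.sessions[t]
        return len(others)

    def active_sessions(self, username: str) -> List[Tuple[str, str]]:
        """(token, ip) for every still-valid session: what to show the owner."""
        return [(s.token, s.ip) for s in list(self.sessions.values())
                if s.username == username and self.session_valid(s.token)]


def demo() -> dict:
    """Owner and intruder both hold sessions; owner resets the password."""
    store = AuthStore()
    store.create_account("stuart", "reused-forum-password")  # constructed
    owner = store.login("stuart", "reused-forum-password", "198.51.100.7")
    intruder = store.login("stuart", "reused-forum-password", "203.0.113.9")
    store.change_password(owner, "reused-forum-password", "long unique passphrase")
    return {
        "owner_alive": store.session_valid(owner),
        "intruder_alive": store.session_valid(intruder),
        "remaining_ips": [ip for _, ip in store.active_sessions("stuart")],
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter costs one integer per account and one comparison per request, and it works the other way round too: had the intruder changed the password first, the owner's stale tab would have been logged out, which is the behaviour the column calls a flaw when absent. Showing the owner the IP of each live session (as Gmail did) falls out of the same session table.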

One final thing. Does anyone know any good tricks you can do with a hacker’s IP address?

Stuart Sumner

Senior Reporter and security expert