For those of you who are wondering, I am not in London, I was not mugged, and I don't want you to wire me money.
Both my Facebook and Yahoo accounts were hacked this morning, and I'm now intimately familiar with the anxiety of small-scale identity theft. I say “small-scale” because so far, the accounts have only been used to deliver the old London mugging scam. Fortunately, most of my contacts have had enough exposure to this sort of thing to know better.
About 10 a.m., I got a phone call from a friend who'd seen me a couple of days ago and knew I wasn't in London. Then another. And another. At one point, I had someone on my desk phone, someone on my cell, and my second line flashing an incoming call.
(In the meantime, unbeknownst to me, a suspicious firend was having a Facebook chat with someone claiming to be me, spouting the same story. When he insisted the imposter call, the conversation ended. It's transcribed here.)
I assume e-mail was pouring in, too, but there was no way for me to know. My password had been changed. When I used the e-mail recovery function to wrest control, it was changed again within four minutes and the e-mail address associated with the recovery deleted. Great. Now the asshat had my work e-mail address.
Our CIO directed one of our IT consultants to do nothing for the next two hours but watch for anomalies and secure every corporate account I had access to, which turned out to be quite a few. Meanwhile, a panicked Twitter post paid off. Yahoo's director of Canadian PR called and promised to put me in touch with the company's concierge service. Ten minutes later, we were securing the account. (As of now, I haven't heard back from Facebook, but to say they're “looking into it.” I've locked the account since; I don't know how effective that's been.)
Cassie, my concierge, explained the spooky part that had been worrying me: how the scam artist changed the password a second time. Another e-mail account was associated to the Yahoo account, so when Yahoo sent an alert notfying me of the passward change, the scammer got it, too. Little security hole there for Yahoo — that notification should only go to the account selected for password recovery, since it has a link allowing a password change.
I am trying very, very hard to turn this into a learning experience rather than let the anger and frustration consume me. It's a teachable moment. What have I learned?
* I am an intelligent Internet user. I do not answer e-mail from people I don't know. I don't register for forums. I have minimized the information I give out on Facebook. Someone still got my password, whether by keylogger (possible) or by gleaning enough information from Facebook and other sources to make an educated guess at my password.
* Not so intelligent: Using the same password on multiple accounts.Especially since the password contained some personal information to make it easier to remember.
* You know how experts keep telling you not to write down your passwords? Don't listen. If you have six accounts and can remember all their passwords, they're not strong enough. Write 'em down, keep 'em in your wallet. And consider a password manager like LastPass or 1Password. There's the added bonus of evading keyloggers, as the application generates the password, not the keyboard.
* For individual account passwords, use a random password generator like Free Password Generator.
As for the asshat who tried to punk my friends, listen: If you're trying to con people, at least have the guts to do it in person. I'll be ready, and you'll be sorry.
