STUPID – STUPID – STUPID!! (Said to self with a facepalm)
Chagrined doesn’t begin to do justice to my embarrassment. So I’ve decided to make lemonade out of the lemons I’ve been handed in this episode in life.
I had an account on Life Hacker, and my stupid password, the one I use for a hundred other websites, was hacked. Why? Because it wasn’t very tough. It was easy for me to remember, and I thought that with letters and numbers it would be tough for others to hack. Evidently I was wrong. I use different passwords for my bank and important financial accounts that aren’t used elsewhere. In addition, I have different passwords on LinkedIn and Twitter than on Facebook. So my damage was limited to Facebook and things that could be gotten to with Facebook. But it’s still a royal pain in the ass.
I thought that I had changed my Facebook password from that simple password to something more complex months ago. But I never checked after I read about the Gawker/Life Hacker incident. So now I’m paying for that, and I’ve got to change passwords all over the internet.
So I decided to share my journey with you to show you how you can recover from something like this.
First, how to detect the problem:
- I found out when one of my followers wrote on my wall.
- I don’t know that it’s likely you’ll find that out if someone doesn’t tell you. I don’t think most people check their Profile to see what messages they’ve been sending.
- Then I checked my wall postings by clicking on “PROFILE” in the top right of my Facebook page. There I found everything that I had posted, and I saw something like this:
The last 3 entries are the spam or phishing entries that the hackers inserted into my Facebook account. They wrote on my friends’ walls with short messages saying things like “www.now-christmas.com” followed by a random string of 4 letters.
- I’m rather disappointed that none of the dozens of people who received the earlier hacker messages from my account on December 20 or December 25 told me about it. It went undetected until December 28, when someone bothered to tell me.
- SO IF YOU HAVE A FACEBOOK FRIEND WHO SENDS YOU A MESSAGE LIKE THAT, TELL THEM TO CHANGE THEIR PASSWORD! If you don’t, then you’re just letting someone else get caught by the phishing hacker guys.
Fixing The Problem:
- First I changed my Facebook Password!
- Then I checked my Facebook settings to be sure that my email address hadn’t been changed. If the hacker changes the email for the account, they can simply hit “Forgot my Password” and it will send the password reset email to them! They could then have changed the password again and locked me out, which would have been catastrophic. (They hadn’t changed the email address or added any new ones.)
- Next I went to my profile and started removing the messages the Hackers had sent. Why? Because I don’t want anyone clicking on them, or sending them to their friends. I didn’t post new messages on each person’s profile because I’ve found in the past that it just confuses and upsets people. I’ve posted a message on my wall telling everyone about the hack and warning them not to click any of the links.
- I’ve run a few different virus scans of my computer. I use AVG to protect my main PC and Avast to protect my netbook. I think using two different programs is good: in case a virus defeats one of them, the other will likely detect it. In addition, whenever I’m worried I go to Trend Micro and use their free downloadable scanner as a third reference point. I’ve gotten bad viruses before which hid out despite my antivirus programs, so I like to triple check to be safe. If you think you’ve been compromised, I’d suggest that you do the same. The scans found nothing.
Changing Passwords:
- In recent years I’ve gotten lazy and not used separate passwords on every site. I’m going to change that, and I’m going back to using a password manager. I like RoboForm, which I’ve used for several years. Why do I like it so much? It works on a USB stick so I can take it with me (although it doesn’t work with a Mac). It stores a gabazillion passwords, all of them encrypted on the stick. It will generate random passwords easily and then store them for you as you create them on a new site. It’s the easiest, simplest way I’ve found to make different secure passwords for sites. (Full disclosure: I’ve recommended RoboForm for years and never gotten so much as a shirt for it. I have no connection to the company.)
- I’m in the process of changing passwords on all types of sites. How am I finding these sites? I’m using Twitter’s management of connected applications feature: go to your Twitter Account > click Settings > then click Connections. You’ll see a list of every application that you’ve signed into using Twitter. Now you can “Revoke Access”, which means that application can’t access your Twitter account any more. Or you can visit the application and change your password.
Unforeseen Problems:
- Sometimes you can’t change your password. I’ve signed up for numerous services in the past year or two without using a password; I’ve just signed up using Facebook Connect or Twitter’s OAuth feature. I went to several of these services today to change my password and found a bug on many of them: if you’ve never created a password on the site, you can’t change it. Since I signed up with Facebook or Twitter, I’ve never created a password. When you hit the change password button, you can’t leave the current password blank, and it won’t accept your Facebook or Twitter password because the site doesn’t know them; that’s how OAuth and Facebook Connect work (the site never receives your Facebook or Twitter password). So there’s a problem with many new sites’ implementations of user password management. I hope they get around to fixing that quickly.
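The bug described above is a change-password handler written with only one case in mind: an account that already has a password. Below is an added example, not code from the post or from any of the sites mentioned, that models the broken handler next to one that treats "no password set yet" as its own case. The `User` class, the `recently_reauthenticated` flag and the two handler functions are assumptions for illustration; the hashing uses PBKDF2 from the Python standard library.

```python
"""Added example (not from the post): why an account created through
Facebook Connect / Twitter OAuth can never change its password on a site
that assumes every account already has one, and a handler that fixes it.
All names here (User, change_password_buggy, set_or_change_password,
recently_reauthenticated) are assumptions for illustration."""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    salt, dk = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, dk)


@dataclass
class User:
    email: str
    # None means the account was created via an external identity provider
    # and the site has never held a password for it (the OAuth case).
    password_hash: Optional[bytes] = None
    linked_providers: list = field(default_factory=list)
    # Set by the login flow after a fresh OAuth round-trip. The site never
    # learns the provider password, only that the provider vouched for the user.
    recently_reauthenticated: bool = False


def change_password_buggy(user: User, current: str, new: str) -> str:
    """The behaviour the post describes: a blank current password is
    rejected, and a non-blank one can never match because there is nothing
    to match against, so an OAuth-only user is stuck."""
    if not current:
        return "error: current password required"
    if user.password_hash is None or not verify_password(current, user.password_hash):
        return "error: current password incorrect"
    user.password_hash = hash_password(new)
    return "ok"


def set_or_change_password(user: User, current: Optional[str], new: str) -> str:
    """Fixed handler: distinguishes 'set first password' from 'change'."""
    if len(new) < 12:
        return "error: new password too short"
    if user.password_hash is None:
        # First password for an OAuth-created account. Proof of possession
        # comes from a fresh round-trip with the identity provider (or an
        # emailed link), not from a password the site never had.
        if not user.recently_reauthenticated:
            return "error: re-authenticate with your linked provider first"
        user.password_hash = hash_password(new)
        return "ok: password set"
    # Normal case: the account already has a password, so demand it.
    if not current or not verify_password(current, user.password_hash):
        return "error: current password incorrect"
    user.password_hash = hash_password(new)
    return "ok: password changed"
```

The design point is that "current password" is proof the requester owns the account; for an account the site has never held a password for, that proof has to come from somewhere else (a fresh identity-provider login or an emailed link), and the form should say so instead of demanding a value that cannot exist.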
How the Hackers Worked:
- Looking over the activity on my Facebook account, the hackers did a couple of sophisticated things I’m a little surprised at. The first people they sent the phishing messages to were people with birthdays at the time. I guess they figured others would see the birthday messages and maybe click on the links.
- They went next after my friends with the most friends on Facebook. So people I’m connected with who have thousands of friends of their own got messages next. Again I’m assuming they are looking for maximum exposure for their messages so they can get more clicks.
- They only sent a dozen messages each day. I’ve got 2415 friends on Facebook. I know how to send a message to each and every one of them, and I’ve done it a few times. I’m sure a hacker could have done it too. But instead they went after my friends with the most friends, or greatest exposure. Limiting their outreach allowed them to operate on my account undetected for 8 days. Much longer than I would
- They didn’t mess with pages or businesses. I have access and management authority for several Facebook pages for businesses that are clients. The hackers didn’t mess with anything on any of these pages. I’ve checked the code (FBML) and the lists of managers, etc., and found nothing amiss. So it appears they felt that would expose them too much, too quickly.
- It appears they were mainly targeting consumers with phishing scams. The links led to pages that appeared to be copies of Google pages. The pages don’t immediately ask for a Google login or anything else, so they may be defunct now, or it may be more nefarious. If you know, please let me know.
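The pattern described in this section, a dozen link posts a day to other people’s walls, is exactly what a simple "too many posts per day" alarm misses, and what a rule keyed on a never-before-seen link domain going to many distinct friends catches on day one. The following is an added example, not code from the post or from Facebook: two such rules run over a constructed post log. The log entries, friend names, dates and the link domain are all constructed for the example (the `.invalid` top-level domain guarantees nothing in it resolves); the function names are assumptions.

```python
"""Added example (not from the post): a daily-volume rule versus a
novel-link-domain rule, run over a constructed log of one account's posts.
Everything in SAMPLE_POSTS is constructed; the domain is a .invalid name."""
import re
from collections import defaultdict
from datetime import date

# Pull the host part out of bare or schemed links ("www.x.invalid/p", "https://x.invalid").
URL_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Constructed sample: a few ordinary posts over earlier weeks, then the
# campaign shape the post describes: twelve link posts per day to others' walls.
SAMPLE_POSTS = [
    {"day": date(2010, 11, 2), "target": "self", "text": "Great conference today"},
    {"day": date(2010, 11, 15), "target": "friend_01", "text": "Happy birthday!"},
    {"day": date(2010, 12, 1), "target": "self",
     "text": "New post: www.chris-blog.invalid/password-managers"},
]
for _day in (date(2010, 12, 20), date(2010, 12, 25), date(2010, 12, 28)):
    for _i in range(12):
        SAMPLE_POSTS.append({"day": _day, "target": f"friend_{100 + _i}",
                             "text": "www.example-holiday.invalid qzxw"})


def link_domains(text: str) -> set:
    """Lower-cased set of link domains mentioned in one post."""
    return {m.lower() for m in URL_RE.findall(text)}


def volume_alerts(posts, max_per_day: int = 50) -> list:
    """Naive rule: alert on any day with more than max_per_day posts."""
    per_day = defaultdict(int)
    for p in posts:
        per_day[p["day"]] += 1
    return sorted(d for d, n in per_day.items() if n > max_per_day)


def novel_domain_alerts(posts, baseline_before: date, min_distinct_targets: int = 5) -> list:
    """Learn which domains the account linked to before the cutoff; after it,
    alert for each (day, domain) where a never-before-seen domain was posted to
    at least min_distinct_targets different friends' walls.
    Returns (day, domain, number_of_distinct_targets) tuples."""
    known = set()
    for p in posts:
        if p["day"] < baseline_before:
            known |= link_domains(p["text"])
    hits = defaultdict(set)  # (day, domain) -> set of wall owners
    for p in posts:
        if p["day"] < baseline_before or p["target"] == "self":
            continue
        for dom in link_domains(p["text"]) - known:
            hits[(p["day"], dom)].add(p["target"])
    return sorted((d, dom, len(t)) for (d, dom), t in hits.items()
                  if len(t) >= min_distinct_targets)


if __name__ == "__main__":
    print("volume alerts:", volume_alerts(SAMPLE_POSTS))
    for day, dom, n in novel_domain_alerts(SAMPLE_POSTS, date(2010, 12, 15)):
        print(f"{day}: new domain {dom} posted to {n} friends' walls")
```

The volume rule never fires on this log because no day exceeds fifty posts, which is the point the post makes about pacing. The second rule needs a baseline (what this account normally links to) and a fan-out threshold, and both are tunable; the choice of five distinct recipients is a constructed value, not a recommendation.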
Now give me 1 Good Reason why you shouldn’t change your passwords today…
7 responses so far
1 Daria Steigman // Jan 3, 2011 at 5:03 pm
Hi Chris,
This sounds like quite the Pain in the #&$^#*!#. After the Gawker incident, even though it didn’t affect me, I went in and changed several passwords. Wasn’t sure about Facebook, so I just did that now. Thanks for the cautionary tale!
Here’s hoping 2011 is phish-free!
2 Pat Ferdinandi // Jan 6, 2011 at 4:25 pm
Have you heard of StickyPassword.com? I’m thinking of using this software.
3 Chris Kieff // Jan 6, 2011 at 4:41 pm
No, I’m quite happy with Roboform- it’s been with me for a decade.
4 Vasef // Jan 6, 2011 at 11:56 pm
Hi Chris, very informative post there, thank you for sharing this information. I experienced a similar phishing incident with my Gmail account but am not too sure if it was hacked. Around 20 phishing email messages were sent to my contacts which included a link and a sales offer message. Although luckily a contact of mine replied instantly that he received a phishing message. I immediately changed my password, but I’m still getting delivery status failure notifications for 2 days (it happened on Wed 5th Jan). What else can I do to get better security? Any suggestions?
5 Chris Kieff // Jan 7, 2011 at 7:19 am
I would suggest you check your sent folder to see if phishing messages are still going out. Otherwise I’d google the question and follow advice you find that way.
Thank you for your comment.
Chris
6 dean collins // Jan 22, 2011 at 10:32 am
Re: being happy with Roboform… lol, but if you were happy you would have been using it, lol.
7 A Live Conversation With a Thief // Feb 1, 2011 at 12:56 pm
[...] At this point the scammer/thief dropped off line. My friend called me a few minutes later and said they had been contacted by others as well. They’ve started the recovery process, which I’ve been through and I documented here. [...]