It has been a long, strange morning. A hacker stole my accounts and purported to be me, asking everyone in my contact list to send him money since he had been mugged in the UK and couldn’t get home. I was able to regain control of most of my accounts, although one e-mail account and my Facebook account were deleted in the process. ALL MY CONTACT LISTS WERE ALSO DELETED. So, I had no way to know who most of the attempted victims of the scam were.
Anyway, I apparently broke too many security rules and left myself open for attack. Some things I learned:
- Take advantage of the contact export features of your e-mail provider to make regular backups!
- Pick a different password for EVERY site you use. I suspect the attacker gained access to one system and used the availability of my e-mail address and password to hop into other accounts.
- Use Gmail: by proving my true ID through knowledge of my account usage, Google made it relatively painless to get my account back. They also allowed me to see an export of recent activity and KILL all sessions besides the one I was in. This ensured that the user who no longer had a valid password could no longer access the system. Yahoo, on the other hand, was difficult to navigate, and though I filled out a form, nothing happened. The e-mail account I lost completely was a Yahoo account.
I knew better, but let my guard down. Don’t be me!