A Lesson Too Late

It always happens to somebody else.  It's important, but we're always so busy.  I'm not a big target.  Whatever the excuse, there is always a reason that we can justify being lax on our security.  Well, these excuses had gotten the better of me for much too long, and it finally happened.  I got hacked.  The first indication was several "Delivery Status Notification" emails, and then several emails from concerned friends.  Luckily, I had my iPhone with me at the time, and when it started buzzing heavily, it got my attention and I went and looked into it.  When I got into gmail, I immediately went to the "Last Account Activity" and found an IP address from Tennessee had been logged into my account about 7 minutes ago, right about when the rejected emails started.  I immediately tried to change my password, but was unable to do so, as the password had been changed.  Fortunately, I had setup my phone as a recovery device for Gmail.  First lesson and thing that I would like to share with everyone: Make sure to setup the recovery methods for your email account.  Had I not had this, I may have been completely out of luck, or at the very least would've been severely inconvenienced in getting this resolved.

One benefit of being hacked, if you have to find one, is that it's a good way to clean out your address book of addresses that are no longer functional.  So I spent the evening going through each of the notification messages and removing the old addresses from my address book.  I also sent a mass email (using BCC, so that I didn't unwittingly share the email addresses of all my contacts with each of them) notifying them that I had been hacked and to not click on anything which had been sent recently.  Another benefit, if we're trying to be positive, is that I was able to reconnect with several people with whom I had not corresponded for a long time due to their responses.  I figured that this was about as far as it would go, but to be safe I went and changed the passwords to most of my web services that I use and went to bed.

After a day of work, I came home anticipating an evening of relaxing with the kids.  I sat down and checked my mail on my iPhone.  I tried to send my dad a quick note, and began getting messages telling me that I could not send mail.  I immediately went to my wife's desktop and tried to login through the browser.  No luck.  It had happened again.  I immediately did the same thing I had done yesterday and got the passwords all reset.  Two times in two days, though; something had to be done.  One of my friends, whose opinion I respect very much, had mentioned in his email letting me know I'd been hacked that he had previously setup 2 factor authentication for his Google account.  I had heard of this, but had always thought that this would be more of an inconvenience than any benefit that it would provide.  After 2 days of trying to put things back together, lesson two: Setup the two-factor authentication!  The basic concept, and this is going to severely simplify, is to login you need something that you know (your password), and something that you have (your phone).  This is similar to the VPN setup that many of you may have for work, with the RSA tokens.  I will admit, there is some pain with this method, as apparently there are many devices and applications which do not currently support the two factor authentication properly, but it's worth it for the piece of mind.  For each of the other applications, you can go in and generate a very difficult password for that application, and then enter it in once, and you again have access.

The last step that I learned is that you need to go through all your settings after an intrusion to make sure that no back doors have been left open.  Things to check are email forwarding, filters, other authorized websites and applications.  While you're in there, set your mail to always go through https.  It's a simple switch, and from my perspective, has almost no downside, but many benefits.  Google actually has a checklist that is pretty nice which goes through most of the steps that I have outlined here.

I would just like to urge each of you to take a few minutes now and setup some of these very basic security protections to prevent more serious issues later on.  It's a horrible feeling when you know somebody has access to all your friends and everything you've ever written or received in email.  Protect it!