Internet Identity Theft
November 4, 2005 3:39 PM

How do you deal with your Internet identity being compromised? What do you do if someone has changed the passwords to every account you own?

My gmail account has been compromised, the specifics of how I'm not concerned with at the moment. I know this because when I woke up this morning and checked my email, I saw password change verification emails for EVERYTHING. PayPal, dozens of forums, Passport, Gmail itself.

I hurriedly changed my Passport password. Scarily enough, I was able to enter a new password without having to enter the answer to my secret question! I just had to click on the link in my email that the attackers had previously used. Talk about "security". Speaking of a lack of security, I now realised that I could still access my Gmail account despite the password, secret answer and secondary emails all being changed. Thank god for that cookie, although it worries me if I ever log into my account from another computer. I have alerted Google to this. (I have also asked them to change my password ASAP.)

I got in contact with moderators at many of the forums I frequent. My account has been banned upon my request pending "investigation" (I asked for this so the attackers could not pose as myself.)

Several gigabytes of hosted materials have also been deleted from my webhost, but I backed it up just a few days ago -- thank god. Hopefully that will be recovered soon.

I am asking of fellow mefites, what else should I do? Who should I contact? This is infuriating, real damage has been done. He has sent shocking emails to a girl I like quite dearly, he has compromised my PayPal account, he has deleted incredibly valuable data. This is in Australia, although any general recommendations would be more than greatly appreciated.
posted by PuGZ to Computers & Internet (20 answers total)
 
How could this happen? Did you use the same password on every single account?
posted by ryanrs at 3:45 PM on November 4, 2005


I would file a report with the police. Not so much in the expectation that they would solve the crime, but as a way to record what happened.

Similar to filing a hit-and-run report with the police to give the info to your insurance agency, a government record of your electronic assault could be invaluable.

Lastly, you should be concerned with how they got your password in the first place. If they did it once, they can do it again.
posted by Argyle at 3:47 PM on November 4, 2005


No, but he signed up with the same email
posted by maledictory at 3:48 PM on November 4, 2005


Response by poster: Not at all. I have a different password at every website I go to (usually 8 - 12 characters, alphanumeric) but when I signed up for gmail it was a 6-character password. Somehow they got a hold of this and have been using the 'I lost my password' feature on every website they know.

I know this because they have been too lazy to even archive the emails with new passwords, let alone delete them.
posted by PuGZ at 3:48 PM on November 4, 2005


Checking the server logs of your Web host for the date/time when this happened might be a place to start. Get the IP addresses and contact those ISPs with the information about what has happened. If the girl you like can print out those emails with the headers attached, there might be some valuable information there, too.

I'd almost suggest letting the mods of your forums unban you in the hopes that your hacker can go ahead and post as you, thereby revealing his IP, but you might not want to do that (and it might be too late anyway, since word has probably gotten out that you're onto them).

And yes, contact the police, see what they have to say about cyber-crime/identity theft in your area. The addition of Paypal to this mix, with your financial info being compromised, makes it very serious indeed.

More techie posters than I will surely have lots more great advice. Good luck to you, and of course be very careful in the future.
posted by Gator at 3:49 PM on November 4, 2005


Response by poster: Checking the server logs of your Web host for the date/time when this happened might be a place to start. Get the IP addresses and contact those ISPs with the information about what has happened.

I will do this, thanks for the suggestion. What could an ISP possibly do in a case like this? Can they take them off the air for a few days until I have recovered all my accounts?
posted by PuGZ at 3:56 PM on November 4, 2005


How much money do you want to spend on this?

The police will probably not do anything. However, if you hire a lawyer, you can have your lawyer subpoena records from Google, PayPal, and so on and force them to look up, and hand over, the IP address of the attacker. They won't have a choice. They almost certainly will keep those IPs on file.

Hopefully some companies might be able to give you the IP if you just ask nicely.

Once you have that IP address, you can subpoena their ISP, and get their subscriber information, and then you can sue the subscriber. You'll probably know who they are. Whoever it was obviously knew you, and knew that you liked the girl.

This whole process might take months, and cost thousands of dollars. But if you want to get 'revenge' it's the way to go. This is what the RIAA does to get back at people. It's possible that the person used an anonymous proxy, but someone childish enough to do this sort of thing probably isn't taking enough precautions.
posted by delmoi at 3:59 PM on November 4, 2005


Checking the server logs of your Web host for the date/time when this happened might be a place to start. Get the IP addresses and contact those ISPs with the information about what has happened. If the girl you like can print out those emails with the headers attached, there might be some valuable information there, too.

That won't do any good, as the emails were probably sent from google itself.
posted by delmoi at 4:01 PM on November 4, 2005


Also, I think you should realize that this bastard might not even reside in your country. If they live in Russia, etc, it will be all but impossible to do anything to them.
posted by meta87 at 4:11 PM on November 4, 2005


delmoi, mightn't there be an X-Originating-IP in those headers? I don't have Gmail so I don't know if it works differently there.

I believe PuGZ is a high school student, so he probably doesn't have the resources to really fight this tooth and nail on his own with lawyers, though.

My thought was to contact the ISPs directly with the IP address of the offender, gleaned from the server logs and possibly the emails, which might be a way for the ISP to trace the account of the person who dunnit. They might not be able to do anything more serious than canceling the person's Internet account, though.

Googling for "'identity theft' australia" brings up this page and this, among many others, most of which advise contacting the police right away, and documenting everything thoroughly.
posted by Gator at 4:15 PM on November 4, 2005


delmoi, et al- Conceivably, based on the "Message-Id" header, you could be able to trace an email to the process that originated it. Or, I'm sure their db logs every password reset request- you just look for the originating IP of any requests in roughly that range.

Convincing them to actually DO it, though, that's where an official police report comes in handy.
posted by mkultra at 4:34 PM on November 4, 2005
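
The header check discussed in the two answers above (X-Originating-IP, Message-Id, and the relay chain), as an added example that is not part of any poster's comment: it reads one saved message and returns the fields worth attaching to a police or provider report. The sample message, host names and addresses are constructed, and whether a given mail provider adds X-Originating-IP at all is not assumed.

```python
import email
import ipaddress
import re

# Constructed sample message; addresses are documentation ranges, not from the thread.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id abc123; Fri, 4 Nov 2005 09:02:11 +1100
Received: from webmail.example.net (localhost [127.0.0.1])
\tby mx.example.net with HTTP; Fri, 4 Nov 2005 09:02:10 +1100
X-Originating-IP: [203.0.113.45]
Message-ID: <20051104090210.4F2A@webmail.example.net>
From: someone@example.net
To: friend@example.org
Subject: constructed test message

body
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def routable_ips(text):
    """Return syntactically valid, non-loopback IPv4 addresses found in text."""
    found = []
    for candidate in IPV4.findall(text or ""):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # dotted digits that are not a valid address, e.g. 999.1.1.1
        if not ip.is_loopback:
            found.append(str(ip))
    return found


def trace_headers(raw):
    """Pull the identifying header fields out of one raw message."""
    msg = email.message_from_string(raw)
    # Each relay prepends its Received line, so reverse for sender-first order.
    # Hops below the first server you trust can be forged by the sender.
    hops = [routable_ips(h) for h in reversed(msg.get_all("Received", []))]
    return {
        "originating_ip": routable_ips(msg.get("X-Originating-IP")),
        "message_id": (msg.get("Message-ID") or "").strip(),
        "received_hops": hops,
    }


if __name__ == "__main__":
    print(trace_headers(SAMPLE))
```

Run it on the full raw source of the message ("show original" or the saved .eml), since a printout of the rendered email usually omits these headers.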


Also, I think you should realize that this bastard might not even reside in your country. If they live in Russia, etc, it will be all but impossible to do anything to them.

Yes, but 2-to-1 the thief is someone PuGZ knows - it's not someone who does this regularly, as s/he has left a trail very long, and has mostly done malicious things, rather than financially beneficial things. On the less-techy side, I'd think very carefully about who amongst your acquaintances has the means/motive to get your gmail account password. I know, for example, that a few of the hooligans in my computer lab in high school would just wait till someone accidentally auto-logged into a website, then would take advantage of that fact for malicious purposes.
posted by muddgirl at 4:38 PM on November 4, 2005


I agree with muddgirl; there's a good chance that the perpetrator is someone you know. I haven't tested how Google handles logins, but if the password change were made on your own computer, that would explain how your cookie could remain valid afterward. Think carefully about who could have had unsupervised access to your computer. Then ask yourself which of those people might have a problem with you (or with this girl--maybe the point was to hurt her and you were just the convenient opportunity to do it??).

If your computer doesn't already have a strong master password and/or strong user password, do that too. Even if this particular attacker does turn out to be remote, this is a scary reminder of how much destruction can be wreaked by someone with physical access. Yikes.

Considering the PayPal account has been compromised, any linked bank accounts may also be vulnerable. And what if he's also recovered passwords to sites where your credit card # is on file? Or to your bank's site? Honestly, if it were me, I'd close all those accounts immediately, file an identity fraud alert with credit bureaus, and report to the police. In that order. Starting over with new bank/credit accounts is a nuisance, but nothing compared to what this creep would be able to do to mess up your life if he gains access to an open account.
posted by nakedcodemonkey at 5:11 PM on November 4, 2005


This is in Australia

Just checking, do you mean that you are in Australia or that you have determined that the attacker is in Australia?
posted by winston at 6:28 PM on November 4, 2005


You'd obviously want to track yourself back to moments where perhaps your information was compromised (e.g. you might have told someone or made it easy for them to guess a password and/or log-in name). In finding the source, for example, you might save a lot of time and effort. Good luck, mate.
posted by sjvilla79 at 7:56 PM on November 4, 2005


Response by poster: I have discovered, with the help of a forum administrator, that this is indeed someone I know. In fact, it is a person who goes to my old high school (and to answer your question, yes, I am a high school student.)

Unfortunately, things have taken a turn for the worse. I came home from work an hour ago to discover that my entire Gmail account has been wiped clean; emails, labels, address book. The lot.

I am, understandably, furious about this. I shall go to the police, but what can I tell them now? My records of all this were in that inbox and are now gone. I truly hope that Google is as "evil" as everyone is making them out to be and has copies of all my emails.

I was silly enough to use my Gmail account as a backup for programming work I do and as such I have lost several thousand dollars worth of work. :-(

I will keep you posted as the situation changes, I will be phoning the police in a few minutes.
posted by PuGZ at 11:12 PM on November 4, 2005


(I have also asked them to change my password ASAP.)

Unfortunately, things have taken a turn for the worse. I came home from work an hour ago to discover that my entire Gmail account has been wiped clean;

I take it your cookie doesn't keep you logged in at this page?

Because you can change your password immediately without "asking" google to do it, if you can get to that page.
posted by juv3nal at 11:46 PM on November 4, 2005


you should get your computer screened for trojan horses ASAP (in the meanwhile change all your passwords from another computer that you know is clean and protected. NOT from yours).

the complete changing of passwords suggests this is someone who had access to your computer to grab all your account information and passwords. you have to clean this out of your computer or you will still be vulnerable.
posted by mirileh at 12:25 AM on November 5, 2005


Response by poster: juv3nal: I can access that account and believe it, it's the first thing I checked! That is how I knew my password had been changed for Gmail -- I could not enter a new one! My secret answer has likewise been changed, thus I have to resort to pleading my case to Google.

I am guessing that this person from my old school somehow discovered my father's middle name (a very silly secret question I realise, in hindsight) and used that to compromise my account.

This answers your post, mirileh. Regardless, I have checked for trojan horses on both my PC and the others in the house -- but it returns nothing.
posted by PuGZ at 2:37 AM on November 5, 2005


Response by poster: In regards to the current situation: I made my way down to the local police station and filed a report. Unfortunately (but expected), they cannot do much other than record my visit, but they have passed on contact details for the Computer Crime Squad in the city. I will be meeting them come Monday morning.

With the help of a very kind forum administrator, we tricked the perpetrator into making a test post on the forum, thus catching his IP (for use in identifying him later, although I already have two. The more the better!)

I must say this has made (thus far) for an interesting experience, I will be sure to document it somewhere in an attempt to frighten people into creating stronger secret questions. :-)
posted by PuGZ at 2:41 AM on November 5, 2005

