Post-hacking help?
January 14, 2022 9:41 AM   Subscribe

I might be the victim of hacking. What to do?

I am a member of an activist group. I was formerly the chair and had other positions.

We use Google Drive to keep a number of files. There had been a problem with things kind of disappearing from the account (apparently a technical glitch?) Then I somehow had a folder in my own G-drive account of stuff from the group account. (I have other stuff in my own G-drive.)

Yesterday, I got two notices that the vice chair and, separately, a former chair, were asking for access to my G-drive “Group Stuff Folder”. I shared the folder with the vice chair, and wrote to both of them that I didn’t want to be the keeper of the files.

The vice chair wrote me back. Apparently she never made the request in the first place.

Should I be concerned about this? How can I protect both myself and the group?
posted by NotLost to Computers & Internet (9 answers total) 2 users marked this as a favorite
You should be concerned and you should probably not OK sharing automatically in the future, but there is potentially an entirely innocent explanation - your vice-chair and chair could have tried to access the file while logged into a different gmail account, or you sent them a link to the version of the file in your own account (which they did not have access to) and Google prompted them to ask for access.

It seems like it's time for some data hygiene measures. When you say you use Google Drive to keep a number of files, how do you have this set up? I'm not going to have specific advice, but maybe someone else will.
posted by mskyle at 9:47 AM on January 14

I'd be quite concerned. The moving files seems weird - a good attacker would make more effort to be unseen - but the "I didn't request this" is a big red flag. Possibly wrong, people are often really unaware of what they're doing in systems, but either way - big red flag.

At minimum everyone needs to change passwords and make sure that MFA (aka 2FA aka 2SV) is enabled for all of your accounts. MFA should use push notifications/app approval or OATH TOTP (where you get a six-digit code from the app), not SMS, which is more easily intercepted by attackers. Anyone who has access to sensitive files needs to have this - if anyone doesn't, that's the vector the attackers will use. It's trite to say at this point, but security is only as good as its weakest link.

After changing passwords and ensuring MFA is on, look at the MFA credentials you have registered and delete any you don't definitively recognize. This will help prevent the attacker from maintaining persistent access.

You and the two other users should also review your sign-ins to see if there are any you don't recognize. That may help answer whether or not you were compromised.

Those are the immediate things I'd do if I were in your shoes - I'm sure other folks here can help with longer-term and Google-specific action items.
posted by Special Agent Dale Cooper at 9:58 AM on January 14 [3 favorites]

Right now: go to the shared-stuff folder and find out what email addresses it is shared with; remove any you do not recognize. Also ensure that the folder is absolutely not world-readable or shared to "anyone with the link." Spot-check some of the files too, just in case.

Now start making some contingency plans; I think this folder should have two co-owners at all times, to cover for illness, jail (I hope not but it happens), etc. Set calendar reminders every month or two to recheck folder permissions.

Anyone can fake up an email asking for access that looks like it came from a colleague but actually did not. In future, do not click from those GDrive emails; assess the request, then go to Google Drive itself and use the Share menu to grant access.
posted by humbug at 9:59 AM on January 14 [4 favorites]
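The permission review humbug describes, as an added example that is not from the thread or from Google: a Python audit over a permission list in the shape a Drive API v3 permissions.list response takes. The records and the member allowlist are constructed placeholders, nothing is fetched from a real account, and the call that would act on the result (permissions.delete) is left to the reader.

```python
# Added example: audit a Drive folder's sharing entries the way humbug's
# comment describes. The permission records below are constructed in the shape
# of a Drive API v3 permissions.list response; nothing is fetched from Google.
SAMPLE_PERMISSIONS = [
    {"id": "p1", "type": "user", "emailAddress": "notlost@example-group.org", "role": "owner"},
    {"id": "p2", "type": "user", "emailAddress": "vicechair@example-group.org", "role": "writer"},
    # Lookalike address that is not a group member
    {"id": "p3", "type": "user", "emailAddress": "vicechair.group@example-mail.net", "role": "writer"},
    # "Anyone with the link" entry
    {"id": "p4", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
    # Whole-domain share to a consumer mail domain
    {"id": "p5", "type": "domain", "domain": "example-mail.net", "role": "reader"},
]

# Assumed allowlist: the addresses the group actually recognises.
KNOWN_MEMBERS = {
    "notlost@example-group.org",
    "vicechair@example-group.org",
    "formerchair@example-group.org",
}


def audit_permissions(perms, known_members):
    """Return (permission id, reason, action) triples for entries to act on."""
    findings = []
    for p in perms:
        kind, role, pid = p.get("type"), p.get("role"), p.get("id")
        if kind == "anyone":
            scope = "discoverable by search" if p.get("allowFileDiscovery") else "anyone with the link"
            findings.append((pid, f"public access ({scope}) as {role}", "remove"))
        elif kind == "domain":
            findings.append((pid, f"every account in {p.get('domain')} has {role}", "remove"))
        elif kind in ("user", "group"):
            addr = (p.get("emailAddress") or "").lower()
            if addr not in known_members:
                findings.append((pid, f"unrecognised {kind} {addr} with role {role}", "remove"))
    # humbug's contingency point: a single owner is a single point of failure.
    if sum(1 for p in perms if p.get("role") == "owner") < 2:
        findings.append((None, "only one owner; add a co-owner or move to a Shared Drive", "add"))
    return findings


def ids_to_revoke(perms, known_members):
    """Permission ids to pass to permissions.delete(fileId=..., permissionId=...)."""
    return {pid for pid, _, action in audit_permissions(perms, known_members)
            if action == "remove" and pid is not None}
```

Feed the real permissions.list output for the folder into audit_permissions and repeat it on the calendar schedule humbug suggests; the "add" finding is the cue to set up a second owner rather than something to revoke.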

You might want to look into moving off Google Drive and onto Keybase instead, which has a well thought out Teams feature that makes access controls pretty hard to get wrong and allows a team rather than an individual to be the owner of a shared files collection. Keybase offers quite robust identity guarantees as well.
posted by flabdablet at 10:03 AM on January 14

flabdablet, you're describing the existing Shared Drive feature in Google Drive, just for the record.
posted by sagc at 10:04 AM on January 14

Sure, but it's a lot easier to use a web browser to spoof an email address than it is to use a Keybase client to spoof a Keybase user account. If the accounts are being run in lockdown mode, the latter can really only be done via physical access to one of the account owner's devices.
posted by flabdablet at 10:05 AM on January 14

I shared the folder with the vice chair

Did she receive the access? Check on it: if not, it would confirm that you were the victim of a phishing attack and granted access to the attacker. If she does have access and nobody unexpected does, it suggests (but doesn’t prove) this to have just been a mistake.

(on its own “I didn’t request this” is hard to judge from here; it would be a huge danger sign coming from some people, and basically expected absent-mindedness or tech-unsavviness from others)
posted by ook at 1:19 PM on January 14 [1 favorite]

One other point to consider: if an attacker was able to access your documents, you need to assume that they made a copy of those docs. Shutting off access now is important but it really only protects new docs and changes made after that access is shut down. If any of the information in those files could be used against the organization or any individuals--incriminating documents, documents that can be used to damage reputation, banking information, SSNs, etc--start planning for that now.
posted by Special Agent Dale Cooper at 1:44 PM on January 14 [5 favorites]

The first thing I would do is use Google Takeout to download a backup of all the files stored in Google Drive. There's a chance an attacker with access to your data might decide to delete all your files - and backups are generally a good idea anyway.

Then I would secure my account as per Special Agent Dale Cooper's comment and do my best to ensure everyone else does the same. Like backups, this is something you should be doing anyway whether you've been hacked or not.

Then I'd start investigating whether this really was a hack, firstly by looking at the sharing permissions as per humbug's comment. Next, I'd show the email sharing requests you received from the vice chair and former chair to someone technical (they'll probably need to see the full email headers) so that they can determine whether it was a genuine share request or a fake email. If you want someone here to look at it, leave a comment to say so. I or someone else can explain how to display the full email headers, redact personal information etc.
posted by Busy Old Fool at 3:58 PM on January 14 [3 favorites]
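The header check Busy Old Fool describes, as an added example that is not from the thread: a Python function that reads the Authentication-Results stamp in a share-request email's full headers and reports whether SPF, DKIM and DMARC passed for the From domain. Both messages and every domain in them are constructed placeholders, not real Google or group addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real messages). The Authentication-Results
# line is what a receiving mail server stamps after checking SPF, DKIM and DMARC;
# it is the part a technical reviewer looks at first in the full headers.
GENUINE = """\
From: Drive Sharing <noreply@example-provider.com>
Reply-To: vicechair@example-group.org
To: notlost@example-group.org
Subject: Request to share "Group Stuff Folder"
Authentication-Results: mx.example-group.org; spf=pass smtp.mailfrom=example-provider.com; dkim=pass header.i=@example-provider.com; dmarc=pass header.from=example-provider.com

Someone is requesting access to your folder.
"""

SPOOFED = """\
From: Drive Sharing <noreply@example-provider.com>
Reply-To: vicechair@example-group.org
To: notlost@example-group.org
Subject: Request to share "Group Stuff Folder"
Authentication-Results: mx.example-group.org; spf=fail smtp.mailfrom=bulk.example-mailer.net; dkim=none; dmarc=fail header.from=example-provider.com

Someone is requesting access to your folder.
"""

def assess_share_request(raw):
    """Summarise the authentication checks on a share-request email's headers."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    # Pull out the spf=/dkim=/dmarc= verdicts and the DKIM signing domain.
    results = {m.group(1).lower(): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    signer = re.search(r"header\.(?:i=@|d=)([\w.-]+)", auth, re.I)
    warnings = []
    if not auth:
        warnings.append("no Authentication-Results header; sender cannot be verified here")
    if results.get("dmarc") != "pass":
        warnings.append("DMARC did not pass for the From domain")
    if results.get("dkim") != "pass":
        warnings.append("no valid DKIM signature")
    elif signer and signer.group(1).lower() != from_domain:
        warnings.append(f"DKIM signed by {signer.group(1)}, not the From domain")
    return {"from_domain": from_domain, "results": results, "warnings": warnings,
            "verdict": "authenticated" if not warnings else "suspicious"}
```

An "authenticated" verdict only shows the provider really sent the notification; whether the named colleague actually clicked the request is a separate question, which is why the thread's advice to confirm with her directly still applies.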
