I Got Hacked: Lessons Learned
I’ve always known it could happen to me, but I didn’t really know how to protect myself—or maybe I just didn’t have a big enough budget to worry about it, so I lived in denial. But it finally hit home.
When a hotel wifi, or Starbucks, or any open restaurant, says, “Beware, this is not secure,” they mean it.
I was just minding my own business, working on my laptop as I always do when I travel, happy to have wifi at all, because when you’re self-employed, and don’t have a big company providing you with security or IT services, you just do what you can, and hope for the best.
But on this trip, when I accessed the wifi on my laptop and phone, as usual, the Big Bad Hacker guy found me. I say “guy,” only because when I saw the Yahoo verification emails flashing before my eyes—and before he deleted them out of my account, because, yes, he was IN my account—the first one said “Charlie” was linking my account to his. Then it was “Pat.” Then it was a woman’s name, and I lost track after that.
We were in San Francisco for a trade show and the SPIE Music Jam at PianoFight--I sang and briefly played the keyboard--so we were up very late. The hacker sent my partner an email around 7:30 A.M. Talk about a rude awakening.
Yes, it is your world’s worst nightmare (other than the anesthesiologist stealing your fentanyl during surgery, so you wake up and feel the pain, but can’t scream, which I also read about today). Someone is literally taking over your online identity and you have no power to stop them. Scheduling jobs with your kitchen contractor, then deleting emails, so you have no idea it even happened. I’m still missing a full week of emails that he deleted, presumably to cover his tracks, and I don’t know how many others might be gone—and worse, never arrived.
If I didn’t respond to you within the last week or two, please email me again!
Anyway, I pictured it to be a man, or maybe a whole room of men, sitting around a table, or a group of tables, hacking me and all the other vulnerable, innocent people, who are just trying to make a living, and stealing our livelihoods, our personal and financial information. I later found out that they were in San Francisco, at least that’s where my suspicious-activity alerts said they were. He apparently was using Verizon on a Samsung phone. I was able to capture several IP addresses.
And. They. Have. No. Conscience. While. They. Do. It.
I didn’t really have time to get angry about it. And I’m very grateful that I have a partner who has a computer security company on retainer for his business, who I was able to call for help as soon as it happened.
We were able to force the hacker out of my primary email account after a couple of hours of changing passwords multiple times. The only way to get him out for good was to change it remotely—not on my laptop, where he might have had some kind of keyword logging accessibility and could see what I was typing as I changed my passwords (we weren’t sure what he had access to).
I want to give a shout out to Steve and Carl at 7Circuits.com for helping me out. They responded immediately, with good nature and humor and capability, and have done so repeatedly in the days since as other related issues have come to my attention.
But even then, the hacker still eluded us, and continued to hack.
He somehow found an old Hotmail address I’d created, literally 16 years ago, and as soon as we forced him out of my regular email, he started sending a series of emails to everyone I’d ever emailed on my regular account (since 2002) on the Hotmail account.
I’m not sure if the Hotmail account had gone dormant and he resurrected it, because it had my name in it and he could pretend to be me, or what. But it was so old I’d forgotten it had ever existed. When I created it, I had not published my first book yet, and who knew then that anyone would ever care who I was. I made it close to my name and my other account, so it would be easy to remember: If it popped up in your emails, it was firstname.lastname@example.org. But that was the hacker contacting you, NOT me.
First, he asked my friends—and professional sources—for a favor. Then, if he got a fish on the line, he asked them to go out and buy gift cards for a sick friend with “Liver cancer,” because I was travelling and I couldn’t do it myself, but I would reimburse them when I returned. The whole email had no punctuation and most people who know me know I use punctuation and that I also wouldn’t capitalize Liver. But I digress.
If it went further, he apparently asked the victim to scratch off the goop, take a screen shot of the numbers underneath and send them to him so he could cash them in without any chance of being caught. Sadly, a well-meaning family member was scammed. Another friend I’ve known since junior high school also tried to send money, but I was able to stop him before the transaction could be completed.
Please beware of ANYONE who asks you by email or by phone to go out and buy gift cards for any reason.
Others engaged with the hacker, to try to elicit information or mess with him on my behalf or out of their own desire to screw with this bad person. I was told to advise folks not to do this, because it only opens YOU up to the phishing scam, where he can then get access to your information and start sending out emails to everyone in YOUR address book. Everyone you’ve ever emailed from that account. You would not believe how many people, some of whom I haven’t spoken to in eons, emailed, texted, and called me – “Is this you?”
Anyway. I have literally changed my passwords multiple times, and created a bunch of new ones (they tell you not to duplicate passwords, but geez, how creative can you be when you’re under the gun? And don’t forget to write them all down.) I’ve added two-step verifications, which was too hard to do on my own before, but I now see that living with the “I don’t know how to do this” attitude just doesn’t cut it these days. So I learned.
I also alerted my bank and changed my online ID to a new unique one, then we took a walk on Mt. Tam during a lull during which I mistakenly thought I was rid of the hacker. At some point I also posted on Facebook, Instagram and Twitter that I was having these problems. I wanted to warn people not to send this guy any money, but I also thought someone might offer some good suggestions.
As it turned out, this was a great step to take, because a friend from college actually works for Microsoft, which now has control over Hotmail accounts. He saw my plight on Twitter and offered some suggestions. I didn’t even know who he was at the time. Just a stranger offering some help, I thought.
I’d tried calling Microsoft myself, but could not reach a person. Imagine, a $126 billion corporation with no human beings answering phones. Meanwhile, the hacker had blocked me out of my own Hotmail and Microsoft accounts, and all my efforts to respond to the security alerts, where I could report the suspicious activity, were being kicked back. I didn’t think there was anything left for me to do, but let it continue. Thankfully, my friend was able to reach some muckety-mucks in legal and get the email account blocked. I’m so grateful to him.
I don’t know why the hacker picked me. If he’d looked more closely, he would have seen just how many lawyers, prosecutors, detectives, former FBI agents, the sheriff, the prison system—all these law enforcement people—were in my address book. But that’s because criminals are living like we do, I guess, moving as fast as they can, living in denial, before they get caught on the line.
It was tough to try to stay ahead of him, because he was fast. But I thought he was out of my accounts. I’d closed any financial online accounts as a precaution, scanned my computer for malware and any other virus or issue, and we thought all vestiges of the guy were gone.
Then, last night, I realized that no one was getting back to me after I’d been emailing them all day. In fact, not for several days, unless my email address was in a group email or it came through Twitter or my website, which is why I didn’t notice at first.
Turned out that he was gone, but he’d left his dirty little footprints in my email account Settings. We’d erased the sub-account he created, and also some filters, but we missed this one important item. Anytime anyone hit “reply” to my email, he had forwarded that response email to the Hotmail account. So for days I hadn’t been getting email responses and didn’t even know it.
Thankfully, a friend (a former FBI agent – the hacker should have picked his victim better!) alerted me to it. Bollocks!! But I removed the forwarding (don’t forget to save the changes) and I felt like a security expert. Kill him!
So, my message here today, is this: Do what you can to protect yourself now. Trust me, this was no fun, and I’m lucky it wasn’t worse. Our Lyft driver told us this happened to him in an airport in Germany and he ended up losing thousands of dollars. Get help if you don’t know how to do it yourself.
Oh, and by the way, I know all the people who told me to call the police to report this were trying to be helpful, but that is not the right thing to do. Local police can’t do anything unless someone steals your identity and steals money directly from you. In this case, because the hacker stole money from a family member online, there was nothing the police could do. They told me to contact the FBI and file a complaint on a website, which I did. Here is the website: www.ic3.gov.
Even though I had managed to capture the hacker’s IP address, which the hotel security told me was a Verizon account, the Verizon fraud rep said she couldn’t do anything, because they need a subpoena to investigate anything. The hotel was also useless. They just told me they’d got no other complaints from other guests, and they were sorry for the inconvenience.
Was I chosen because I’m a New York Times bestselling author? Probably. Sadly, people think that all authors are wealthy and have wealthy friends. To this, I say, HA.
It was random, but it also seemed somewhat targeted. Perhaps after they Googled me? A contractor recently told me he thought I was famous, just like the Kardashians, but that was an enormous joke to me, because that is only how it looks to certain people who have no idea what my life is really like. It was funny when it happened, but now, I fear, this is one of the consequences of looking famous to outsiders.
Just fyi, I am not rich, and neither are my friends. And with AB5, we are losing our freelance gigs, or they are becoming unbelievably bureaucratically cumbersome, as we speak.
I’m still waiting to see if the FBI responds to the complaint I filed. I sure hope so, because I’d like to see this sucker punished. That's FBI headquarters in Washington, DC, in the photo above. Hope they give me a call!
Here are some tips I’ve gotten this past week, but will not even try to explain the technology:
--Get a VPN while traveling or to use in coffee shops, which is a kind of personal network. My expert recommends CyberGhost, which costs about $3 a month.
--Use a mobile hotspot to stay out of the insecure public areas on the internet where anyone can see you there and get into your email. This will use up a lot of data, so make sure you have a good plan. I will be changing mine to accommodate the hotspot I didn’t know was working already.
--Download the ESET mobile security app on your phone.
--Set up two-step verifications on your most important sites, like social media, your email, and other sites that have access to your financial information.
--Remain calm but stay alert, call your bank to flag your account, and be ready to drop everything to respond to creeps like this.
--Alert and warn everyone that it isn’t YOU, so they don’t get scammed.