On Monday, a hacker took control of our company’s general Gmail account and sent a scam email to at least several dozen people who have corresponded with us at [email protected].
We got control of the account back quickly, but not without a fight and not before at least the one scam email went out.
First, we want to apologise to anyone who received an email ostensibly from us entitled “My Predicament” that recited a bogus sob story about getting mugged. (“Send money immediately…”) Needless to say, we didn’t send this email.
Second, we want to apologise to anyone whose email address was stolen from us. The hackers did not gain access to our email newsletter subscription database — just our general corporate email account. But if you have corresponded with us at [email protected], it’s possible that you will be getting more lame scam-mail from these bastards in the future. We are deeply sorry about that.
Third, in the interest of helping other companies avoid a similar episode, we want to share as much information about what happened as possible.
For us, there were two big takeaways:
- First, some of our internal information- and password-sharing practices left us exposed to this sort of thing. We have already taken measures to improve them.
- Second, we experienced firsthand a lesson that we’ve been writing about for years: Any time you put information in the “cloud,” the tradeoff is that it’s out there for anyone to access, any time.
Around 1:45 p.m. ET on Monday, we started receiving emails from readers who had been sent scam emails from our Google account, [email protected]. These weren’t just typical spam mails with forged email headers — they were actually coming from our Gmail account.
They were typical Nigerian scam-style messages: “We’ve been mugged in London, they have all our money, and we need £1,000 to pay our hotel bill and get back home!” (See full message below.) Some readers — seemingly for their entertainment — engaged with the scammers, and got follow-up emails with more information.
After the second reader complaint, we realised something weird was going on. We tried logging into our Gmail account, and found we were locked out. The scammer had, smartly, changed the password. And, as we soon found out, they had changed a few more crucial settings, too.
We found Google’s form to let them know that our account had been compromised. We also emailed Google’s press department to let them know what happened, and to ask for any help they could provide.
Very quickly, we got our first email back from Google to reset the account. We went in and changed the password and thought we were done.
But the hackers were smarter and more prepared than that. It took several reset attempts, and a “quick, change-the-password-now!” phone call with a Google representative, before we actually had control back over our account.
What had happened?
The scammers who broke into the account had created a new (but innocent-seeming) OperaMail.com webmail address, which they had set as our “backup” address. This meant account-reset emails were also sent there, which seems to be what let them re-reset the password we had just reset.
They had set a Nigerian phone number as the mobile number Google should text when a password reset was requested. This seems to have given them another way back in during our password-reset attempts.
They had forwarded all incoming email for the [email protected] account to their OperaMail.com account, with a filter set to trash every message after forwarding. This was especially slick. It kept us from seeing any Inbox messages until we discovered the trick hours later; it let them reset our password once before we had a chance to, since the reset emails reached them and never reached us; and it made sure they kept getting a copy of all our incoming mail, even after they no longer had direct access to the account. (So if this happens to you, don’t stop at changing the password: check the “Forwarding” and “Filters” sections for anything out of place.)
They had emptied the trash, preventing us from seeing the messages they had sent and received during the time they had control over our account. This means we don’t actually know how many people got the scam message, who they are, or what their responses were. They got halfway through writing one last message, which we found in the “Drafts” folder, but those are the only tracks they left, besides the correspondence that several readers forwarded to us.
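The “forward, then trash” setup above is exactly the kind of thing a post-compromise audit should look for mechanically, not by eye. The following is an added example, not code from the original post: it audits a mailbox’s auto-forwarding setting, its verified forwarding addresses and its filters, and flags anything that forwards mail to an untrusted domain, hides mail from the inbox, or targets account-security messages. The dictionary shapes mirror the Gmail API resources `users.settings.getAutoForwarding`, `users.settings.forwardingAddresses.list` and `users.settings.filters.list`; the allow-listed domain, the mailbox address and all sample settings are constructed for the example.

```python
"""Audit Gmail forwarding and filter settings for attacker persistence.

Added example, not code from the original post. Input dicts follow the
Gmail API resource shapes; every value below is constructed sample data.
"""
from dataclasses import dataclass

# Assumption: the only domain this mailbox is allowed to forward to.
TRUSTED_FORWARD_DOMAINS = {"company.example"}
# Labels whose presence means the message never shows up in the inbox.
HIDE_LABELS = {"TRASH", "SPAM"}
# Criteria words that suggest a filter is hunting account-security mail.
SENSITIVE_WORDS = ("password", "verification", "security", "recovery", "google")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    where: str      # "autoForwarding", "forwardingAddresses" or "filter:<id>"
    detail: str


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if address else ""


def _criteria_text(criteria):
    return " ".join(str(v) for v in criteria.values() if v).lower()


def _hides_from_inbox(action):
    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    return bool(added & HIDE_LABELS) or "INBOX" in removed


def _is_broad(criteria, mailbox_address):
    # Empty criteria, a bare "*" or "to: <own address>" all match every message.
    return _criteria_text(criteria) in ("", "*", mailbox_address.lower())


def audit_forwarding(mailbox_address, auto_forwarding, forwarding_addresses, filters):
    findings = []

    # 1. Account-wide auto-forwarding (Settings > Forwarding and POP/IMAP).
    if auto_forwarding.get("enabled"):
        target = auto_forwarding.get("emailAddress", "")
        if _domain(target) not in TRUSTED_FORWARD_DOMAINS:
            findings.append(Finding("high", "autoForwarding",
                                    f"all mail is forwarded to untrusted address {target}"))
        disposition = auto_forwarding.get("disposition")
        if disposition in ("trash", "archive"):
            findings.append(Finding("high", "autoForwarding",
                                    f"forwarded mail is hidden from the inbox (disposition={disposition})"))

    # 2. Forwarding addresses that were verified but never approved by us.
    for entry in forwarding_addresses:
        addr = entry.get("forwardingEmail", "")
        if _domain(addr) not in TRUSTED_FORWARD_DOMAINS:
            findings.append(Finding("medium", "forwardingAddresses",
                                    f"unapproved forwarding address {addr} "
                                    f"({entry.get('verificationStatus', 'unknown')})"))

    # 3. Filters: per-filter forwarding, and anything that hides mail.
    for flt in filters:
        where = f"filter:{flt.get('id', '?')}"
        action = flt.get("action", {})
        criteria = flt.get("criteria", {})
        text = _criteria_text(criteria)
        target = action.get("forward")
        if target and _domain(target) not in TRUSTED_FORWARD_DOMAINS:
            findings.append(Finding("high", where, f"forwards matching mail to untrusted address {target}"))
        if _hides_from_inbox(action):
            if _is_broad(criteria, mailbox_address):
                findings.append(Finding("high", where, "matches every message and hides it from the inbox"))
            elif any(w in text for w in SENSITIVE_WORDS):
                findings.append(Finding("high", where, f"hides account-security mail from the inbox (criteria: {text})"))
            else:
                findings.append(Finding("medium", where, f"hides matching mail from the inbox (criteria: {text})"))
    return findings


# Constructed sample settings resembling the compromise described in the post.
MAILBOX = "news@company.example"
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "attacker@operamail.example", "disposition": "trash"}
SAMPLE_FORWARDING_ADDRESSES = [{"forwardingEmail": "attacker@operamail.example", "verificationStatus": "accepted"}]
SAMPLE_FILTERS = [
    # Legitimate "skip the inbox" rule for a newsletter: medium at most.
    {"id": "f1", "criteria": {"from": "newsletter@vendor.example"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_Newsletters"]}},
    # The attacker's rule: everything addressed to us is forwarded and trashed.
    {"id": "f2", "criteria": {"to": MAILBOX},
     "action": {"forward": "attacker@operamail.example", "addLabelIds": ["TRASH"]}},
    # Hides password-reset mail so the owner never sees the reset notices.
    {"id": "f3", "criteria": {"subject": "password reset"},
     "action": {"removeLabelIds": ["INBOX"]}},
]


def run_example():
    return audit_forwarding(MAILBOX, SAMPLE_AUTO_FORWARDING, SAMPLE_FORWARDING_ADDRESSES, SAMPLE_FILTERS)


if __name__ == "__main__":
    for finding in run_example():
        print(f"[{finding.severity}] {finding.where}: {finding.detail}")
```

Run against a real account, the three inputs would come from the Gmail API calls named above (or, for Google Workspace, from an admin export); the point of the severity split is that “skip inbox” filters are common and legitimate, whereas a filter that both forwards off-domain and trashes, or that matches everything, is almost never something the owner set up.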
They also deleted our Gmail Contacts, one of a few reasons we don’t know who they spammed.
Whose email addresses got stolen?
The scammers targeted our generic corporate account: [email protected]. If you have sent email to this account, it is possible that your email address and the name associated with your email address were stolen.
Importantly, there is no reason to believe your email account or other personal information is at risk. (Though it’s possible they’ll try to send you more lame scam emails in the future.)
The email addresses of those who subscribe to our daily newsletters were NOT stolen.
How did they do this?
At first, we thought this was a random, brute-force-style hack job. We thought the hackers had targeted a well-known, credible Google account they could use to get money from suckers. (By the way, does this work? Does anyone actually send money because of these emails? Apparently they must, or this would not happen.)
But then we heard later that one of our interns had recently had her personal Gmail account compromised. Her name also happened to be the name that our scammer was using to try to get money from people.
So how did they get access to our Gmail account from our intern’s Gmail account?
One of our intern’s jobs at the company is to check our Google Analytics stats. For that, one of our employees had, at one point, emailed her the login information for our Google account so she could get access to the Google Analytics stats. That email — containing our login and password — was in her personal Gmail account when it was compromised, and we now think that’s how the scammers got access to our company’s Gmail account.
We won’t be doing that anymore.
For reference, that email did not include the word “password,” but it did include “google” and “login” in the subject line. If we were a scammer, and we had access to an email account, the first thing we’d do is search for words like “password,” “login,” etc., and harvest as many logins as possible to other sites and services. Some may be handy for future email scams, whereas some may be helpful for bigger projects, like credit card fraud.
Indeed, when we later searched our Gmail account — the one that was compromised yesterday — for the word “password,” we found several emails sent to our staff containing the logins and passwords to various sites we use. These passwords are obviously being changed, and we won’t be emailing logins and passwords again.
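The search described in the last two paragraphs, the attacker’s harvest and the defender’s clean-up, is the same query run with different intent. The following is an added example, not code from the original post: it scans a set of raw messages for credential-bearing mail, distinguishes a message that merely mentions “password” (such as a reset notice) from one that actually carries a login and password pair, and redacts the secret in its report so the audit output does not itself become another copy of the credential. Message parsing uses the Python standard library; the three messages are constructed samples, and the keyword list and pattern are heuristics chosen for the example.

```python
"""Find e-mails that carry logins and passwords in a mailbox dump.

Added example, not code from the original post. The three messages are
constructed samples; KEYWORDS and CRED_RE are illustrative heuristics.
"""
import email
import re
from email import policy

# Words an attacker (or an auditor) would search for first.
KEYWORDS = ("password", "passwd", "login", "credentials")
# "password: x", "pwd = x", "pass - x", "password is x"; the secret is group 2.
# Deliberately loose: a false positive costs a glance, a false negative costs an account.
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|pass)\b\s*(?:is|[:=\-])\s*(\S+)")

SAMPLE_MAILBOX = [
    # 1. The kind of message the post describes: a shared login in plain text.
    """From: ops@company.example
To: intern@personal.example
Subject: google login for analytics
Message-ID: <1@company.example>

Hi, here is the Google login so you can check the stats.
user: news@company.example
password: Hunter2!2009
""",
    # 2. Mentions "password" but carries no credential.
    """From: accounts-noreply@google.example
To: news@company.example
Subject: Password reset request
Message-ID: <2@company.example>

Someone requested a password reset for your account. Click the link to continue.
""",
    # 3. Ordinary reader mail.
    """From: reader@example.net
To: news@company.example
Subject: Loved your article
Message-ID: <3@company.example>

Just saying thanks.
""",
]


def _body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def _redact(secret):
    # Keep two characters so the owner can recognise which password it was.
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_message(raw):
    """Return a finding dict for one RFC 822 message, or None if it is clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    haystack = f"{subject}\n{_body_text(msg)}"
    keyword_hits = [w for w in KEYWORDS if w in haystack.lower()]
    creds = CRED_RE.findall(haystack)
    if creds:
        kind = "credential"      # an actual login/password pair is present
    elif keyword_hits:
        kind = "keyword"         # worth a look, but probably a notification
    else:
        return None
    return {
        "id": str(msg.get("Message-ID", "")),
        "subject": subject,
        "kind": kind,
        "keywords": keyword_hits,
        "secrets": [f"{field}: {_redact(value)}" for field, value in creds],
    }


def scan_mailbox(raw_messages):
    """Scan every message; credential findings are what must be rotated."""
    return [r for r in (scan_message(m) for m in raw_messages) if r]


if __name__ == "__main__":
    for finding in scan_mailbox(SAMPLE_MAILBOX):
        print(f"{finding['kind']:10} {finding['id']} {finding['subject']!r} {finding['secrets']}")
```

Every “credential” finding is a password that must be rotated and a message that should be deleted from both mailboxes, since an attacker with IMAP or forwarding access would have run the same search; note that the scanner reads only the plain-text part, so an HTML-only message with the secret in the markup would need the HTML part stripped and scanned as well.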
What did we learn?
We’ll review what we use our main Google and Gmail account for, and probably spread those uses across more accounts so that one compromised login exposes less.
We won’t email passwords to our colleagues or ourselves again.
We’ll change passwords more often, and encourage our employees to have strong passwords on their personal accounts. (Long strings mixing upper- and lower-case letters, numbers and special characters, changed frequently, etc.)
We’ll make sure as many password recovery techniques are employed as possible, including backup email addresses and SMS. (Knowing that someone could delete them anyway.)
The convenience (and low cost) of Web-based email and cloud-based document and analytics services is worth the occasional nuisance. But we’re more aware of the security risks now, and will be more careful with what information we post, and who we trust to have access to it.
Most importantly, we apologise again to anyone who was affected by this.
Henry Blodget, CEO
Dan Frommer, Deputy Editor
We Hope You Didn’t Get It, But Here’s The £1,000 Letter…
From: Silicon Alley Insider <[email protected]>
Date: Mon, Dec 28, 2009 at 1:40 PM
Subject: My predicament
It is with profound sense of sadness i wrote this email to you. I don’t know how you will find this but you just have to forgive me for not telling you before leaving. I traveled down to United Kingdom Yesterday for a short vacation but unfortunately,i was mugged at a gun point on my way to the hotel i lodged all my money and all other vital documents including my credit card and my cell phone have been stolen by muggers.
I’ve been to the embassy and the Police here but they’re not helping issues at all,Things are difficult here and i don’t know what to do at the moment that why i email to ask if you can lend me £1,000.00 so i can settle the hotel bill and get a returning ticket back home. Please do me this great help and i promise to refund the money as soon as i get back homm
Please do me this great help and i promise to refund the money as soon as i get back home.
I look forward to your positive response.