On Sunday, October 30, 2016, I was hacked. The person was probably in the Philippians and he was an above average hacker. Somehow he knew that I had an iphone and that I needed my apple ID to do anything with my phone. He also knew that my recovery email was my gmail account so he would need to compromise both and gain control over them. He did that. Then he went to work changing all of the recovery methods so that it would take me a long time to get my accounts back.
History:
I have a bit of a history with online security. When I got my first Yahoo Email account, a hacker had taken over my account. It took over 2 months to get it back.
This time it was more sophisticated. He had automation. He had scripts. Hackers tools had evolved. Normally on Saturday nights I stay up later – as most people do. So by 3am, I was deep into a sleep and I wasn’t going to be waking up for a while. The Hacker started working:
3:00am CST – The Hack Begins. It started early on a Sunday morning. I was still asleep.
10:42am CST – I woke up.
When I woke up that Sunday morning and finally looked at my phone, I saw all of the emails:
“Your password has been changed.”
“Your recovery and account information has been changed.”
Those are some of the worst emails and notifications you can receive. Especially for anyone that has online accounts that hold so much personal information.
10:43am CST – I was only on my phone for a brief time and then he wiped it. He remotely wiped it and removed the “Find my iPhone” App. By doing this, it made the phone a brick. The phone store would not accept it in – I would later find out.
Who was this? How did this start? I saw that it had started happening around 3am so he already had an 8 hour head start. As I attempted to recover some of the accounts, it became more clear how bad this was. I tried my best to change passwords and reset recovery info, but nothing was working. Then he went after PayPal. Then coinbase. One by one my accounts were attacked. It was a terrible feeling. And it was embarrassing.
If you are in a sinking row boat, the first thing you do is try to stop the water from coming in.
One of the first emails that I see:
He was online. 10:40am CST
(He had signed in to my GMAIL account on his Windows PC. He was waiting for me to wake up and start to try and recover my accounts. )
My main phone was an iPhone 6S. I just happened to have a brand new iPhone 7 that I had gotten in the mail. I had 30 days to activate it and that would give me a chance to move everything over. But I did not have time. NOW, the device was already wiped by the hacker and he was going to go after all other devices (phones/tablets) under the Apple ID.
I had to get hold of Sprint right away:
Chat ID: 742627XXXXXXXXX772909
DATE/TIME: 2016-10-30 11:51:40 EST (10:51 am CST)
Your chat transcript:
Sprint : We received your information and will connect you with a Chat Specialist soon.
You : hello
You : klasdjfolqwejif
Henry R : Thank you for contacting Sprint. My name is Henry R. I am happy to help you today.
Henry R : I understand your concern.Henry R : I’ll be glad to help you.
You : my account was hacked
You : not sprint
You : but gmail and apple ID
You : i have a new phone and I need to activate itYou : asap
Henry R : I am sorry to hear that your account was hacked.
Henry R : May I please have your phone number on which you want to activate and the MEID number for your new phone?
Henry R : Please let me know if you’re still available to chat with me so I can continue to assist you.
You : 5154947555
You : where do i find MEID
Henry R : Let me help you how to locate it.
Henry R : What is the make and model for your new phone.
You : iphoine 7
Henry R : That’s great!
Henry R : From the phone please tap Settings>General>About to get the MEID number.
You : ok got it
You : XXXXXXXXXXXXXX
You : do NOT use my gmail
You : the hackers have it
Henry R : Excellent! Thanks.
Henry R : Sure, Brock, We will not be updating the email Id from our end.
Henry R : May I please have your 6-10 digit numeric PIN to access your account?
You : (PIN ENTERED)
Henry R : The PIN you provided doesn’t match the information I have for your account. Please answer your backup security question: (Next question asked)?
You : XXXX
Henry R : Thanks.Henry R : Brock, please turn off your new device.
You : one secondYou : ok its off
Henry R : Thanks.Henry R : Please turn on your new device.
Henry R : Once the phone is back on, dial 1-888-546-0314 and let me know if it was successful.
You : actually i should probably wait until i get my other ID’s backYou : otherwise they may wipe this one
Henry R : Oh, Okay.Henry R : Brock, I have taken care of the activation for you and our phone should be ready to use once you have setup the phone.
You : one second
Henry R : Sure, Please take your time. Henry R : How is it going?
You : slow You : i need to find out when my gmail account was created
You : im looking for that information
Henry R : Okay. Henry R : Brock, Does it gives you the option to set up your phone as a new phone without entering the email Id?
You : its an iphone so if i set it up then the hackers could wipe it You : if it wipes this phone then i am going to be in a LOT of trouble
Henry R : Brock, I can understand that, however, if the phone is set up without entering your email Id(Apple Id) that was hacked earlier the phone could not be hacked.You : ive already started that process
You : yesterday
Henry R : Okay. Henry R : How do you discovered that your gmail and Apple Id was hacked?
You : i am setting up a new email account
Henry R : Perfect!
You : i started getting messages and SMS that passwords were being reset
Henry R : Okay. Henry R : I am still with you.
You : ok i am here
Henry R : Have you completed setting up a new new account?
You : yes You : i have a new email account
Henry R : Perfect! Are you now able to setup your iPhone?
You : not yet
Henry R : Okay. Henry R : As I understand you are in the process of setting up the iPhone, right?
You : yes
Henry R : Perfect!
You : im on the phone with my identy security company
Henry R : Please let me know once you have completed setting up the phone.
Henry R : Okay.You : ok
Henry R : Brock, We have taken care of the phone activation for you.
You : ok
Henry R : If you face any problem with the services after you setup the phone you can chat with us anytime. Henry R : Thank you! for investing your time on this chat and together we have fixed this for you. Henry R : We take pride in providing the best customer service possible to our customers. I hope you feel valued and served.Henry R : We appreciate you being a customer, and we want to make sure your queries are taken care of. Please advise, if I can do anything else to make your experience better with Sprint.Henry R : Since you?re not available to continue our chat, I am ending our session. I?ll leave a note on your account about our conversation for the next Specialist that helps you.Henry R : You?ll receive a transcript of our chat within a couple of hours at the email address you provided for this session or your sprint.com email address if you signed in prior to chatting.
I couldn’t finish my conversation with Harry. I was on to the next thing.
For future reference, here are some things to keep in mind to further secure your online accounts:
WHAT YOU WILL NEED:
- Recovery Email Account (do not give to humans. Systems only. )
- AUTHY and GOOGLE AUTHENTICATOR (2FA systems/apps)
- Main Email Account (give out on a limited basis)
- Alternative Email Account (give out to Stores)
- Audit Logs, Notifications
Next I had to talk to Coinbase:
10:54am CST – Talking to Coinbase
Once you have secured your accounts, make sure you have 2FA (two factor authentication) set up on each of them. I thought I had done that, but I was wrong.
Between 11:48am CST and 12:30am CST – Done with Coinbase.
Sunday 10:47am CST – Gmail account is recovered. 5,400 emails received and sent. He was using bots and scripts.
Sunday 11:01pm CST Was on the phone with Lifelock and chatting with Sprint.
Facebook had 2FA and the hacker never got in. I was able to keep up some communications over FB Messenger during this attack.
I had 2FA (two-factor authentication) set up on most of my accounts, but once my phone was erased, my Authy app no longer worked.
He used iMessage feature that I had turned on to begin mirroring my phone onto his phone and began texting my contacts. (Including my wife at the time – now ex-wife)
This is an actual screen shot from her phone. The last 2 yellow messages were not sent by me. Employees at the Sprint Phone Store said this was not possible.
(The phone number in the screen shot is the hacked phone number. I would suggest staying away from it.)
Later on I had her grab this screen shot. The last two in yellow were not sent from me or from my actual phone. It was being sent from a phone/device that the hacker had control over and was somehow able to send on my phone line (which Sprint told me can’t be done in which I responded by saying yes it could be.) I now have a new phone number – which has only happened 1x in 10 years.
Luckily for me, my ex-wife hated bitcoin so she didn’t have any nor did she have access to any of my wallets.
I got my gmail account back by following their recovery process and then one day later I lost it again.
11/3 10:40PM CST – I tried setting up 2FA on the APPLE ID:
Also, Microsoft Account (email) does not allow changing of a password under a short period of time.
Due to the secure nature of this, I cannot go into every detail on here.
The next Saturday (Nov. 5, 2016) I was in the Sprint store and I got a new number. I was able to recover my apple ID and I have put further security measures on it to make it even more secure than I already had on it.
Here is what it looks like now when someone would try to sign into my Apple ID account:
Multiple screens on the iphone that prompt you if you or anyone is trying to sign into your account on any device.
Hopefully this wouldn’t appear on the device that the hacker is signing in. If so, your account is compromised and you need to go back to the beginning and work with Apple Support to secure it.
The only reason why Apple Support got me my account back is that I still had an old Apple device laying around. It was an old iPhone 4S and I was able to charge it and get it connected to my WIFI. They sent a 6 digit security code to that device and I was able to prove that I had it in my possession.
As I started to get my accounts back 1 by 1, I noticed something strange.
When I was looking through my iCloud account, I noticed some strange pictures.
It seems that the hacker’s kids were playing with his phone and had managed to upload pictures and 1 video up to my account. Since getting my account back, he has not been able to log back in and delete them.
I found pictures and I also found this video:
So … I’m keeping all of these now as evidence.
Location Picture 1:
Location Picture 2:
Secure your accounts. Double check the security that you have on them. All of them. Look at setting up 2FA and not the SMS type to your phone. The hacker was able to stop my phone from getting text messages and he routed them all to his phone. (that was mirroring mine.) It is a lot better if you take the time now – rather than having to do clean up later.
I wonder if these kids know that their dad is a hacker… I wonder if they realize I am posting their pictures all over the internet?
If it can happen to me and other people within IT, it can happen to anyone. I don’t claim to be an expert in IT security, but I thought I was better protected than I was.
I am writing this in hopes that someone will see this and take Account Security more seriously.
