Monday, April 25, 2011

I've been hacked!

I was hacked today (or at least I learned of it today). Early this AM a spam message was sent from my GMail account to all of the contacts in my GMail, which I believe is any address I have ever received an email from. Given all of the mailing lists I am on, this is a decent number of addresses. Since the email was DKIM-verified to come from GMail and it went to all my contacts, I have to assume someone was able to successfully log in to my GMail. I have since changed my password a couple of times and turned on the 2-factor authentication feature. I would highly recommend everyone do this with their Google account if they have not. I also changed my password on every site I can think of, just for good measure.
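The inference above (a DKIM pass for gmail.com means the message really left through Gmail's own servers, whereas a forged From: line would fail or lack DKIM) can be checked mechanically from the Authentication-Results header that the receiving mail server adds. The following Python is an added example and is not code from the original post; the two messages, the receiving server name mx.example.net, the Google selector and the result labels are all constructed for illustration.

```python
import email
import re

# Constructed sample messages for this example (not real mail). The receiving
# server mx.example.net adds the Authentication-Results header after checking
# the DKIM signature and SPF; that header is what the reasoning above rests on.

# 1) Signed by Google's key for gmail.com: the message left through Gmail's own
#    servers, which requires an authenticated session or client on the account.
SIGNED_BY_GMAIL = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@gmail.com header.s=20120113 header.b=abcd1234;
 spf=pass (example.net: domain of victim@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=victim@gmail.com
From: Victim <victim@gmail.com>
To: undisclosed-recipients:;
Subject: check this out

http://example.invalid/
"""

# 2) Same From: line, but injected from some other host: no DKIM signature and
#    SPF fails. That is a spoofed sender, not evidence of a stolen account.
SPOOFED_FROM = """\
Authentication-Results: mx.example.net;
 dkim=none (message not signed);
 spf=fail (example.net: domain of victim@gmail.com does not designate 198.51.100.7 as permitted sender) smtp.mailfrom=victim@gmail.com
From: Victim <victim@gmail.com>
To: undisclosed-recipients:;
Subject: check this out

http://example.invalid/
"""


def parse_auth_results(value):
    """Split an Authentication-Results value (RFC 8601) into
    (authserv_id, [(method, result, {property: value}), ...])."""
    value = ' '.join(value.split())            # unfold continuation lines
    value = re.sub(r'\([^)]*\)', '', value)     # drop CFWS comments
    parts = [p.strip() for p in value.split(';')]
    authserv_id = parts[0].split()[0]           # ignore a trailing version number
    results = []
    for clause in parts[1:]:
        m = re.match(r'(\w+)=(\w+)(.*)', clause)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r'(\w+\.\w+)=(\S+)', rest))
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def signing_domain(props):
    """Domain the DKIM signature was verified against: header.d, or the
    domain part of header.i when only that is reported."""
    if 'header.d' in props:
        return props['header.d'].lower()
    ident = props.get('header.i', '')
    return ident.rsplit('@', 1)[-1].lower() if ident else ''


def assess(raw_message, sender_domain, trusted_authserv):
    """Classify how a message claiming to be from sender_domain got here.

    Returns one of:
      'sent-via-provider'      DKIM passed under the sender's own domain: the
                               provider relayed it, so something authenticated
                               to the account sent it.
      'spoof-likely'           DKIM failed or is absent: the From: was forged;
                               this alone does not indicate a compromise.
      'third-party-signature'  DKIM passed, but for another domain (a list or
                               bulk sender re-signed the message).
      'untrusted-results'      the header was not written by our own MTA, so
                               it could itself be forged.
      'unknown'                no Authentication-Results header at all.
    """
    msg = email.message_from_string(raw_message)
    headers = msg.get_all('Authentication-Results') or []
    if not headers:
        return 'unknown'
    # The topmost header is the one added by the last hop, i.e. our own MTA.
    authserv_id, results = parse_auth_results(headers[0])
    if authserv_id.lower() != trusted_authserv.lower():
        return 'untrusted-results'
    for method, result, props in results:
        if method != 'dkim':
            continue
        if result == 'pass':
            if signing_domain(props) == sender_domain.lower():
                return 'sent-via-provider'
            return 'third-party-signature'
        return 'spoof-likely'
    return 'unknown'


if __name__ == '__main__':
    for label, raw in (('signed by gmail', SIGNED_BY_GMAIL), ('spoofed', SPOOFED_FROM)):
        print(f"{label}: {assess(raw, 'gmail.com', 'mx.example.net')}")
```

Two caveats worth keeping in mind when reading the result. An Authentication-Results header is just text, so a sender can add a fake one upstream; only the header whose authserv-id is your own receiving server (here the constructed mx.example.net) means anything, which is why the function refuses any other. And a DKIM pass for the account's own domain says the mail was relayed by the provider, not how the attacker got in: a web login with the password, a mail client, or an authorised application would all look the same, which is why changing the password and adding a second factor, as the post did, is the right response in every case.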

How did this happen? I have no way to know for certain, but I have a theory. The Sony PlayStation Network has been down for several days now due to some kind of attack. My username for PSN was my GMail account and I was stupid enough to use the same password (or at least they matched last week; I may have recycled back to it). I mainly use the PS3 and PSN for Netflix streaming. I suspect that when the site first went down last week, intruders were intercepting logins and got the username and password. My main reason to doubt this theory is that hacking PSN was seemingly sophisticated, so why would they use the information they stole in such an amateurish way as to send an obvious spam that alerted me to the problem? I have to think they downloaded all my email and information before they did this. I wonder why they did not also change my password, as it seems like they could have done so.

It is fairly disconcerting to wonder what private information, such as credit card numbers, I might have in my GMail archive. For now, I at least think I have safely updated all of my accounts so that the passwords are different on every site.

Update (2011-04-26): Sony has now pretty much confirmed that this all originated with the hack of PSN. See this blog post: Of course, it was still stupid on my part to use my GMail password anywhere outside of GMail.