Hacked!

As email, documents, and almost every aspect of our professional and personal lives moves onto the “cloud”—remote servers we rely on to store, guard, and make available all of our data whenever and from wherever we want them, all the time and into eternity—a brush with disaster reminds the author and his wife just how vulnerable those data can be. A trip to the inner fortress of Gmail, where Google developers recovered six years’ worth of hacked and deleted e‑mail, provides specific advice on protecting and backing up data now—and gives a picture both consoling and unsettling of the vulnerabilities we can all expect to face in the future.

At Google I asked Bryant Gehring, of Gmail’s consumer-operations team, how often attacks occur. “Probably in the low thousands,” he said. “Per month?,” I asked. “No, per day,” followed by the reassurance that most were short-lived “hijackings,” used to send spam and phishing messages, and caused little or no damage, unlike our full-out attack. My wife and I, having heard from half a dozen friends who’d recently had similar problems, had innocently imagined that we all were part of some general upsurge in Gmail attacks. In our grandiosity, we thought it was perhaps even aimed at journalists. But according to the experts, while there are more e‑mail attacks worldwide than a year ago, it was mere coincidence that people we knew had been hit around the same time. On average, half a dozen accounts are taken over every two or three minutes, round the clock, including now.

Why are so many accounts so vulnerable? Again we were naive in the assumptions we’d made about our own case. We’d just returned from China, where everything about Internet use in general and Google services in particular is insecure and fraught. Had some malware made its way onto our computers? What about that time my wife entered her Gmail username and password on a public terminal at the airport in Zhuhai? Might it have had a keystroke logger, recording names and passwords for later misuse?

Perhaps it did, but that didn’t seem to be our problem. As in the great majority of hacking cases, my wife had been using the same password for her Gmail account as for some other, less secure sites, where her username was her Gmail address. (Who hasn’t done this?) And one way or another, a list of e‑mail addresses and associated passwords from one of those sites had made its way to hackers. A possible source was the notorious Gawker hack of 2010, when more than a million e‑mail addresses and matching passwords for people who had registered on Gawker sites were stolen. “If you have ever used the same password in more than one place, you have reduced your overall safety record to whichever site had the lowest amount of protection,” Jones told me during my visit. Yet this is an overwhelmingly common practice. An analysis of posted username/password combinations after several recent hacks showed that in two-thirds of the cases, if you knew a user’s password for one site, you knew it for another.

It’s possible, too, that my wife’s password was simply “guessed,” though in a different way from what laymen might assume. Guessing less often involves social engineering—trying your birthday or your hometown or your relatives’ names—than “brute-force attacks,” in which a hacker’s computer tries every word or combination of words in existence, in a variety of languages, to see if it finds a match. From most officials, I heard reminders that if a password can be found in a dictionary, that password is not safe. Andrew Kovacs, communications manager for the Google security staff, added: “And those tricks about changing E’s to threes and O’s to zeros? Sorry to tell you, but the hackers have thought of those too.” Several of the people I spoke with pointed out that brute-force attacks have recently become much more effective, as hackers have taken advantage of the powers of new computer-graphics chips, which can handle certain kinds of computations even more quickly, and with more parallel processes running simultaneously, than a computer’s central processing chip can. These turn out to be exactly the computations needed to test candidate passwords in bulk.

My wife’s password was judged as “strong” when she first chose it for use with Gmail. But it was a combination of two short English words followed by numbers, so if it didn’t leak from some other site, it might just have been guessed in a brute-force attack. For reasons too complex to explain here, even some systems, like Gmail’s, that don’t allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks.
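As an added illustration (not from the article, Google, or any product it mentions), here is a defender-side password checker in Python that applies the two lessons above before a password is accepted: it undoes the "E's to threes, O's to zeros" substitutions that the Google staff say crackers already enumerate, then looks for a dictionary word or the "two short English words followed by numbers" shape of the password in this story. The tiny word list and the 12-character minimum are assumptions for the demo; a real deployment would load a full cracking wordlist.

```python
import re
from itertools import product

# Constructed stand-in for a real cracking wordlist (assumption: a deployment
# would load a large list; these entries exist only to make the demo run).
WORDLIST = {"password", "letmein", "dragon", "monkey", "sunshine", "blue",
            "sky", "apple", "house", "cat", "dog", "love", "secret", "summer"}

# Symbol-for-letter swaps crackers enumerate ("E's to threes, O's to zeros");
# ambiguous symbols map to every letter they commonly replace.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
        "@": "a", "$": "s", "!": "i", "|": "l", "+": "t"}

def unleet_candidates(pw: str, limit: int = 64) -> set[str]:
    """Plain-text spellings a leet-style password could stand for."""
    # Each position keeps its literal character plus any letters it may encode.
    choices = [tuple(dict.fromkeys(ch + LEET.get(ch, ""))) for ch in pw.lower()]
    out = set()
    for combo in product(*choices):
        out.add("".join(combo))
        if len(out) >= limit:           # bound the expansion for long inputs
            break
    return out

def dictionary_hits(pw: str) -> set[str]:
    """Wordlist entries the password is built from, after undoing leet swaps
    and dropping digits/punctuation; empty if none."""
    hits = set()
    for cand in unleet_candidates(pw):
        core = re.sub(r"[^a-z]", "", cand)     # "bluesky2011" -> "bluesky"
        if core in WORDLIST:
            hits.add(core)
            continue
        # Two short words glued together, the shape of the article's password.
        for i in range(1, len(core)):
            a, b = core[:i], core[i:]
            if a in WORDLIST and b in WORDLIST:
                hits.add(a + "+" + b)
    return hits

def assess(pw: str, min_len: int = 12) -> tuple[bool, str]:
    """Accept/reject with a reason; the 12-character floor is an assumption."""
    hits = dictionary_hits(pw)
    if hits:
        return False, "built from dictionary words: " + ", ".join(sorted(hits))
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"
```

Calling `assess("p@ssw0rd")` rejects the password as a disguised dictionary word, and `assess("BlueSky2011")` rejects it as two short words plus digits, even though a naive meter would rate both as mixed-character passwords.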

Once her password got out, it ended up, according to later sleuthing by officials at Google, in the hands of someone possibly in Cote d’Ivoire but probably in Nigeria. My wife and I could again flatter ourselves that we were the objects of Chinese state security, but the probable truth is more mundane—“it’s like being the victims of pickpockets,” as Jay Nancarrow, of the Gmail team, put it. Why Nigeria? All of the people I spoke with had thought about this question—“I think about it every day,” Bryant Gehring said—and no one had a fully convincing answer. Their hypotheses involved some combination of talent, opportunity, and lack of legal controls. “They have the Internet, they can get rich this way, there’s not really a lot of government enforcement,” Gehring said. “For a lot of crafty people, it can be the best way to make a living.” That could apply to a lot of places, but it seems to be most relevant to West Africa.

In “The Chilling Story of Genius in a Land of Chronic Unemployment,” this past May in TechCrunch, Sarah Lacy portrayed a number of the hackers she had met in Lagos. In other circumstances, she said, the best of them might have been like Sergey Brin or Max Levchin, the immigrants who co-founded Google and PayPal, respectively. They were that clever and technically gifted. Or, more modestly, they could have been like the engineers and managers I’ve met over the years at Google, Microsoft, Intel, and other companies, at least half of whom were born and raised overseas. But these hacking entrepreneurs couldn’t get out of Nigeria, and so they dealt with the outside world via “Mugged in Madrid” messages. Shreyas Doshi, a Google senior project manager, said that the company had run analyses to see how much money the scams might produce. “With a variety of assumptions, we believe they could easily make about $500 a day, if not more,” he said; that many people fall for these scams.

The greatest practical fear for my wife and me was that, even if she eventually managed to retrieve her records, so much of our personal and financial data would be in someone else’s presumably hostile hands that we would spend our remaining years looking over our shoulders, wondering how and when something would be put to damaging use. At some point over the past six years, our correspondence would certainly have included every number or code that was important to us—credit-card numbers, bank-account information, medical info, and any other sensitive data you can imagine.

The long siege of identity theft could still happen, and I have put all the credit-card companies on alert. But a few months into our post-hacking life, we’ve seen no indication of trouble, and according to the Google officials, the hacker would depart from past patterns if he began using the data in the way we most feared. “We haven’t had a major incident with credit-card [numbers obtained from scanning Gmail] yet,” Bryant Gehring said. The economics of hacking are constantly changing, so we are still on guard. But security officials at Google and elsewhere said that for talented hackers in Lagos or Abidjan, it is generally safer and more rewarding to collect money at Western Union, which can be done virtually untraceably, as opposed to poring through e‑mail archives in search of data to create identity-theft schemes. Why, then, did the hacker bother to erase all the archives? “Because he—or she—was a good hacker,” Gehring said. “He wanted to make it harder for you to get in touch with all your contacts and warn them not to send money to Madrid. You remember their names but probably not all their e‑mail addresses.” Many e-mail hackings, whether on Gmail or another major system, involve deletion of mail that arrives after the hijacking; only a destructive minority involve a complete zeroing-out of the archives like what happened to my wife.

James Fallows is a national correspondent for The Atlantic and has written for the magazine since the late 1970s. He has reported extensively from outside the United States and once worked as President Carter's chief speechwriter. His latest book is China Airborne. More
