Notes

First Drafts, Conversations, Stories in Progress

Getting Hacked: Your Stories
Show Description +

Readers recall moments of crises related to data, identity, and money theft. If you have your own story to share, please send us a note: hello@theatlantic.com.

Show None Newer Notes

A reader recalls her mortifying experience:

My email was hacked years ago. The hacker had been accessing my account for weeks before I found out. The hacker corresponded with a couple of my former male acquaintances and forwarded them nude pictures I had sent to a man I was dating.

Neither of the former acquaintances said a word. In fact, they conversed with the hacker back and forth without my noticing it. The hacker was deleting the emails from the inbox and I rarely checked the sent folder.

One weekend morning, a friend called me to say he was getting strange messages from my email address. He said my account had been compromised that morning. Someone had sent out a mass email from my account with pictures, personal correspondences, and my password with an invitation to everyone to access my account. When I opened my email, I discovered that the person had forwarded the information to not only friends but also family, including my aunt. I was devastated.

Since then, I am leery about using email, and I’m done using it for personal business. Even though I do use two-step verification, I keep my email limited to professional messages and the occasional message to friends or family to give me a call.

I eventually learned the identity of the hacker: A male friend’s girlfriend had her friend hack my email because she mistakenly thought we were more than friends.

If you had a similar experience you’d like to share, please send us a note: hello@theatlantic.com.

“Here I was on a ship in the Persian Gulf, with very little connection to the outside world, and someone was running wild with my money back stateside.” That reader continues his long story below—but first, here are a few short anecdotes from readers. Stephanie writes:

Have I ever been hacked? Sure, lots of times. I had my identity stolen several times when I lived in California, even before the internet was a thing. One of those thieves opened credit accounts and went bankrupt, which made for a real mess when I tried to get my first credit card. About once a year, I have to close a credit account because of fraud. Usually, I am notified by the issuing card company of suspicious activity.

My father lost his life savings in several accounts when thieves stole his debit card and checks. One of my email accounts has been hacked. My Facebook page has been hacked. So yeah, I’ve had experience with this.

So has this reader:

Who hasn’t been hacked? I’ve had my checking account compromised in a major way six times in eight years and many smaller breaches, but I’ll just tell you about nos. 2 and 3.

The Atlantic

Suffering a data breach is like discovering that someone rummaged through your bag when you weren’t looking. It’s a jarring invasion of privacy, whether the information stolen is as impersonal as a Social Security number or as intimate as years of emails, texts, and pics. For years, The Atlantic has been covering cyberattacks that target individuals, companies, and even the U.S. government—and the ways those intrusions affect personal, financial, and national security. We’ve compiled some of our best coverage in a new landing page, “The Atlantic Revisited: Navigating the End of Privacy,” and below are brief descriptions of those 18 pieces from our archives.

Everything Is Hackable ...

  • The U.S. presidential election captured the interest of leaders the world over—even inspiring some to try and influence the outcome. The U.S. Intelligence Community accused Russia of trying to manipulate the outcome of the election, but experts are divided on whether the digital interference is just a 21st-century version of politics as usual, or if it represents an unprecedented level of meddling in U.S. domestic affairs. (“What the DNC Hack Could Mean for Democracy,” Uri Friedman, August 2016)
  • For millions of people in the U.S., the internet went down for hours one Friday in October. The culprit: A botnet made up of poorly secured DVRs and webcams. Someone had commandeered hundreds of thousands of the internet-connected devices, turning them into pawns in a coordinated attack against a critical piece of the internet’s infrastructure. (“How a Bunch of Hacked DVR Machines Took Down Twitter and Reddit,” Robinson Meyer, October 2016)
  • When the Office of Personnel Management was hacked last year, more than 22 million people had their sensitive personal information—including Social Security numbers, addresses, and, in some cases, even fingerprints—stolen. When the victims got letters in the mail saying their information was taken, they had to reckon with the new risk of identity theft, and take action to protect themselves. (“Your Data Is Compromised. (Yes, Yours.) What Now?,” Kaveh Waddell, July 2015)
  • An online tool offered by the Internal Revenue Service allows taxpayers to easily check their tax history, but for a while, it didn’t do a good job of verifying users’ identities. Hackers used personal information gleaned from other data breaches to trick the tool into divulging people’s tax documents, which helped them file around $50 million in fraudulent tax returns. The breach was initially estimated to affect about 115,000 people, but after further investigations, the government realized that the victims numbered nearly 725,000. (“The IRS Hack Was Twice as Bad as We Thought,” Kaveh Waddell, February 2016)
  • Executives and employees at Sony Pictures woke up one day in 2014 to find their dirty laundry posted online—and indexed for easy searching—after a group calling itself the “Guardians of Peace” stole a trove of emails, salary information, and other sensitive data from the entertainment company. The FBI pointed fingers at North Korea, but security experts questioned whether it was possible to know exactly who was behind the cyberattack. (“We Still Don’t Know Who Hacked Sony,” Bruce Schneier, January 2015)
  • When Ashley Madison, a website that helps adults find extramarital affairs, was hacked, it was more than just mortifying for the millions of outed users. It was an introduction to “organizational doxing,” the practice of stealing enormous amounts of data from a company or government agency and publishing it online, heedless of the collateral damage it will cause. (“The Meanest Email You Ever Wrote, Searchable on the Internet,” Bruce Schneier, September 2015)
  • A hospital in Los Angeles switched to paper records and started turning patients away after its computer systems were infected with a virus that locked up vital data—and demanded a $3.6 million ransom to return it. (“A Hospital Paralyzed by Hackers,” Kaveh Waddell, February 2016)
  • Nude photos of female celebrities ricocheted across the internet after they were stolen from the celebs’ iCloud accounts and released online. But despite years of attempts to pass legislation that would slap special penalties on people distributing explicit images of people without their consent—a practice also known as “revenge porn”—only a few states actually have such laws on the books. (“Why Congress Won’t Help Jennifer Lawrence,” Lucia Graves, September 2014)
  • When Deb Fallows found her Gmail account acting funny one day, it wasn’t just a temporary bug: A hacker had gotten into her account and sent fake distress calls to all her closest email contacts, asking for money. In the following days, Deb and her husband, Jim, went on a hunt to regain control of the account, recover years of lost emails, and figure out just what had happened. (“Hacked!,” James Fallows, November 2011)
  • How long would it take a fake smart toaster, sitting alone in the massive sea of internet-connected devices, to get hacked? Andrew McGill dressed up a rented server to act like a web-connected toaster to see if any hackers would bite—and  watched as the next 12 hours brought more than 300 attempts to take over the fake toaster. (“The Inevitability of Being Hacked,” Andrew McGill, October 2016)
  • Use a wireless keyboard at work or at home? Security researchers have found that many low-end models don’t use industry-standard security practices, instead transmitting between keyboard and computer with weak encryption—or no encryption at all. With the right tools, a hacker can spy on every email, password, and credit-card number being typed on a vulnerable keyboard nearby. (“Hackers Can Spy on Wireless Keyboards From Hundreds of Feet Away,” Kaveh Waddell, July 2016)

Have you ever been hacked? Were you, for example, one of the 22 million people caught up in the OPM breach? Have you had your email account compromised like Deb’s? Have your photos or other sensitive files been stolen? We would like to hear from you. Please send us a note about the experience to hello@theatlantic.com and we will aim to post it here in Notes (anonymously, if you prefer).

… So, How Do We Defend Ourselves From the Hacker Onslaught? Here are several pieces that approach that question:

  • A team of 600 Homeland Security Department employees (and 400 contractors) works with private companies to secure infrastructure and public utilities around the country, from major-league ballparks to water plants to banks. They prepare for attacks that might be delivered by a suicide bomber driving a truck—or quietly over the internet. (“Meet the People Who Protect America’s Critical Infrastructure, Steven Brill, August 2016)
  • China’s cyber army is one of the top two or three online threats to the U.S., experts say. But the best way to contain the danger may be to work with, rather than isolate, China’s leaders. (“Cyber Warriors,” James Fallows, March 2010)
  • The two groups most dedicated to keeping the internet safe are sequestered on opposite coasts: the government’s suited and military-uniformed policy wonks in Washington, and hoodie-clad hackers up and down the West Coast. Getting them to work together is crucial, but it isn’t always easy. (“Suits and Hoodies: The Two Cybersecurity Cultures,” Justin Lynch, February 2015)
  • One afternoon in late October, teams of college-age hackers assembled in a room in Washington, D.C., and assailed a model water-treatment plant with cyberattacks, quickly bringing it to a screeching halt. Recruiters from Uber, Northrop Grumman, and the federal government flitted from table to table, eager to snap up young talent to help secure their own systems against attacks. (“Inside a Hacking Competition to Take Down a Water-Treatment Plant,” Kaveh Waddell, October 2016)
  • Skilled “white-hat” hackers—security researchers who use their computer skills to protect organizations from online threats—are always in short supply. But to keep them from being lured into illegal hacking, companies may have to be willing to pay out bigger salaries and “bounties.” (“When Ethical Hacking Can’t Compete,” Donna Lu, December 2015)
  • Apple’s standoff with the FBI over a locked smartphone that belonged to one of the San Bernardino shooters showed off the quality of the iPhone’s security safeguards. Most phones on the market wouldn’t have stood up to the federal government’s attempts to hack them. (“Encryption Is a Luxury,” Kaveh Waddell, March 2016)
  • Trump does little to hide his disdain for journalists—or his desire to sue them when he disagrees with what they write. It’s more important than ever for reporters and activists to protect their data and communication from prying eyes, but these tips—which touch on encrypted messaging, managing passwords, and browsing the internet anonymously—are just as relevant for our average reader. (“How Can Journalists Protect Themselves During a Trump Administration?,” Kaveh Waddell, November 2016)

In that last piece, I sketched out some ways you can protect yourself and your data from the prying eyes of hackers:

Signal, a smartphone app, is the medium of choice for privacy-conscious communicators, and is probably the easiest way to call or text securely. Encrypting email using PGP is also an option, but it’s far more cumbersome.

It’s also important to make up complex passwords—and never to reuse a username and password combination for more than one site. Password managers like 1Password, LastPass, and Dashlane can create a different randomized password for every website, and remember them all so that you don’t have to.

Turning on two-factor authentication on every service that supports it—Google, Slack, Dropbox, Amazon, etc.—makes it much harder for hackers to get into your accounts, by requiring you to approve every login with a mobile device. And for those who need to browse the internet securely, a properly configured Tor browser allows users to poke around the web anonymously.

Do you have any additional tips for how to keep your data safe? Please send us a note: hello@theatlantic.com.

A reader responds to that disquieting question:

I’m no computer expert, but I’ve read that a risk of using an unencrypted router for your home WiFi exposes you to someone parking outside your house (or in the next apartment) and poaching your WiFi to access and download material for their own purposes, such as child-porn, which could be traceable to passing through your system.

Indeed, there’s this cautionary tale: “Innocent Man Accused Of Child Pornography After Neighbor Pirates His WiFi.” There’s this quick guide from PC Mag to help protect you from the same fate. Another reader adds, “There was this case in England in 2003”:

Last October, local police knocked on his door, searched his home and seized his computer. They found no sign of pornography in his home but discovered 172 images of child pornography on the computer’s hard drive. They arrested Mr. Green.

This month, Mr. Green was acquitted in Exeter Crown Court after arguing that the material had been gathered without his knowledge by a rogue program created by hackers—a so-called Trojan horse—that had infected his PC, probably during innocent Internet surfing. Mr. Green, 45, is one of the first people to use this defense successfully.

As for the question of “receiving” illegal images, I am reminded of the 1967 action of the Yippies, mailing joints to 3,000 randomly chosen strangers, with a letter pointing out that receiving drugs was a federal crime, and they might as well smoke it.

Earlier this week on The Atlantic, security expert Bruce Schneier took stock of our collective anxieties in the wake of the Ashley Madison hack. Is our online activity ever really private? A reader takes that worry a step further:

In a non-material realm where all data can be fabricated and easily transferred, what’s to prevent hackers from framing people?

The example I keep returning to is Internet child porn. In the case of criminal offenses like that, the presumption of innocence tends to get hindered from the outset by the severity of the charge. The mere accusation is enough to put someone under a cloud of suspicion, or to impeach their credibility. And it seems to me that anyone who can hack a computer network can also compromise someone's home computer to plant files on it.