I Was Hacked This Weekend – Stonemaier Games

I Was Hacked This Weekend

On Saturday my personal email account was hacked, and I quickly realized how much this impacted Stonemaier Games. The shock of this experience hasn’t worn off, but I want to share what happened so you can prevent this type of situation for yourself.

Feel free to jump around in this post to the content that is most useful for you. The full story is a bit long, so here’s the truncated version:

  1. A hacker (or hackbot) gained access to my personal Google account through my computer, where I’m always logged into this account. Two-factor authentication didn’t help; within minutes they changed my password, phone number, and recovery options. I lost access to my personal email, many Google Sheets, and our YouTube channel.
  2. The hacker’s primary target appeared to be the YouTube channel. They changed all 1600 of my videos there to “private”, added some cryptocurrency videos, and linked to a bunch of other unrelated videos on the landing page.
  3. Through a monumental effort from many people in the Stonemaier Games community, 9 hours later Google and YouTube kicked out the hacker and restored my access to the account.

That’s the really short version. I think I can best share the full story as a video, which hopefully will remain here (YouTube was confused by all the reports it received about the channel on Saturday and, despite restoring my access on Saturday night, proceeded to shut down the channel on Sunday evening. It’s back up now).

Prevention and Security

  • Don’t download and install anything that someone emails you (friend or stranger). I thought I was clever enough to identify this type of trap, as I’ve avoided hundreds of emails with suspicious links. But all it took was one to slip past my guard.
  • Add 2-factor authentication to everything, especially financials and any account you use every day. It might be a little annoying to get a text or check your authentication app every time you log in to a sensitive account, but it’s worth the extra step.
  • Check your account recovery settings, especially on your Google (or equivalent) accounts, and have several of them in place (not just your phone number).
  • Make sure that someone else has access to every cloud-based document you own so they can make a copy if you lose access to it.
  • Have a second email address so there’s some way to contact or be contacted if your primary email fails. If possible, add this email address to relevant accounts so you have another way in if you lose access to your primary email.
  • Use your company email address for everything related to your company. I know this may seem obvious, but if you’re like me, it’s a lot easier to click “sign in via Google” or “sign in via Facebook” than to type in your work email and create a new password. I literally spent 9 hours on Saturday discovering every account and cloud-based document tied to my personal email.

Steps to Take If You’re Hacked

  • Act quickly. When I imagine hacks like this happening, it’s all automated and over within a matter of minutes. But at least with Saturday’s hack, because they focused on YouTube instead of other accounts, the speed with which I changed passwords and secured those accounts actually seemed to matter. I started with financials, social media, and Shopify, updating emails, passwords, and adding layers of security. I then went through all other accounts I use regularly.
  • Report the hack. For Google, if you’re trying to access your account and nothing is working, it will ask you to submit a form to start the restore process. For YouTube, follow these instructions and also tweet @TeamYouTube. I reached out to the Stonemaier Games community on Discord to see if they could help; they were amazing to report the YouTube videos and find connections with Google/YouTube. I also reached out to my coworkers, accountant, and financial advisors to inform them of the hack (the very first thing I did was contact our web developer, as I wanted to make sure the hack didn’t impact Stonemaier Games).
  • Scan, restore, and refresh. I scanned my computer with both Windows Defender and Malwarebytes, then I restored my computer to the day before the hack. I also completely refreshed Chrome.
  • Find other ways to access important cloud documents. One of the worst moments of the day was when I realized that I had lost access to Google Docs that I’ve spent years crafting and populating. After a brief panic attack, I realized that at least one other person had access to most of these documents, so I asked people to give access to my work account and/or make a copy of the documents.
  • Post-recovery. After I regained access to the account, after changing passwords and adding recovery options, I went through the settings to make sure the hacker hadn’t left any forwarding addresses or back-door access. Sure enough, there was an unknown email address listed as an account manager on the YouTube account. The YouTube account required quite a few revisions, as the hacker had added some content and changed all of my videos to private (I deleted the content they added, removed the links they added, bulk changed all of my videos to public, then had to adjust a few videos back to private).

I must admit that the whole day (and weekend) are a bit of a blur, so I’m probably missing some important steps. Please mention additional recommendations or your experiences in the comments.

Overall, as fortunate as I am that the hack was limited to 9 hours and that so many people were supportive in a dire time, the experience was incredibly invasive and violating. Rather than feeling like something that happened, it feels like something that is still happening. I hope this never happens to you, and this gives me a new level of empathy for anyone with any type of trauma.

Related videos from other creators who were hacked:

36 Comments on “I Was Hacked This Weekend”

  1. I can only imagine the trauma of this. IT security sucks in a huge way; the best we have for account security is FIDO2 (YubiKey and similar), and even that isn’t proof against a determined attacker.

    I second the 1Password recommendations; also, make sure that your recovery options are well secured, as weak verification questions will become a back door into your account.

    Frankly, I’m only half joking when I say that we should go back to the days of the Apple II…

  2. I’d also suggest using a different password for every single account. I highly recommend 1Password for Teams (or Families for individuals who are not running a business) which allows you to issue an account to every employee and you can control and share passwords between team members. And they can in turn have a private vault to use for personal passwords as well. They have a “Watchtower” service that lets you know when a site is compromised so you can change your password. And when every site has a unique password, that means you only have to change one when a site is compromised. While this may or may not have helped in your specific situation, it does help with many ways hackers can get you. (1Password is the only company I’d personally recommend or use. Others are not as secure and have been hacked themselves.) 1Password also supports 2-Factor codes (like google authenticator) and auto-fills for you, and works on phone/computer and Mac/PC.

    1. Thank you so much for the recommendation and for describing what 1Password is and how it works. I’ll look into it!

    2. I completely agree and highly recommend 1Password! Very trustworthy company and great app. Have been using it for years.

  3. So sorry this happened. A similar thing happened to the Major League Wiffleball YouTube channel a few weeks ago and they talked about how scary it was for them on their Podcast. They fell for what seemed like a legitimate sponsorship agreement and suddenly one bad link and everything was changed within minutes. Luckily they were able to recover everything but they talked about how stressed they were as well. Just goes to show how careful we have to be nowadays, they’re becoming harder and harder to detect. Glad you were able to recover everything and thanks for the tips!

  4. I’m so sorry this happened to you, Jamey. Thanks for the helpful tips. I already use LastPass. Your post (along with an email from my local computer repair shop about “The Mother of All Breaches”, link below) has inspired me to do a password overhaul for all my key accounts soon.

    https://truefort.com/mother-of-all-breaches/

  5. You may have been tricked by a spoofed file extension on an email attachment. There are a handful of dangerous filetypes, not just exe files.

    Make sure you have Windows set to show filenames.

    Even then, hackers will put a right-to-left reading override in the middle of a filename so it looks like you may be opening a document or picture, but the end of the filename is reversed so important_documentab.pdf could actually be an executable file.

    https://www.malwarebytes.com/blog/news/2016/09/lesser-known-tricks-of-spoofing-extensions/amp

    https://www.howtogeek.com/127154/how-hackers-can-disguise-malicious-programs-with-fake-file-extensions/
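The filename trick described in the comment above, shown as an added defensive check (example code, not from the post or from Stonemaier Games): it reports the extension the operating system will actually use, approximates how a right-to-left override changes what the name looks like, and flags double extensions. The executable and document extension lists are constructed for illustration and are not exhaustive.

```python
import unicodedata

# Bidirectional-control code points that change how a name is *displayed*
# without changing the stored string the OS uses to pick the extension.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
RLO, PDF = "\u202e", "\u202c"  # right-to-left override, pop directional formatting

# Constructed lists for illustration, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png"}


def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: text after an RLO is drawn
    reversed until a PDF character or the end of the string; other bidi
    controls are simply invisible."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if name[i] not in BIDI_CONTROLS:
                out.append(name[i])
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Report the extension the OS really uses and why the name looks spoofed."""
    true_ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    reasons = []
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    if controls:
        reasons.append("contains bidi control: " + ", ".join(controls))
    shown = displayed_name(name)
    if shown != name:
        reasons.append(f"displays as {shown!r} but is stored as {name!r}")
    parts = name.lower().split(".")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and true_ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension: looks like .{parts[-2]}, runs as .{true_ext}")
    if true_ext in EXECUTABLE_EXTS:
        reasons.append(f"the OS treats .{true_ext} as an executable")
    return {"true_extension": true_ext, "displayed": shown,
            "suspicious": bool(reasons), "reasons": reasons}
```

Windows hides known extensions by default, so "invoice.pdf.exe" is shown as "invoice.pdf"; the check above looks at the stored name, which is what the OS executes.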

  6. I’m really sorry to hear this Jamey and I am glad to hear it didn’t take too long to get everything back given the circumstance.

    On the Google Docs side of things, if you don’t already have it setup then I would suggest looking into running Google Drive. With Google Drive you can set it to download your Google documents to your PC automatically which will keep a local copy on your computer. This would give you a local backup if you ever lose access again and also allows you to then back them up to another source if you wish to.

  7. Sorry to hear this. The hack is copying all session tokens from your browser so they can bypass the login screens on the sites that the session is valid for. Google needs to lock its sessions to a list of IPs (not sure how on mobile). Cloud storage is not backup, always backup your google drive/email. A YouTube account needs to have high number of views to enable live streaming, so they want to just stream scam people (Tesla/SpaceX live streams are plagued with this.) At least they are nice in hiding videos rather than deleting them.

    1. Do you have a recommendation for backing up Google Drive (for docs/sheets/etc)? My email is backed up in two places (Outlook and Backblaze).

  8. My FB account was hacked and Facebook automatically disabled my account. I had to pay for Instagram verification JUST to be able to talk to a support about my disabled account. This is on a business account that has paid Meta thousands of dollars in ad money. Absolutely ridiculous.

    I even had 2FA on my account with Google Authenticator. How these hackers gain access to accounts, I have no idea…

    1. I’m so sorry to hear that, Wonmin. After that experience, did you find any way to secure it even more?

      1. No unfortunately, I changed my passwords, got a new credit card, but Facebook support has been incredibly difficult to work with and has been incredibly unresponsive in reversing the fraudulent charges. I had to go through AMEX and my bank to get the charges reversed.

        Stay (digitally) safe out there!!

  9. I’m so sorry this happened, and I’m so glad you were able to recover with minimal long-term damage (hopefully).

    For separating out your work and personal emails, one other recommendation I would make is to create separate Chrome profiles for work and personal. This essentially allows you to run two separate Chrome browsers that don’t talk to each other at all. Then you can log into your work email on your work profile and your personal email on your personal profile, and your personal email will never be used by default for something work related so long as you’re doing it in the work profile. I’ve been doing this for years and it has saved me a lot of headache and helped me keep a really strong line between work and personal.

    1. Thanks for that recommendation! I actually don’t use Chrome for email (I use Outlook), but I still see the value of having two separate Chrome browsers (I currently have 2 profiles but just use one browser).

  10. Sorry to hear! If you haven’t stumbled across “Google Advanced Protection Program” yet, I’d highly recommend turning that on. Get two hardware YubiKey 2FA tokens with NFC (one for backup in your physical safe). I’d do the same for iCloud (set up hardware 2FA). A bit of an annoyance, but the highest level of security you can get.

    Google Advanced Protection Program: https://landing.google.com/advancedprotection/

    Apple iCloud: https://support.yubico.com/hc/en-us/articles/7449189070620-Protecting-Apple-iCloud-with-YubiKeys

  11. My view of humanity continues to sink deeper into the muck and the mire.

    The people responsible for crap like this need to be held accountable. But they never seem to be.

    1. Fortunately I don’t think the hackers are representative of most humans. I wish they could be held accountable, but I highly doubt anyone could track them down.

  12. As an IT professional, here’s a couple more tips:

    1. Check the domain name (the part of the email address after the @ sign). Google now requires senders to authenticate with either SPF or DKIM, so it’s a lot harder to spoof a domain name. Remember that the Display Name (the friendly name that shows up) can be set to anything and is not a reliable test of authenticity. This is how most spammers send emails.

    2. Use best practice backup policies, such as the 3-2-1 rule. This entails having 3 copies of your data, stored on two different types of media, with one copy kept off-site. There are inexpensive automated tools that can do this for you.

    Sorry this happened to you.

    1. This is great advice! I currently use Backblaze, and I need to look into their email backup services.
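The two checks from the IT professional’s comment above, as an added example (not code from the post or from Stonemaier Games): separate the display name from the real address domain, and read the SPF/DKIM verdicts that your own receiving mail server recorded. The sample message, the brand-to-domain map and all domain names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims to be YouTube, but the address
# domain is unrelated and the receiving server recorded SPF/DKIM failures.
SAMPLE_RAW = """\
From: "YouTube Creator Support" <partnerships@example-sponsor.invalid>
To: creator@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-sponsor.invalid; dkim=none
Subject: Sponsorship agreement attached

Please review the attached agreement.
"""

# Brand word that may appear in a display name -> domain that brand really
# sends from (constructed map; extend it for the senders you deal with).
TRUSTED_BRANDS = {"youtube": "youtube.com", "google": "google.com"}


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    Only trust this header when your own server adds it and strips any copy
    that arrived with the message, since a sender can forge one too."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for token in header.replace(";", " ").split():
            key, _, value = token.partition("=")
            if key in ("spf", "dkim", "dmarc"):
                verdicts[key] = value.lower()
    return verdicts


def check_sender(raw: str) -> dict:
    """Flag a From header whose friendly name names a brand the address
    domain doesn't belong to, and messages that failed both SPF and DKIM."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, real in TRUSTED_BRANDS.items():
        if brand in display.lower() and domain != real and not domain.endswith("." + real):
            findings.append(f"display name mentions {brand!r} but address domain is {domain!r}")
    auth = auth_results(msg)
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append(f"neither SPF nor DKIM passed: {auth or 'no Authentication-Results header'}")
    return {"display_name": display, "domain": domain, "auth": auth, "findings": findings}
```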

  13. It’s also recommended to use a password manager that is not the browser (such as 1password or dashlane). It will allow you to have different strong passwords for each website.

  14. This happens far too often, from individuals right up to Fortune 500 companies. I’m sorry that it happened to you. You’ll probably get a ton of advice, but one thing that might help going forward is a company wide password manager (like Dashlane). You can assign people access to various website access, and they will never actually know the password. I’ve been in the IT biz since the mid-90s and have an old-school approach to dealing with IT infrastructure (not trusting things to the “cloud”). I hope you are able to bring in someone who can help you lock down your business and properly structure access to the various resources you use. The feeling will be like a break-in at your home. We had it happen once and we ended up moving (just a rental at that point, so easy to do). I’ve also helped a new client after their system was encrypted. It was a lot of work and is still something I worry about for my clients today.

    1. That’s exactly the feeling I’ve had since Saturday morning. I appreciate the recommendation about Dashlane and beyond!

  15. Thanks for sharing! I wonder if it was easier for you to regain access since you are a “public figure”. Otherwise, how would Google know that you are the real Jamey while trying to recover the account?

    I don’t use Google sheets, all my spreadsheets are via Office and on my hard drive, but you always need backups, and backups of those backups!

    It is suggested to have 3 copies of everything: the original, a local backup, and a cloud backup.

    1. I think Google is able to see the changes made to the account and simply revert them (without me needing to prove anything). That way, even if it was me who made the changes, I could regain access via the previous password and settings. I’m not exactly sure what is required for their verification, though.

      I used Backblaze for file backups (files on my computer), but the hack did not impact them as far as I know.

  16. Thank you for documenting this so thoroughly. It’s really important for other impacted people to realise they are not alone, and that there are always solutions to be found.

    Also, I hope this information reaches as many people as possible as PREVENTION rather than as a remedy when it happens.

    Glad you’re back! :-)
