Password Woes

I just spent hours – and I mean many hours, verging on days – cleaning up my on-line passwords. It all started by receiving an e-mail, threatening to release publicly personal, embarrassing information they had collected from a hacked e-mail account of mine, as well as videos they claim to have taken with the camera built into my computer, via malware software installed on my Mac. They asked for a ransom payment of USD 800 within 48 hours.

First Step

First step: disconnect the Mac from the network, just in case. Second step: think. Is this possible, or even probable? Possible, yes. Even though Macs are not primary targets for malware, a few do exist (maybe a dozen or so known viruses and the like). To show that they have hacked the aforementioned e-mail account, they claimed to have sent the e-mail from my own account. Of course the e-mail’s sender address was my own, but any five-year-old can fake that. So I checked the e-mail’s detailed headers, which show the path the e-mail had taken across the Internet, and – based on my limited knowledge of this topic – it’s possible. Assuming they actually had access to this e-mail account, no big deal, as there wasn’t any important information to find, as I don’t use this account often anymore, and I had moved out all received and sent e-mails to another account a long time ago. And of course, access to the e-mail account only means access to the mail server, not my Mac.
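The header check described above can be scripted. The following is an added example, not part of the original post: it reads only the headers stamped by the recipient's own receiving server, and the host name mx.example.org, the addresses and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; every host name and address is made up for illustration.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.10])
\tby mailstore.example.org with LMTP; Wed, 01 Jan 2020 10:00:03 +0000
Authentication-Results: mx.example.org;
\tspf=fail smtp.mailfrom=example.org; dkim=none; dmarc=fail header.from=example.org
Received: from unknown-host.invalid (unknown [203.0.113.77])
\tby mx.example.org with ESMTP; Wed, 01 Jan 2020 10:00:01 +0000
From: me@example.org
To: me@example.org
Subject: I sent this from your own account

Pay within 48 hours.
"""

HOP = re.compile(r"from\s+\S+\s+\([^)]*\[([^\]]+)\]\)\s+by\s+(\S+)")

def assess_sender(raw, trusted_receiver):
    """Judge a From: address using only headers added by our own mail server."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth, handoff_ip = {}, None
    # Authentication-Results lines from other hosts could be attacker-supplied;
    # our server prepends its own, so the topmost matching line is the real one.
    for value in msg.get_all("Authentication-Results", []):
        authserv_id = (value.split(";", 1)[0].split() or [""])[0].lower()
        if authserv_id == trusted_receiver:
            auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value.lower()))
            break
    # The hop written by our server records the IP that really connected to it;
    # Received lines below that hop are supplied by the sender and prove nothing.
    for value in msg.get_all("Received", []):
        hop = HOP.search(value)
        if hop and hop.group(2).lower() == trusted_receiver:
            handoff_ip = hop.group(1)
            break
    if auth.get("dmarc") == "pass":
        verdict = "From domain authenticated"
    elif auth.get("dmarc") == "fail":
        verdict = "From domain not authenticated (likely forged)"
    else:
        verdict = "inconclusive"  # e.g. the domain publishes no DMARC policy
    return {"from": sender, "auth": auth, "handoff_ip": handoff_ip, "verdict": verdict}

if __name__ == "__main__":
    print(assess_sender(SAMPLE, "mx.example.org"))
```

An "inconclusive" verdict leaves the hand-off IP as the only evidence: compare it with the addresses your mail provider actually sends from.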

However, I scanned the computer for any malware anyway, including booting from my drive with the backup I had made before migrating to the new operating system version a few weeks back. I used several different scanners, and none found anything. So far, so good. To be on the safe side, though, I wiped the hard drive and re-installed macOS, and I now am in the process of re-installing all programs, downloading them anew, i.e. not installing from the backup. I had considered doing this before, when upgrading to the new macOS version, in order to have only the programs installed that I actually use, and to get rid of all the cruft often left behind in the form of preference files and the like, even if you uninstall a program no longer in use. But laziness prevailed. Ayo.

Password Hell

The major issue, however, is the password I had used for said e-mail account. It was, by today’s standards, not a very good one. Of course, I changed it immediately. But the password was of a form which I knew I had used, in different variations, for other on-line services. Ouch. (No, it wasn’t one of these!) Over the past 15 or 20 years, I had registered with many websites, for information download, or forums, or purchases, and I wasn’t always cautious when choosing a password. Guilty as charged. Luckily, I have been using a password manager program all these years, so I could go back and check. Good password managers, such as 1Password,[1] check for duplicates, and can also check if a password was disclosed in one of the many system breaches worldwide, where personal information was obtained by hackers. I have known that some day I would have to clean up this, hm, password mess, accumulated over decades, but I also knew that this would be a major PITA. So I have pushed this work ahead of me. Procrastination. Once I even started a new password database, and for any new registration I would choose a better password, but now I realised that I really needed to go back and clean up the old stuff.

So I consolidated the old and the new password database, and set out to work. Checking every on-line login, and changing all passwords, even on sites that I no longer use. Close to none of the sites offer an option to delete an account; they sit there, unused for years, and are possible targets of attacks. So better have a unique password, just in case. It seems the many hackers out there these days have huge firing power – including using bot-nets of hacked PCs – to probe all kinds of accounts with leaked passwords, which is the most likely explanation for the possible breach of my e-mail account. I am through now with my clean-up, but it was a major pain. Literally hundreds of sites to visit, and interact with. Among them so many really, really bad websites, making my eyes hurt and wrecking my nervous system, a few even still asking to enter a password through an unsecured link, i.e. http:// in lieu of https://!

This experience will scar my mind forever, I am afraid.

Bottom Line

I didn’t pay the ransom. I am sure they would have simply come back and asked for more if I did. And if the hackers have any incriminating information, the payment would probably not have changed anything anyway. It’s a week now since the deadline passed. With today’s technology it’s even possible to fabricate embarrassing videos of any kind, so bad things are still possible. There might be dragons. I reckon I need to ride this one out, see if anything happens, and deal with any fallout.

Anyway, I am through now. I also realised that the time of self-hosted mail servers and the like is over – especially ones that require user interaction – unless you’re deep into this field regarding knowledge and experience. The collaborative nature and openness of the Internet requires so many technical band-aids and correct arcane settings to be somewhat secure. No amateur dabbling anymore. I am in the process of moving all my e-mail accounts to Fastmail, where I can use my own domains, and will probably also move away from using WordPress as a platform for this very site, instead simply use statically generated HTML pages. More about this later.

What a shit week. Ripe with lessons, though.

  1. Good and trusted cross-platform password managers: 1Password, LastPass. I have used them both.