Getting Hacked, Lessons Learned

I read Cody Brown’s blog post about getting hacked on Thursday of last week. I feel very badly for Cody and plan to send him some BTC once I get access back to my account. His post helped me avoid his fate.

I woke up Friday morning (Central European Summer Time) and saw a bunch of emails in my inbox suggesting that suspicious activities were happening in my personal Gmail account, my mobile phone account, and my two-factor service.

I immediately thought “that’s the same attack pattern that Cody wrote about” and I was able to get to Coinbase and have them lock down my account immediately. The good news is nothing appears to have been taken from my Coinbase account, although I don’t currently have access to it right now and thankfully nobody else does either.

Without getting into the specifics, I would like to tell everyone five things I learned from this awful experience:

  1. Call your cell phone provider and put a “do not port under any circumstances” hold on your phone number. I did this about six months ago and I think it may have saved me. It is way too easy to port a phone number, and once a hacker has your number, they have access to two-factor codes coming via SMS.
  2. Put two-factor on everything you can. I did not have it on my old and dormant Gmail account, which is partially why it was vulnerable. Obviously I have it on there now.
  3. Check your password recovery settings on all of your accounts (even old and dormant email accounts) and make sure they are secure accounts: locked-down phone numbers (#1) and secure email accounts (#2). Once a hacker has access to one of your old email accounts, they can impersonate you digitally.
  4. Use Google Authenticator for two-factor on your phone. I have used SMS and Authy in the past and my research yesterday suggests that Google’s Authenticator is the most secure of the two-factor options out there right now.
  5. I keep almost all of my Bitcoin in Coinbase’s vault service, which requires 48 hours and multiple approvals to make a withdrawal. If the hacker had gotten into my Coinbase account, they would have been able to take my Ethereum and a small amount of Bitcoin, but not most of it. I believe Coinbase should evolve their vault offering to handle all of the crypto assets they support, or possibly make the two-day withdrawal/multi-sig feature available to all of their wallet offerings.

I am still a bit shaken up from the experience and a fair bit more paranoid from it. Which is a good thing, I’m sure.

I hope my sharing this with all of you helps you make your online life a bit more secure because there are a lot of bad people out there working hard to hack into your accounts and do bad things.