RSA Conference: Hacking victims speak out on experiences

News by Dan Raywood

Using the same email address for multiple logins can be the weakest link in authentication, and makes you more of a victim if you are hacked.

Speaking at the RSA Conference in San Francisco in a session titled 'We were hacked - here's what you should know', hacking victims Mat Honan, senior writer at Wired, and Matthew Prince, co-founder of Cloudflare, said that hackers had intercepted their personal email accounts. Honan added that using the same email address as a universal login is a single point of failure.

“For anything financial or for important data, you need to use an email address that is not public. I type something now that is not easy to find on Google,” he said.

Both men suffered hacking incidents. Honan was compromised when attackers got hold of his Amazon account to obtain his credit card number, which allowed them to get into his Gmail account and ultimately his devices, wiping content and photos and accessing his Twitter account. Prince was compromised via his stolen social security number and a text phone conversation, which gained the attackers access to his personal Gmail and ultimately the corporate Cloudflare email account.

Prince said that the attackers were able to use a reverse proxy to redirect the 4chan website, a Cloudflare customer, to point to the attackers' Twitter account. “The damage was done and we dealt with the systems that were breached and used it to track them,” he said.

Both were able to get in touch with the attackers, and in both cases they were teenage hackers with political interests or gaming capabilities that Prince said he would have given an internship to had they asked for one. Honan likened the activities to teenage vandalism, which in the 1970s would have involved "hitting post boxes with a baseball bat". He said: “This was to get attention and respect. One kid was really smart and had not had a good life and this was one way to get notoriety and respect, and these people are looking for targets to make them famous.”

Prince agreed, saying that both men were in privileged positions to deal with the incidents immediately, but called for recovery tools to be more obvious so that users can get their accounts back.

He said: “If we hadn't known who to call, this could have been a several-day incident. We reached out to customers and people in our community and while it was an incredibly embarrassing security incident, you need an industry response. You can be a target but often it gets covered up; within an hour we had a blog post up. Not an easy decision as part of me wanted to bury this.”

Honan confirmed that it is "becoming more acceptable to admit a breach and talk about it".

Prince said: “We were asked whether we had lost customers, maybe there was one or two, but the next day we had the most sign-ups and 4chan said they were so sorry to hear about the situation. We need to take this extremely seriously, but being transparent and out there and disclosing as much as possible is really important.

“We called every vendor and asked what additional security procedures they had that we could put in place. AT&T never called, but Google has been great. We added two-factor authentication and now the email address on my business card is not my actual email. It is a little bit of a hassle but you should secure any piece of digital life and ask vendors what are the most onerous steps they can add?

“For an hour I had hackers in my personal email – imagine that. I am surprised that is what bothered me more than anything.”

Honan said that all of the photos of his children were wiped from his computer, and it was 'extremely violating'. “Post-traumatic stress disorder is a little strong, but every time something goes wrong I freak out,” he said.

Honan said that he no longer uses the same login for everything and now backs up regularly, and said that while logging in is a pain, there is no good or bad solution. “We need to look at things other than passwords, in my case the person who got reset was in another country,” he said.

Prince complimented Facebook as "a model of a company doing a good job", but said that he was deeply sceptical of anyone who says they have the solution to this.
