My Gmail and Skype were hacked

My Gmail account terrence.brannon@gmail.com and my Skype ID wealthsystem have been taken from me. How did it happen? Well, a person requested to add me as a friend on Facebook. I noticed he was a friend of my sponsor in a program, so I was happy to accept. As I began to chat with him, he spoke of impressive credentials as a CEO and said he was looking to invest some money.

I immediately thought of a friend of mine who does well investing in cryptocurrencies. I told him about my friend and offered to make a Skype meeting but he declined and tricked me into entering my Gmail password at a phishing site:

And that was the beginning of the end for me. I received an email notification at my primary email address that Google noticed suspicious activity on terrence.brannon@gmail.com – but by the time I went there, the thief had already set up 2-factor authentication on my account. Imagine that – without confirming any personal information (or even a PIN assigned at registration), they let a person in India take over an account which had never been used outside the USA. They didn't even require me to acknowledge that I approved of the new sign-ins.

And once you have someone's email, taking over Skype is easy, because you just go to Skype.com and say you lost your password, and as long as you can receive the email to reset the password, you can change the password without knowing the original password. So then the attacker proceeded to harass my contacts, asking them to send him money.

Lessons Learned

  1. Put a layer of control on your Gmail by buying a domain and only using Gmail through the domain that you own. This way, if a person breaks into the email account, you control the domain that he broke into and can shut down the domain. This is similar to what I do with my cell phone number: my actual number I never give out. Instead I publish the Google Voice number. I recommend Zoho for this purpose – it's free to have 10 users on your own domain! Killer.
  2. Map Skype to a junk email other than your main one. Either that, or map it to an email with 2-factor authentication.
  3. Distrust people you haven't known for a while?
  4. Distrust products you haven't heard of?
  5. Don't enter your password at non-official sites.
  6. If you care about what is in a Gmail account, then put 2-factor auth on it, because they have not really thought out the process of account recovery and it does not do a good job of ensuring that the person changing credentials is the original owner.
  7. Only use products that have a customer service team you can contact by phone or live chat. Gmail is "free" — well, they make a lot of money selling ads to me. So it would be nice if they used some of that profit to hire a support staff.
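The reset weakness described above (whoever can read the reset email can change the password) and the 2-factor lesson, as an added Python example that is not part of the original post and models no real service: a minimal email-token reset flow in the weak form beside a version that also demands the account's TOTP code before the password changes. The accounts, the TOTP secret, the in-memory token store and the timestamps are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct

RESET_TTL_SECONDS = 15 * 60   # reset links expire after 15 minutes
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt):
    """Salted PBKDF2 so the demo store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password, totp_secret):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "totp_secret": totp_secret}


# Constructed demo store: one account without a second factor, one enrolled in TOTP.
DEMO_TOTP_SECRET = base64.b32encode(b"constructed-demo-key").decode()
ACCOUNTS = {
    "user@example.com": make_account("old-password", None),
    "careful@example.com": make_account("old-password", DEMO_TOTP_SECRET),
}
RESET_TOKENS = {}   # sha256(token) -> (email, expires_at); only the hash is stored


def verify_password(email, password):
    acct = ACCOUNTS[email]
    return hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"]))


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as a phone authenticator app computes it."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def request_reset(email, now):
    """Issue a single-use reset token. A real service e-mails it; here it is returned so
    the demo can drive the flow. Unknown addresses get nothing (and no hint)."""
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + RESET_TTL_SECONDS)
    return token


def _consume_token(token, now):
    """Pop the token whether or not it is still valid: every presented token is single-use."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return None
    email, expires_at = entry
    return email if now <= expires_at else None


def _set_password(email, new_password):
    salt = secrets.token_bytes(16)
    ACCOUNTS[email].update(salt=salt, hash=hash_password(new_password, salt))


def weak_reset(token, new_password, now):
    """The flow the post describes: whoever reads the reset e-mail owns the account."""
    email = _consume_token(token, now)
    if email is None:
        return False
    _set_password(email, new_password)
    return True


def hardened_reset(token, new_password, now, totp_code=None):
    """Same link, but an account enrolled in TOTP must also present a current code.
    A wrong or missing code still burns the token, so each guess costs a fresh e-mail."""
    email = _consume_token(token, now)
    if email is None:
        return False
    secret = ACCOUNTS[email]["totp_secret"]
    if secret is not None:
        if totp_code is None or not hmac.compare_digest(totp_code, totp(secret, now)):
            return False
    _set_password(email, new_password)
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    link = request_reset("careful@example.com", now)
    print("mailbox alone:", hardened_reset(link, "attacker-pw", now))        # False
    link = request_reset("careful@example.com", now)
    print("mailbox + TOTP:", hardened_reset(link, "owner-pw", now, totp(DEMO_TOTP_SECRET, now)))  # True
```

The design choices worth copying are the ones the post found missing: the token is random, stored only as a hash, short-lived and single-use, and for an account with a second factor enrolled the mailbox alone is not enough to change the credential.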

Resources

  • Gmail Help Forum – https://productforums.google.com/forum/#!forum/gmail – the top of the forum links to the question "My account may have been accessed by someone else, how do I secure it?" – but unfortunately all you are going to find is that you have to visit the account recovery page and wait 3-5 days before getting a response. A cold, impersonal response by email.

Conclusion

  • Kudos to Facebook. Once I notified them that my account was compromised, I uploaded a driver's license and had control over my account within 2 hours. So much better than Skype or Gmail in this case!
  • Down with Facebook and all non-free software … this is the idea of Richard Stallman, who has real reasons not to use Skype also.
  • It really boils down to who you trust. Erecting a tower around yourself and being fully protected will never work. You have dependencies, and it's just a matter of what dependencies you choose to have. The more autonomous and decentralized and anonymous you are, the less you can depend on others, particularly government and corporations. The more you depend on governments and corporations, the less sovereign you are.