
The Background
Two years ago, I signed up for a free account with www.retailwebsite.com. I used my personal email address, chrispersonal@gmail.com, and Seahawks12 as my password. I don't want to have to remember a bunch of passwords for my online accounts, so I always use Seahawks12 for my password. I heard tech support at my workplace say a password should be more than eight characters and have letters and numbers in it. Go 'Hawks!
The Hack
Two months ago, retailwebsite.com was hacked. An adversary exploited a vulnerability in the company's SQL database and downloaded information on all of retailwebsite's customers onto their personal computer. This customer information contained first name, last name, email address, password, shipping address, phone number, purchased item information, and dollar amounts for each customer's purchase history. The adversary then sold retailwebsite's customer information on the Dark Web to a number of hackers for hundreds of dollars in Bitcoin, a cryptocurrency that is difficult to trace. Retailwebsite.com tech staff first learned of this hack hours after it occurred, and they alerted upper management immediately after discovery, but customers were not quickly informed about the data breach. Risk Management and Information Security advised upper management to wait until the internal investigation was completed before emailing customers about the data breach, and that investigation could take up to six months.
The Lockout
One of the hackers who bought the customer information list off the Dark Web signed into Gmail with my email address and password. Since my retailwebsite.com password was the same as my Gmail password, the hacker was able to gain access to my inbox. Immediately they went into my Gmail account settings and changed the password from "Seahawks12" to something different they created. They also changed the recovery email address to an anonymous email account they have access to, and changed the recovery phone number to an anonymous voice over IP (VoIP) phone they have access to. Within five minutes, I had lost access to my Gmail account and was unable to log in to view my email.
The Discovery
Now that the hacker had control of my email account, they searched my email for "amazon" and other retail websites. They discovered I have an Amazon account, as well as online accounts with WalMart, Target, JCPenney, and Cabela's. Naturally, all these online sites had my same Gmail address and Seahawks12 as the password for credentials. The hacker then signed into my Amazon account and changed the password to something different of their own creation. Confirming the password change was easy to do since they had access to my inbox. The hacker then changed the passwords for the other online sites mentioned above.
The Purchases
Signed into my Amazon account, the hacker bought a few hundred dollars' worth of items using the credit card I had saved with my account, and shipped the items to an Amazon Locker located in a town close to theirs. They then used a burner phone, with the Amazon app signed in to my account, to open the locker containing the purchased goods. On the other online retail sites, the hacker placed an in-store pickup order from their mobile device while sitting in each store's parking lot, paid for it with the credit card saved on my account, picked up the items 15 minutes later in the store with the valid order number, and walked out with the goods.
The Surprise
I rarely check my credit card balance online, so I don't notice this purchase, and many other purchases, until weeks later when my monthly bill arrives. I rarely log in to my bank's website to view checking account activity. I attempt to sign into my Gmail, and many other websites, and keep getting "incorrect password" when I enter Seahawks12 for my password. I call my bank's phone number, enter my account information with the dialpad, and learn that, instead of thousands of dollars, I have $42 remaining in my checking account.
The Message
Obviously, the above series of events is fictional…please do not visit retailwebsite.com and please do not email chrispersonal@gmail.com. You probably will not enjoy the results. I created this allegory to explain why I’m curating this newsletter. I want to avoid the above from happening to me, to you, to your elderly relative, to your teenager, to your special someone, and even to your yoga instructor.
Moving forward, I will be sharing with you everything I have acquired from years of research while fully immersed in the world of online privacy and security. I will be confessing to you all the potholes and oopses I encountered while putting theory into practice. And I will be highlighting what has worked for me. But make no mistake: I do not have all the answers, and what has worked for me may not necessarily work for you or your family.
That being said, I would be honored to have you subscribe to my newsletter and join me on this journey of exploring online anonymity and pseudonymity.
— Chris