We’ve seen it before – a major company was hacked, its database was leaked. It often doesn’t affect us beyond a password change, but what if the attack is a little more directed? Say, directly at you personally? Surely, you think, such a thing would never happen to me. I used to think like that too. But everything changed when the fire nation attacked, or well, until it happened to me.

Now, I don’t claim to have a high enough profile that I was targeted directly by name. I was just a convenient idiot. (Hey, if Fortune 100 companies get breached, you can’t blame me for my indiscretions, right?) I’ll walk you through my breach, what I learned from it, and how I plan to stop it from happening again.

It all started from setting up my reverse proxy at my house. As part of this setup, I installed a VNC server so I could access the desktop remotely. I made two mistakes. First, I didn’t set a password for VNC. Stupid, I know, but I figured it would only be accessed over an SSH tunnel and that should be secure enough. But the second and larger mistake I made? I let the setup create a UPnP port mapping on my router (which also changes firewall rules automatically). So you can guess what happened. I had one of my desktop machines open and available to anyone who wanted to connect, footloose and password free. One could also argue that allowing UPnP is, itself, a security risk, but I digress.
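The core mistake above is a service that was meant to be reachable only through an SSH tunnel but was actually listening on every interface, which UPnP then happily exposed to the internet. Here is an added check (my own example, not from the original post) that parses `ss -ltn` output and flags remote-access listeners bound to anything other than loopback; the port list and the sample socket table are constructed assumptions.

```python
import subprocess

# Hypothetical policy for a home box: remote-access services on these ports
# should only ever listen on loopback (VNC displays :0-:9 use 5900-5909).
REMOTE_ACCESS_PORTS = set(range(5900, 5910)) | {3389}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `ss -ltn` output so the check can run offline.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:5900        0.0.0.0:*
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*
LISTEN  0       511     [::]:80             [::]:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")  # handles [::]:80 too
        yield addr.strip("[]"), int(port)


def exposed_remote_access(ss_output):
    """Return (address, port) pairs for remote-access services that are
    reachable from the network instead of only via a loopback-bound tunnel."""
    return [(addr, port) for addr, port in parse_listeners(ss_output)
            if port in REMOTE_ACCESS_PORTS and addr not in LOOPBACK]


def audit_live_host():
    """Run the same check against this host's real socket table (Linux `ss`)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_remote_access(out)


if __name__ == "__main__":
    for addr, port in exposed_remote_access(SAMPLE_SS_OUTPUT):
        print(f"WARNING: port {port} bound to {addr}; "
              f"bind it to 127.0.0.1 and reach it over an SSH tunnel")
```

On the sample table only the passwordless VNC display on 0.0.0.0:5900 is reported; the display on 127.0.0.1:5901 is what the intended SSH-tunnel setup should look like.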

Within days, some enterprising individual found their way into my desktop. They could have messed with the reverse proxy settings, but this person had better goals. You see, they noticed I had Chromium on my desktop, so they opened it up. Here comes another small confession: I’m actually a pretty lazy person. So, I, like a lot of people, have opted to use Google’s Autocomplete. You know, to fill in passwords on websites automagically for you? Well, as it turns out, those passwords aren’t just stored locally in some encrypted fashion. They are stored with your Google Account. Specifically, at https://passwords.google.com. Once there, you can see everything. Every. Single. Password. Ever. From there, they were able to access my PayPal password, and hence, my PayPal account. They were able to process 3 payments before I caught on – thankfully, less than $200 total.

Once I realized what was going on, I sprang into action to stop the attack. Specifically, I shut down that proxy server remotely as I was not at home at the time. Then, I shut down every other machine in my house not knowing if anything else was compromised yet. I also shut down a remote server I run and wiped the SSH settings off my webserver. From there, I changed my Google password and expired every other session that was logged in. I enabled two-factor authentication for Google logins. I changed my PayPal password and enabled two-factor authentication there as well. I changed other important passwords like my bank account information, even without an indication that they were compromised. You can never be sure.

Now, I had received alerts on my phone via the PayPal app, which is what tipped me off to this whole attack. However, I did not have any emailed receipts from PayPal for the illicit purchases. It makes sense, of course. The hacker had access to my email, so he simply deleted them “permanently” from my trash folder, except that I know that isn’t permanent. Google has a nifty Missing Emails Form that you can fill out, and they will restore all your permanently deleted emails from the last 30 days. The form says to give them 24 hours, but I had my emails restored in less than one hour. I found from these emails exactly which sites were used, one of which was my GoDaddy account. A new website domain and hosting had been purchased. I called GoDaddy to report this and they were kind and understanding, cancelling the order and reversing the charges. GoDaddy also has two-factor authentication available, so I set that up too.

I’m still recovering from this attack. I’ve updated most of the important passwords, but I have over 500 listed in Google’s servers, so it’s a long road ahead. As I update them, I’m deleting them from Autocomplete and will no longer use that feature. I’ve been creating long, unique passwords and storing them in KeePass. I changed my KeePass database password as well and made a new key, in case that was compromised. I’ve expired every SSH key I have and started recreating new ones. I also expired my VPN certs. I even killed my remote server and spun up a replacement, since it was time for an upgrade anyway. I killed the UPnP rules in my router and killed remote access for now. The compromised machine that started it all, the reverse proxy, is offline until I reinstall the OS. I’m not taking any chances. I disputed the transactions with PayPal and my bank, and those are still pending. Even if they do reverse the charges, this was a costly mistake. I was complacent, and it got the best of me.

Caveat Utilitor