I’ve done alright out of crypto this year but I’m no whale and that hurt. My friend was in pretty serious trouble too —

The hacker later indicated that he had an old password of mine and my US phone number. Presumably he acquired the password through a broker who purchased them from a security consultant. Stupidly, the phone number was on my Facebook profile.

This prompted a rapid personal security audit which turned up two serious holes: the compromised password was still in use on my Twitter account, and the phone number was attached to an email account which was set as the recovery account for my main personal email.

Realizing that I might have other security holes I hurriedly sent out a mass email, forgetting to BCC.

Sorry Guys. Thanks for the support. No need to keep emailing.

Within hours, all of hackee’s accounts were locked, including his exchange accounts. What I could get to in a timely fashion was re-secured or disabled by administrators. Thankfully, as of this writing it looks like I was the only person to lose any money. Fantastic... Lessons?

Keep track of your accounts and don’t re-use old passwords. Ever. If one is compromised you are going to be scrambling around trying to make sure no one is using some long-forgotten messaging app or forum account to impersonate you. Using old, insecure passwords for unimportant accounts puts other people at risk, not just you.

The way you think of an account does not map to how a hacker will. As in this case, an account you set up to try out a new service will have your name attached to it and likely some contacts, creating a powerful tool of impersonation. It may also disclose messaging history which can build up a profile of your mode of speech and history of interaction with other people. It’s not all about getting into your wallet.

Don’t mix security domains. By linking your phone number to any account, however trivial its intended use, you are mixing the world of custodians, liability, and insurance with the unforgiving digital Wild West. A phone number is not just contact information: once it is attached to an account it becomes a recovery channel, so whoever controls the number (or can talk the carrier into handing it over) can reset everything chained behind it. The two worlds were not built to work together and should be compartmentalized.
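The audit above found two holes (a reused old password and a phone number tied to the recovery mailbox) that chained together into the main email and from there into the exchange. The script below is an added example, not the author's own tooling: it models a personal account inventory as "what unlocks what" and computes which accounts an attacker holding a given set of leaked material can take over, then re-runs the calculation after the two fixes from the lessons above. The account names, credentials and recovery relationships are constructed to mirror the incident described in the post and are assumptions, not the author's real setup.

```python
"""Recovery-chain audit: which accounts fall to an attacker holding a leaked credential?

Added example for this post (not the author's code). The inventory below is constructed
to mirror the incident: an old reused password plus a phone number that could reset the
recovery mailbox.
"""
from typing import Dict, FrozenSet, List, Set

# Each account maps to a list of alternative unlock paths. Every requirement inside a
# path must be held at once (AND); any single path suffices (OR). Requirements are
# 'password:<id>', 'phone:<id>', 'hwtoken:<id>' or control of another account,
# written 'account:<name>'.
Inventory = Dict[str, List[FrozenSet[str]]]

INVENTORY: Inventory = {
    # Twitter still used the old leaked password (first hole found in the audit).
    "twitter": [frozenset({"password:old-2014"})],
    # A long-forgotten forum registered with the same password.
    "old-forum": [frozenset({"password:old-2014"})],
    # The recovery mailbox could be reset by SMS to the phone number (second hole).
    "recovery-email": [frozenset({"phone:us-mobile"})],
    # The main mailbox has its own strong password, but lists recovery-email for resets.
    "main-email": [frozenset({"password:main-unique"}),
                   frozenset({"account:recovery-email"})],
    # The exchange resets its login via a link sent to the main mailbox.
    "exchange": [frozenset({"account:main-email"})],
    # A bank login needing its own password AND a hardware token: out of reach here.
    "bank": [frozenset({"password:bank-unique", "hwtoken:bank"})],
}

# Constructed attacker holdings: exactly what the hacker in the post claimed to have.
ATTACKER: Set[str] = {"password:old-2014", "phone:us-mobile"}


def reachable(inventory: Inventory, holdings: Set[str]) -> Dict[str, List[str]]:
    """Return {account: path_used} for every account the attacker can take over.

    Iterates to a fixed point so that an account taken over in one pass can unlock
    further accounts in the next, regardless of inventory ordering.
    """
    known = set(holdings)
    owned: Dict[str, List[str]] = {}
    changed = True
    while changed:
        changed = False
        for name, paths in inventory.items():
            if name in owned:
                continue
            for path in paths:
                if path <= known:
                    owned[name] = sorted(path)
                    known.add(f"account:{name}")
                    changed = True
                    break
    return owned


def explain(owned: Dict[str, List[str]], account: str) -> List[str]:
    """Trace the recorded unlock paths from `account` back to the attacker's raw material."""
    chain: List[str] = []
    todo = [account]
    seen: Set[str] = set()
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        path = owned[cur]
        chain.append(f"{cur} <- {' + '.join(path)}")
        for req in path:
            if req.startswith("account:"):
                todo.append(req.split(":", 1)[1])
    return chain


def remediate(inventory: Inventory) -> Inventory:
    """Apply the post's two fixes: rotate the reused password, detach the phone number.

    The SMS reset path on any account is swapped for a hardware-key reset (assumed
    fix); every use of the old password gets a fresh per-account one.
    """
    fixed: Inventory = {}
    for name, paths in inventory.items():
        new_paths = []
        for p in paths:
            p = frozenset(f"password:rotated-{name}" if r == "password:old-2014" else r for r in p)
            if "phone:us-mobile" in p:
                p = frozenset((p - {"phone:us-mobile"}) | {"hwtoken:recovery"})
            new_paths.append(p)
        fixed[name] = new_paths
    return fixed


if __name__ == "__main__":
    before = reachable(INVENTORY, ATTACKER)
    print("Compromised before fixes:", ", ".join(before))
    for step in explain(before, "exchange"):
        print("  ", step)
    after = reachable(remediate(INVENTORY), ATTACKER)
    print("Compromised after fixes:", ", ".join(after) or "nothing")
```

Run it and the "exchange" trace reads back to the phone number alone, which is the domain-mixing point: the exchange never saw the old password, yet it falls because a carrier-controlled identifier sits at the root of its recovery chain. Swapping the SMS reset for a hardware key and rotating the reused password empties the reachable set.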

For heaven's sake, BCC. Email is tricky business - To, CC, BCC, Subject, Content, filling in all these fields leaves the head spinning. Put everyone in To or CC and every recipient walks away with the full address list, which is exactly the kind of contact graph an impersonator wants. Nonetheless, just as a minimum level of competence is required to operate a motor vehicle before driving on public roads, so a minimum level of competence is required to use public internet services like email. I’m not even being tongue-in-cheek here. The same weekend as this incident I received a newsletter from a well-respected blockchain entrepreneur who failed to use BCC. We had a chat about it. Thanks for the commiseration, mate.