The Aftermath of a Hack: Part I
What just happened to my life? I had money, and then I blinked. Suddenly, I lived in a financial wasteland.
How do you tell a story you don’t even really know? That’s what I’ve been struggling with for over two months. On May 18th, 2017, hackers stole the majority of my financial assets. I’ve spent the time since then attempting to survive while trying to make sense of it all. Every time I sit down to explain it I can’t. Every time I try to tell people how it affects me I give them the wrong impression.
I don’t know how to tell this story because I don’t know what happened, but through these posts—as well as other mediums in the future—I’m going to explore this experience practically, psychologically, and sometimes philosophically. I want to use this as an opportunity to learn more about how the world of personal security has changed and hopefully help others avoid what I am going through.
A Small (and Important) Request
Before we get into it, I just want to ask one thing:
Please be kind.
I’m going to be as honest, objective, and straightforward as possible and that involves exposing a lot of my own flaws and mistakes. You might feel bad for me or you might think I’m an idiot. Both may be warranted, but that’s not what this is about. This material is not about your opinion or mine, but to try and understand what happened.
I am writing this series of posts to both help myself and others. It’s absolutely fine if you don’t like them or think I’m stupid. I just ask that you keep that to yourself, as this is a very challenging time for me and I’m only trying to do what I think is best.
The added pressure of public criticism will make this infinitely harder—which I realize is a risk of making something like this public—so I hope you’ll at least help me out by being respectful with any comments or contact you have with me surrounding this issue.
I think that’s a good thing to do in general, but I’m asking for it here because I can’t afford to lose time feeling bad about myself because of something cruel someone said to me. I just don’t have that luxury anymore.
Finally, in the spirit of honesty and precision, I want to be clear that I am writing these posts in hopes of getting help. You’re under no obligation to help and I don’t expect that of anyone. I will explain how you can help at the end of this post (and any others that come after) should you want to do so. Please understand this is entirely up to you and not expected. I am terrible at asking for help, because I don’t enjoy putting my burden on others, but I feel I need help right now and it would be dishonest for me to continue keeping that to myself.
Welcome to the Fuchur
You may know me and you may not. You may know something about what happened to me and you may have no idea. I’ll do my best to cover the broad details so everyone is on the same page.
Back in the later part of 2016, I was working on a weekend-long art show that depicted an absurdist future (called The Fuchur). It was a wonderful experience, and as a part of it I had to learn a lot about cryptocurrency. We wanted to make the future world’s narrative as closely tied to reality as possible, so people would question whether or not we were making a joke or entirely serious.
New Ethereum’s Promise
As a result, I discovered new Ethereum (ETH) and used my essentially dormant Coinbase account to purchase some out of curiosity. At the time, ETH was only about $7. I noticed its value increasing, even though it was minor, and so I bought a little more. Then, suddenly, it had surpassed $40. I’d always regretted not buying more Bitcoin when I could have for $15 each.
I’d never imagined it would get to $600, let alone about $1,200 back in May. At the time I’m writing this sentence, one BTC is worth $2,762.43. It will inevitably be worth a different value by the time you read this. Cryptocurrency values change quickly, and sometimes those changes are also dramatic.
After the art show, I’d started focusing on catching up on everything I’d fallen behind on since it began. I didn’t take as much paid work as usual and I wasn’t earning enough money to stay financially stable in the long run. I knew I’d need to start picking up more contract work in the near future, but I saw an opportunity in ETH so I figured I’d focus on both. I analyzed patterns in value fluctuations between ETH and BTC to get an idea of how ETH might grow over the next couple of years.
I was a bit too conservative, and Ethereum’s value started to soar in the way I’d expected but much sooner. Exempting the money I needed for the rest of the month, I put everything I could into ETH as investment with the expectation of removing a significant portion of it within a couple of weeks, after the value soared.
And it soared, far beyond what I expected. It stagnated at $80 for quite some time, but then pushed past $100 per ETH. On June 13th, 2017, it surpassed $400 in value. Unfortunately, that was nearly a month after everything I invested was stolen by hackers.
I’m not one to put all my eggs in one basket, and I’m so cautious about my online security—having survived so many hacks in the past and written several articles about computer and password security—so I inevitably felt stupid after I saw my money was completely gone. But after the initial panic was over and I’d frozen my bank accounts to prevent further damage, I started to notice things that didn’t entirely add up to a clear picture of the circumstances. As soon as I thought I knew exactly what had happened, I’d come across contradictory information.
Security Beyond Practicality
To understand why I say this, you need to first understand how meticulous I am about my online security. The strategies I’ve employed are absurd, which I say less as a joke now that they’ve proven ineffective in at least one situation. I’m still left wondering whether or not I could have done anything to prevent this.
I spent my efforts on protecting myself against known security flaws as best I could, but should that effort have been placed on trying to research the lesser-known concerns or protect against future attacks that have yet to be implemented? Am I even knowledgeable enough to do that?
Those questions often come to mind, but I haven’t had the headspace to make a conclusion yet. I doubt I have the information I’d need to feel confident about any conclusion right now, anyway.
But here’s what I did and, perhaps out of habit and uncertainty, still do:
All my personal accounts use unique passwords that follow a relational system, with the exception of low-risk accounts that I leave vulnerable on purpose so that if somebody does attempt to hack me they’ll likely get into those first and I’ll know to take protective measures immediately. For example, one of those accounts is a personal gmail address (firstname.lastname@example.org) that I only use to sync data in Chrome on shared computers and to sign up for shared or test accounts with other services. Nothing of importance is tied to it, and I deliberately put less effort into securing it to make it the more attractive candidate.
All my personal accounts also use unique email addresses (or, more precisely, aliases). I started doing this to filter out spam over a decade ago, using a single domain to help me sort my mail more efficiently, but doing so also made it much harder for anyone to intuit credentials for my other accounts. Sure, it wouldn’t be that hard to guess how something along the lines of email@example.com (this is a fake example, for the record) would translate to a bank account at Wells Fargo (again, this is another fake example, thankfully) but not always. I often used domain aliases (e.g. adamsotheremailaddress.com) and there was no perceivable consistency to those choices. I’d pick a domain based on what felt right, so even I’d forget what I’d chosen from time to time.
The relational password system I conjured up is so absurd I am going to share an encrypted password with you with full confidence you’ll never figure it out. It’s not that it’s impressive or I’m some master cryptographer, but rather that you’d never be able to derive a pattern from my encoding method because there isn’t one. It’s like if you wrote all your passwords down in plain text in one file, but instead of the actual passwords they were actually inside jokes about your passwords with yourself.
For example, this is the encrypted version of my (former) Coinbase account’s password:
Alias’ second spirit animal excited by the pin of the error of George in the Alias’s first spirit animals U1U2RR3.
Even if you kind of know what I’m referring to in that sentence, you definitely have no idea how to translate it. I mean, I don’t even remember who the heck George is but fortunately there are a few redundancies in each statement in case I forget something like that.
I use two-factor authentication (2FA) whenever possible, split between Authy and Google Authenticator depending on what the platform allows and/or recommends. Coinbase initially recommended Authy so I used Authy. As if it were some kind of sick joke—and, so we’re clear, I think it’s very safe to assume the people at Coinbase aren’t so horrible—Coinbase sent me (and their other users) an email recommending a switch from Authy to Google Authenticator on June 2nd, 2017.
In case you’re forgetting the timeline, that’s about two weeks after my account was hacked. I do use SMS for some 2FA, but only when it is required. Aside from becoming less secure over time, as we’ve seen through others who were similarly targeted for their cryptocurrency, it’s slower, often fails to function properly, and—in my experience—provides neither a means of denying nor approving an authentication request through the same system.
That’s the gist. Could I have done more? Probably. How many people do you know that do as much as I do? Probably very few, if any. My effort, however, doesn’t matter because it wasn’t enough. It didn’t help me protect myself this time, and I’m not entirely sure why. At first, the answer seemed obvious. As time and distance continue to increase, an answer seems almost permanently out of reach.
Indirection and Paradox
I can only describe the day of the hack as a series of strange events that kept me looking in every wrong direction until it didn’t matter anymore. Please understand this is conjecture, in my attempt to make sense of what happened. I could still be missing something obvious.
Maybe these hackers are highly intelligent and I had no chance in the first place. Perhaps they were idiots working as a situationally fungible group in another country and their employers were the intelligent party. I’ve imagined a variety of scenarios based on what little information I could collect in the aftermath, but I frequently reminded myself that none of them were supported by enough evidence to be true conclusions.
When the desire to understand a tragedy is equal to the unlikelihood of finding the information necessary to understand it, you will struggle to keep that tinfoil hat off your head—but there’s never a more important time to remember the inadequacy of circumstantial evidence.
To follow along with the events of the hack as they unfolded for me without taking up hours of your time, I’m going to give you a detailed outline. If you hate details, just read the bold text.
Earlier in the week, I’d installed the Windows 10 Creators Update on my home server that I built as part of a Hackintosh Pro series I did for Lifehacker. It used to be a workstation, but it made more sense to run Windows when it became a standalone server. Also, I’d been writing about virtual/augmented/mixed reality at the time and that’s not coming to the Mac until approximately September of this year when High Sierra is released.
You can’t really write about VR unless you experience VR, so it made me finally want to jump into Windows again. But as it often goes with an older machine you built yourself when utilizing an operating system you have less experience with, the update didn’t pan out and I had to perform a clean installation.
The clean installation took place the night before the hack, and I wrapped up app installations in the morning so I’d have things like Chrome, VNC, my server scripts, etc., installed on the server. One of my podcasts records at noon on Thursdays, so rather than leave the machine online and unfinished I shut it down. In approximately the middle of recording the show, we experienced a power outage for about five minutes.
Because this is common in the area, should the wind blow gently in just the wrong way, I have UPSes hooked up to pretty much every important piece of technology I own. I only mention this because the server was somehow on after the power outage—except I didn’t notice because the monitor was off and it didn’t occur to me that the power outage would cause the machine to boot up. After all, it was hooked up to a UPS so, as far as the server knew, it never lost power in the first place. Nevertheless, something turned it on and I don’t know what, why, or how.
After the recording I had a meeting for an AI project I’ve been working on for months, that I love so much I am going to finish no matter the consequences. I’ve probably made the poor decision numerous times since the hack to prioritize this work over most everything else because I find it so exciting. If I don’t have a challenge I’m not happy, and when you get hacked it’s kind of hard to expend your limited willpower on avoiding something that will make you feel good.
We concluded the meeting sometime between 4:00 and 5:00 PM which is when I first noticed something suspicious. I received a text message from a company I later discovered was Telesign (they don’t identify themselves as they’re a third-party 2FA provider) with a 2FA login code. I don’t know if my excitement over the AI project had me distracted, or if I was just busy because I knew I had to wrap up work and get ready to go in about an hour.
At around 6:00 PM, my boyfriend and I made our way to Zumba class. (By the way, people like to tease me from time to time for doing Zumba but that’s ridiculous in the first place and this class, in particular, is amazing. If you think I’m stupid for considering Zumba one of the regular highlights of my week you’re very wrong. My Thursday class is ending this week so I’m feeling sentimental, and I’ve frequently experienced how people sometimes like to put a negative focus on irrelevant minutia so I just wanted to nip that one in the bud.)
On our way back, I noticed an email from Amazon letting me know I’d just purchased $3,000 worth of gift cards and they should arrive in five minutes in the inbox of some guy I don’t know. Don’t worry, I wasn’t driving the car while using my phone—I have rules for that, too. Also, I searched for references to the guy’s email and found a Twitter account that might as well have been a spambot of the cloth. It just spouted Bible verses and praise for Jesus without showing any real intention. This may seem unimportant, but I don’t think it is.
I checked my Amazon account and the order hadn’t gone through. The hackers gained access somehow and so I changed my password after noticing they’d attempted to use an American Express card. This is strange because I don’t use one. After some research, I found out it was my dad’s. I have never used that card, and I still don’t know how they got its number. Since they associated it with me and an older address of mine, it seems more likely that it came from a public data dump of one of the many massive account hacks we’ve seen in this decade but, since it wasn’t my account, I can’t really make a guess as to which of my dad’s caused this to happen. I also don’t know how it became mistakenly associated with me. (In the interest of honesty and precision, I do have an American Express account that appears to still be open but I thought it was closed many years ago. Either way, the number wasn’t the same and it had nothing to do with my dad.)
After securing Amazon, I went looking for other issues to make sure nothing bad happened and kept finding failed attempts. This gave me a sense of confidence and cockiness, as I felt like I was dealing with some really bad hackers who just couldn’t figure out how to do credit card fraud right. They had logged into my Microsoft account, too, and tried to buy a bunch of Xbox gift cards but those attempts failed as well. At this point, I started to figure out what was going on: they had gotten into the home server.
This took me a moment to reconcile because the server didn’t appear to be working after my boyfriend and I sat down to eat and watch a video stored on its local drive. We made the switch to Netflix because it wasn’t connecting and I assumed the machine was still off before realizing that thought didn’t make much sense. I knew they were utilizing one of the computers because I’d remembered logging into Amazon on at least one Windows desktop (we use a couple of tiny ones to handle things like Skype for podcast guests) and, naturally, my Microsoft account was tied to my user on all of them. I didn’t necessarily know if they’d gotten into the server or another machine, but I knew it was one of them and assumed it was through VNC.
Yes, I used a password on my VNC server and, yes, I know how little protection one provides. Honestly, I couldn’t tell you why I even opened up port 5900 on my router to provide access to the server in the first place. I never VNC into it remotely, but I guess I thought I’d want to if I ever went on a vacation again and didn’t get around to remapping the port. If you had to pick one negligent action I took, this should be it. I don’t remember doing this, but clearly I did.
It was hard to make sense of everything because I kept finding new activity pop up via notifications in Gmail, letting me know a purchase was attempted and failed. At least, this was the case in every single instance except with Coinbase. I mention this because the security measures employed by every single company that the hackers accessed easily thwarted them, whereas Coinbase failed in a rather extraordinary way. (More on that later.)
I saw purchases going through for varying amounts of Bitcoin and that’s when I noticed—hours after the major damage appeared to have happened—that the hackers had easily whisked away what, on June 12th, would’ve been worth nearly $50,000. At the time it was quite a bit less, but I hadn’t invested so deeply in ETH to watch it break $100. That was just the first milestone I’d been waiting for, but instead it marked the greatest financial loss I’d ever incurred in my life.
Butts for Coinbase
I immediately contacted my bank (Chase) to freeze my accounts, and while the representatives insisted on a frustratingly extended reporting procedure before actually locking everything down they got it done. They were remarkably accommodating and helpful in subsequent interactions. Coinbase, on the other hand, did not respond to my requests for support for about four days.
To be fair, this isn’t 100% accurate but I’ll explain that in a moment. I first would like to examine this amount of time in context. Generally speaking, the response time for most support requests with any service in this day and age is about 48 hours. Many promise 24 hours and it’s not unusual to get a response sooner. This, of course, relates to non-urgent requests. When it comes to fraud—especially when we’re talking about a significant amount of money—four days is not a reasonable time frame. Anything that might be considered a resolution didn’t arrive until June 5th—about two and a half weeks later.
I find this absurd and am extremely disappointed by the way Coinbase has treated me, but I don’t believe that’s just cause to ignore their possible circumstances or perspective. Of course, I don’t know what they are because they’ve failed to communicate with me in any meaningful way, but I think we can safely assume they’re under a lot of pressure and struggling right now.
I started finding complaints about horrible support from Coinbase customers dating back to about mid-2016. I don’t remember seeing much before that. In January, Coinbase co-founder Fred Ehrsam left the company stating that he’d likely be back in the cryptocurrency space after taking some time off. I’m assuming a lot here, because I have no other option, but when you factor in the volatility of centering a business around cryptocurrency it’s hard to imagine anything but a high-stress environment.
If you dig deeper into the history of Coinbase and customer complaints, you’ll find plenty of mistrust. You’ll even find a handful of lawsuits—some of the class action variety. Perhaps I’ll take a deeper dive into this subject another day, but for now I’ll just offer my conclusion: I don’t get the impression that Coinbase was at fault in any of the lawsuits filed against them. It seemed more like a series of unfortunate circumstances, similar to my own—at least, in terms of eliciting a sense of unfairness.
As much as I’d love to depict Coinbase as an evil “bank” who cares nothing about their customers, I don’t think the circumstances are that cut and dried. Coinbase was one of the first companies to offer a simple cryptocurrency exchange. Being among the first is never easy and rarely successful.
(I’d love to have a discussion about that, too, but so this part of the story can someday end I’ll just ask you to compare the histories of Uber and Lyft and watch this TED talk by Bill Gross if the topic interests you.)
I can’t imagine the pressure that must come with running a company like that. I wouldn’t want that weight on my shoulders, nor the hatred that comes with the struggle to do a decent job. When I wrote for Lifehacker, I had an absurd amount of anger directed at me from readers. This was, fortunately, dwarfed by the more reasonable and positive responses most of my posts got—and some of the anger was rude but warranted, too—but anger is a novelty that’s difficult to ignore and some people were just downright cruel.
Some were funny, though, and to this day I wear their complaints like a badge of honor. (If you know me even a little bit, you know exactly what I’m talking about.) Communicating is a tough job and people misunderstand you no matter how much you intend to be clear. When bad things happen, honest communication is especially important.
That is, primarily, why I have been so adamant in my partial defense of Coinbase throughout this ordeal. Those of you familiar with my Twitter “campaign,” in which I tweeted pictures of butts at them until they finally offered a non-generic response, might find this strange. But I’ve talked about it on one of my podcasts (Supercharged) on numerous occasions and sent full transcripts of my interactions with them to any journalists interested in writing about these hacks so they could form an objective opinion.
If I can find the time to redact private information, I want to add them to this series in full—not just the excerpts we’ll get to later. There is nothing in the email threads that will make me look better. At best, it will do nothing to sway anyone’s assessment of what happened. At worst, I think I’ll come across as angrier and they will demonstrate most of my negative sentiments already expressed here.
I want to do all of this because we live in an era of disinformation and I refuse to contribute to it knowingly. Just as Coinbase’s circumstances do not excuse the way they’ve treated me, I am not justified in misrepresenting a company just because I feel wronged. I can only do so much in either direction because of their lack of communication, but I hope my assessment has felt fair so far. It’s hardly conclusive, for the previously stated reasons, but it’s the best I can offer under the circumstances.
I want you to take a look at the message thread to the left. It contains the first response I received from Coinbase, via Twitter direct message. Please note the date is May 22nd—four days after the hack occurred. Now, I want to share what I originally wrote to sit alongside that image:
I want to be very precise about one more thing: the support exchange with Coinbase began within 48 hours, but that was when their Twitter team requested my account details and suggested I email support.
I have made such efforts to give Coinbase the benefit of the doubt that I actually remembered their first contact incorrectly. I wrote this account prior to gathering the included images and taking many of the screenshots. I have tried so hard to see them as better people that I actually convinced myself they addressed my situation twice as fast. This is one of the many reasons optimism is a double-edged sword.
Their support team requested my account information via Twitter several times, too, even though I’d already supplied it prior to their first request. I don’t think their Twitter support team is made of chatbots due to the slow rate of response, but the level of assistance provided makes it hard to be absolutely certain of that. But again, that’s just my optimism trying to find a reason they’re not a terrible company. I seem to have an addiction to giving everyone the benefit of the doubt even when there is no doubt to be found.
Is it foolish to search for the best in people, no matter what they do to convince you that you’ll never find it?
The support email thread, which concluded on June 5th, consisted of Coinbase fishing for information that I felt was asked with the sole intent of finding a reason to blame me for the problem.
I gave them a detailed account of what happened and provided context that I hoped they’d read so they wouldn’t draw the conclusion they ultimately did, which felt a lot like “actually, you screwed us, so go $#%! yourself”—but in a somewhat more polite fashion. They actually wrote to me and said that I let a hacker in via VNC, the hacker logged into my Coinbase account, and the hacker took my money and ended up costing Coinbase nearly $1,700 because of my negligence.
According to that message, the liability belonged entirely to me.
Perhaps you’ve noticed, but this isn’t a short story. In Part II, we’ll discuss my interactions with Coinbase. It’ll get posted to the Awkward Human Blog—just like this post—so keep an eye out there.
Or, since it’s up already, just go read it.
How to Help Out
You have no obligation to help me, but here’s how you can if you’d like to. More than usual, I’m on the lookout for new clients. You can learn more about the kind of work I do these days on my personal site if you’re not familiar. If you are someone who could use my services, or know someone who I might be able to help out, please let me know.
You can also help support the work I’m doing through Awkward Human via Patreon. We create shows, games, stickers, software, and more. I, and those who work with me, are learning as we go. We’re not really making much money yet through this kind of work, but we’re growing slowly but surely. The work I do at Awkward Human means a lot to me because we focus on ways to help people and improve the world through fun and entertainment.
Lastly, I’m working to turn this story into a more robust web series/podcast that you can watch or listen to rather than read. I know how long and detailed these posts are, and I know I probably wouldn’t get through them anytime soon (or at all) if I were the reader. I need sponsors to be able to afford the cost of producing the episodes and also afford to take the time to work on them. I already have the first one taken care of, so that’s going to happen, but we have nine more to go. If you’re interested in sponsoring this, or discussing sponsorship for a handful of other projects we’re trying to complete, please get in touch. Rates are reasonable, and I will love you forever. :)
But…What’s Your Contact Info?
To get ahold of me for only pleasant reasons, please use the contact form on my personal site. This is better because it’s much easier to make sure those messages don’t get filtered out of my horribly overstuffed inbox. I’m asking you to use the form because I don’t want to overlook your message.
But if it’s really important to you, shoot me an email at firstname.lastname@example.org. I really hope you don’t, though, because I’d actually like to receive your email and not lose it to a filter or the spam box.