It began with dumplings.
When I got an email at midnight last March from Grubhub notifying me that my order from Dumpling Depot was on its way to an address 3,000 miles away from my location in New York City, I thought there must have been some mistake. And there was: mine.
Because I didn’t take a few basic internet security precautions, hackers robbed me of $13,103.91 worth of cash and prizes from three of my accounts over the next six months. And while this doesn’t make me, your Recode data privacy reporter, look very smart, I’m sharing my story with you in the hope that it will help you avoid a similar fate.
The person who hacked my Grubhub account last March ordered a black fungus salad with celery, a five-spice-marinated beef entree, and 12 pork dumplings (with chives) for a total of $26.84. At first, it was annoying but didn’t seem like that big of a deal: I notified Grubhub about the fraudulent charge and got a refund. Then I changed my password, sent an angry text to the phone number on the food order, and went about my life, foolishly thinking that this was an isolated incident. It was not.
Five months later, I logged into my bank account to find a substantially smaller number in my savings account than I expected. Sure enough, $9,000 had been wired away two days previously. During the subsequent, frantic call to my bank, I looked at my checking account and saw that $4,000 had been wired away from there, too — a discovery I declared with a variety of curse words. The woman on the other end of the line had a pleasant Southern drawl, which made her promises that I would get the money back seem extra reassuring.
She was right, although my access to all of my money was cut off for several days as the bank froze my old, violated accounts and created new ones. It took about two weeks before everything was fully up and running again and my $13,000 was restored. I don’t know if my bank got the $13,000 back or just fronted me the money and called it a loss. When I called them for an update and to demand justice, they told me they couldn’t tell me any details about the case because I was not the victim, the bank was. Obviously, things could have been a lot worse: I did get the money back.
But it wasn’t over. A month later, in September, I received an email from my credit card company informing me that it declined a $323.01 charge that Caviar tried to put on an expired card. Having a pretty good idea of where this was going, I checked my credit card and found that while the $323.01 charge was declined, two charges of $1.64 and $75.43 from Caviar had gone through. For some reason, my card transferred some (but not all) purchases made on the expired card that was attached to my account to my current one. And someone got away with $77.07 of rustic street food from one of Eater San Francisco’s top Oakland Vietnamese restaurant picks. Fortunately for me, the money was refunded to my credit card.
But just because I was lucky enough to get my money back in full, it doesn’t mean you will if hackers ever target you. And even losing that money temporarily was still a big, scary inconvenience: I had bills to pay and no way to pay them. I was terrified I would lose my health insurance coverage. I also had a few bill pay services linked to a closed account I didn’t switch over in time, and now I’m on some kind of scofflaw list at E-ZPass.
I don’t know if my bank, Grubhub, or Caviar were able to get any of the stolen money back. If not, they (and all the other businesses that cover hacked account expenditures) need to make it back somehow — and usually, customers end up having to cover those costs in some way. That means those thousands of dollars will come out of my pocket in one form or another. It will also come out of yours. Sorry about that.
I’m pretty sure I know how this happened, so I’m happy (and embarrassed) to share it with you so you’ll have better internet security hygiene than I did. Here are the three things I screwed up so you don’t have to:
1) Don’t reuse your passwords. And definitely don’t do it on dozens of different accounts.
Yes, I used the same password (or a variant of it) for most of my accounts, and I used it for almost a decade. I thought I had thwarted hackers by substituting certain letters and numbers for similar-looking special characters, but obviously they saw through this clever ruse.
This was probably my original sin. Somewhere, sometime, one of my online accounts got hacked, and my username, email address, password, and who knows what else were put on the internet for anyone to see and exploit. And once a hacker got my password, all they had to do was plug it (and its variants) into as many sites as possible until something clicked. This has a name, credential stuffing, and it is automated: a script feeds the leaked email-and-password pairs into the login forms of hundreds of sites, so the attacker doesn't even need to know which sites you use, and a letter-for-symbol variant of a leaked password is just another entry on the list. The mini crime spree across multiple sites in the space of six months indicates that that's exactly what they did.
Perhaps you, like me, re-use passwords — actually, half of you reading this do, according to a recent survey. If so, here's what you should do: Check a site called Have I Been Pwned? to see if your information has been compromised. It tells you which known breaches your email address appears in, its Pwned Passwords page tells you whether a particular password has ever shown up in one, and it can notify you by email when your address turns up in a new breach. When I did, I saw that my email address is listed in no fewer than 15 different site breaches. I had assumed that every site where I'd created an account had taken adequate measures to keep my information secure and private, but my trust was sorely misplaced.
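To make those two points concrete, here is an added example; it is mine, not code from the Recode article or from Have I Been Pwned?, and it uses only the Python standard library. The first function enumerates the lookalike-character variants of a word to show how few spellings a "clever" substitution actually produces. The second implements the lookup that the Pwned Passwords service uses: the password is hashed with SHA-1, only the first five characters of the hash are sent to the service, and the rest of the matching happens on your machine, so the site never sees your password. The function names, the `offline_fetch` stand-in, the `User-Agent` string and the `SAMPLE_RANGE_BODY` response (including its counts) are my own constructions for running the example offline; only `fetch_range` talks to the real endpoint.

```python
import hashlib
import itertools
from urllib.request import Request, urlopen

# Lookalike substitutions an attacker would try in place of each letter.
# The original letter is always kept as one of the choices.
LEET = {
    "a": "a@4", "e": "e3", "i": "i1!", "o": "o0",
    "s": "s$5", "t": "t7", "l": "l1", "b": "b8", "g": "g9",
}


def leet_variants(word: str) -> set:
    """Every spelling of `word` reachable through the substitutions above.

    The result is a handful of strings, not a search space: a leaked base
    word plus a few symbol swaps is still guessable in a fraction of a second.
    """
    choices = [LEET.get(ch, ch) for ch in word]
    return {"".join(combo) for combo in itertools.product(*choices)}


def pwned_range_lookup(password: str, fetch) -> int:
    """Return how many times `password` appears in the Pwned Passwords corpus.

    k-anonymity protocol: SHA-1 the password, send only the first five hex
    characters of the hash, then compare the remaining 35 characters against
    the suffixes in the response locally. `fetch(prefix)` must return the
    text body of GET /range/<prefix>, one "SUFFIX:COUNT" line per entry.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Real lookup against the Have I Been Pwned? range endpoint (needs network)."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-example"},  # arbitrary label
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a /range/5BAA6 response. The suffix on the last
# line is the real SHA-1 suffix of the word "password"; the other two lines
# and all of the counts are made up for this demonstration.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
"""

SENT_PREFIXES = []  # records what the offline fetch was asked for


def offline_fetch(prefix: str) -> str:
    """Fake fetch for the offline run; shows that only 5 characters leave the machine."""
    SENT_PREFIXES.append(prefix)
    return SAMPLE_RANGE_BODY


if __name__ == "__main__":
    print(len(leet_variants("password")), "variants of 'password'")
    print(pwned_range_lookup("password", offline_fetch), "hits (constructed count)")
    print("sent to the service:", SENT_PREFIXES)
```

Swap `offline_fetch` for `fetch_range` to query the live service; the prefix recorded in `SENT_PREFIXES` is all it ever receives.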
What I should have done — and what I do now, and what you should do if you don’t already — is use different passwords for everything. This isn’t as complicated as you might think. I have a password manager app that keeps all of my usernames and passwords in one place (I use LastPass, but there are several such services — some free, some not — out there). Now, if my password for one site gets out there, the damage is limited to that site alone. They’re pretty easy to use, and many of them have password generators to help you come up with unique, difficult-to-crack passwords for every account.
Yes, there’s always a possibility — albeit remote — that the password manager itself could get hacked. Security consulting firm Independent Security Evaluators found vulnerabilities in several password manager apps but still said password managers were “a good thing.” LastPass claims that it has only had one “security incident” in its 10-year history, and that its users’ passwords were not exposed. 1Password says it has never been hacked.
When it comes to password managers, at least I know I’ve entrusted my information to a place that promises it’s taken all available security precautions. I don’t think I can say the same for Disqus, LinkedIn, MyHeritage, or Tumblr, all of which were listed on Have I Been Pwned? as having data breaches that could have exposed my password.
If downloading and setting up an entire app to manage your password seems a little beyond your capabilities (or the amount of work you want to put in), many browsers and devices will now do this for you, even if these options are more limited: they generally only work inside that browser or on that platform, and they are only as safe as the Apple, Google, or Firefox account that syncs them, so that account needs a strong, unique password of its own. Mac devices have a keychain app; Google has its own password manager you can use with its Chrome browser; and Firefox has a password manager too. You know when you set up an account for the first time on a website and a prompt comes up on your browser or the device itself asking if you want to save your password for the site? That's it.
If even that seems too difficult or tech-y for you, you can always go analog and write your passwords down in a notebook. There are different schools of thought out there on this: Some say it's the best defense against hackers you can get and others say you should never, ever write your password down. Most Americans keep track of their passwords by memorizing them (which, given the limits of human memory, means they are reusing one or a few passwords across sites) or by writing them down. Of those two, I do think you're better served by having unique passwords for every site written in a book (presumably one that you've stored in a safe location to which there is limited outside access) than you are using the same password all over the internet. Just keep in mind the disastrous consequences if that book were to ever fall into the wrong hands.
Another good thing about having your passwords in a central place? It’ll help you keep track of all the accounts you have. After the bank hack, I changed my password on every account I could think of. But I forgot about Caviar, which I used one time in 2018 because it was the only delivery service for the good cheeseburger place near me. So it was still there for the taking when my hacker got a craving for green papaya salad and braised pork belly.
Finally, change your passwords every once in a while. Recommendations for how often you should do it vary, but if you are like me, it's time to realize that changing passwords once a decade is not frequent enough. How about once a year? February 1 is the (unofficial) Change Your Password Day. That's coming up soon. The one time it isn't optional is when a site you use announces a breach: change that password right away, and change it anywhere else you reused it.
2) Put two-factor authentication on everything
Two-factor authentication, or 2FA (also known as two-step verification), means you need two ways of verifying your identity before you can log into an account, which helps protect you from hacks. One factor is your password, something you know. The other is something you have: a code from an authenticator app on your phone, a code sent to you by text message, or a physical security key you plug in or tap. This way, a hacker might know your password, but if they don't have access to your phone or the authenticator app, they can't get into your account.
My bank didn't offer 2FA by text — the method I was the most familiar with — but only through an authenticator called Symantec VIP. That involved downloading and setting up an app on my phone, which I took one look at, got suspicious that someone was trying to sell me something and make me put yet another unwanted app on my phone, and decided not to bother with. In retrospect, I really should have bothered! So should you. Authenticator apps are an increasingly common option because they are more secure than codes sent by text: when you set one up, the app and the site share a secret, and from then on the app computes each six-digit code on your phone from that secret and the current time (the code changes every 30 seconds), so nothing is sent to you over the phone network that could be intercepted. They take a few extra steps to set up (basically, downloading and installing the app and scanning a QR code), but that's it. I use Google Authenticator, but there are several others.
Another method is via text, where you just tell the website your phone number and it sends you a text with a PIN code when you log in. This is easier, but it's also less secure: A determined hacker can take over your phone number by "SIM swapping," that is, by persuading (or bribing) someone at your cellphone provider to move your number to a SIM card they control, after which your text messages, login codes and password-reset links included, go to them. To guard against that, ask your cellphone provider to put an account PIN or port-out lock on your account, so the number cannot be moved without it. (The PIN that locks the physical SIM card inside your phone is a different thing and does not stop this attack.)
My bank does offer 2FA by text now, and I have it set up. But a lot of people don’t use 2FA at all. A 2017 survey showed that only 28 percent of Americans use it, while more than half of them had never heard of it. And a Google engineer said in 2018 that more than 90 percent of active Google accounts don’t use 2FA. Meanwhile, Google’s research has shown that 2FA blocks the vast majority of hacking attempts. Remember, this isn’t just about locking down your bank account: You can lose access to your Facebook profile, or have your Twitter account taken over by porn bots. If 2FA is available on a site you use, take advantage of it.
If the reason why you haven’t set up 2FA yet is that you think it’s too complicated, I strongly urge you to at least give it a try. Most sites have detailed, easy-to-follow instructions on how to set it up (usually found in the settings “security” section — here’s Facebook’s, for example), it’s only a few steps, and then it’s just a matter of getting a text or opening an authenticator app on your phone to get into your account. And if you tell the site to remember the device you're on, you only have to do it once per device (until you clear your browser’s cookies or the site asks again).
3) Don’t save your credit card info on your account
The reason the hackers were able to buy food on my credit card is that I had saved my credit card info on those food delivery accounts. Lots of vendors you have accounts with will give you that “save this card for later” option, and I suggest that you not do this.
This is not always possible — Uber, for example, requires you to have a credit card attached to your account at all times. But where you can avoid saving your card on your account, you absolutely should. Yes, you will have to enter your credit card info every time you place an order or make a purchase, but that’s less of a pain than sending a series of increasingly panicked emails to various delivery services and calling your credit card company in the middle of the night.
In the end, none of these methods are foolproof and this list is not exhaustive, but they are a great place to start. And trust me, it’s better than the alternative. Do as I say, not as I did, and the next time a hacker gets a hankering for pork dumplings (with chives), you won’t be the one footing the bill.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.