08 December 2017

If you're trying to contact me: My e-mail address got hacked

My e-mail address, nick.brown@free.fr, got hacked earlier this week.  The hosting company "suspended" the account, which doesn't just mean I can't access it or send mails from it; it also means that if you send me a mail you will get a message that the user doesn't exist.

Their procedure for dealing with this is fairly... amazing.  If you read French, it's described here.  I had to send them an e-mail explaining what might have been the reason why I got hacked (virus or trojan on my PC, a password that wasn't long enough, reusing the e-mail/password combination as the login details for a site that itself got hacked, etc).  Despite their disclaimer ("Il ne s'agit pas ici de distribuer les bons points et les réprimandes"), it seems pretty clear that the point of the exercise is to cause people sufficient annoyance that they take more care in future, a bit like a mildly sadistic schoolteacher forcing a student to write 500 words on "why I will not forget to bring my gym clothes in future".  I posted about this in a French online forum and discovered that several other people have been victims of this too. My hosting company is screwing me over 1000 times worse than the hackers.

The account was suspended on Wednesday evening (6 December 2017 around 17:00 UTC, which is now more than 48 hours ago) and I sent the required e-mail straight away, but I haven't heard anything since. The technical support line is always busy, and in any case I don't know if they provide support for e-mail. The address to which I sent my "explanation" was abuse@theirdomain, so it is presumably in the hands of the e-mail server managers.

The problem, of course, is that for many people, losing access to their e-mail has the potential to be economically disastrous.  Yes, we can all do things more securely, but the hackers only sent out a few pieces of spam; the real damage is being done by the company trying to teach me a lesson.  And I have a certain amount of computer knowledge.  How J. Random Customer, who just uses, is meant to respond to that list of points is beyond me.

I don't know how long this will take to sort out. For all I know it could be forever, since the suspension is presumably triggered by an algorithm and I don't know if anyone is there to read mails sent to abuse@theirdomain.  This will be rather boring since I have about 30,000 e-mails in there - pretty much everything I've done for the last five or more years.

As a result of this, I'm starting to move everything over to a new Gmail address, "nicholasjlbrown".  This will take a while; I estimate that I have over 150 accounts with various sites out there that use my e-mail address either as the username or the contact address or both.  So if I ever lose the password to those I will be stuck; plus, if those sites send me a mail and it bounces, they might have a policy of deactivating the account.  So I'm going to have a very boring weekend updating logins (and discovering which sites didn't [yet] bother to implement a mechanism to change your e-mail address; to my surprise, PubPeer is in this category).

If you have been expecting to hear back from me, I might no longer have your address.  This applies in particular to people who have written to me in the last few weeks about things that have come up on this blog, so this post is to apologise in advance and invite you to recontact me at my new Gmail address.

