16 October 2011

How a hacker ruined my life and then tried to sell it back to me

A hacker has been occupying my email account for the past week. And he or she may still be there. A disembodied intruder, this person has been stalking my inbox, replying to messages, signing off with my nickname and refusing to let me in. They have been going through my personal history and making judgments about my character. In the weirdest twist, the hacker even started writing to me. If it wasn’t so unsettling, it could be the plot of a black postmodern comedy.

It started when my phone went crazy in the middle of a crucial meeting. About 5 000 contacts received an email from my account saying that I’d been held up at gunpoint in Madrid. My internet-savvy friends sent SMSes to say I’d been hacked, while my elderly, migrant and more vulnerable friends wanted to know where to send the cash. According to the story, my cellphone and credit cards had been taken and I was badly in need of money. There was a number to call to reach me at my hotel — presumably chargeable — and a Western Union account had been set up in my name to wire a transfer.

Suddenly you’re hit with an organisational bombshell — drop what you’re doing; freeze your bank account; answer anxious calls; lose crucial, last-minute messages; miss work deadlines; irritate bosses; reset all email-based passwords; forget to pay e-bills; irritate friends who think you’re ignoring them. The realisation dawns that the email account is the nexus of the modern world. It’s connected to just about every part of our daily life, and if something goes wrong, it spreads. But the biggest effect is psychological. On some level, your identity is being held hostage.

Out of sheer frustration, I fired off an email to my occupied address labelled “to those who hacked my account”, laying out how I felt and asking for my contacts. Shockingly, I got an almost instantaneous reply. The hacker said they would return my address book for £500. It was unreal. There I was, sitting at my laptop, alone in my flat, receiving emails from someone claiming to be me. Whoever it was must have been sitting watching my account and responding in real time. Who else was this person replying to in the same way?

I wrote back straight away, saying that I didn’t have those kinds of finances and pointing out that I had no reason to believe the deal would be kept even if I did send the money. I couldn’t help but end with a rhetorical: “Do you ever feel even slightly bad about what you are doing?”

Just for a minute, the hacker seemed anxious to prove that he or she had some sense of morality. According to this individual, it “didn’t feel great” to be a hacker. They said they didn’t have a choice. I immediately asked why. They said their life “wasn’t as nice and sweet” as mine. In what I guess was supposed to be a gesture of magnanimity, this individual said that they would release my contacts for just £300, and even offered to send me 20 contacts upfront as a sign of “goodwill”. You could tell this person thought they were being reasonable — they insisted that their actions weren’t as bad as robbing people on the streets.

What next?

What I wanted to reply, but found difficult to articulate at the time, was that hacking can be worse than that. When someone holds you up in the street, you lose a set of isolated possessions and then get to walk away. But if someone colonises one of your chief platforms of interaction with the world, there’s always a feeling of “what next?” They can read your most intimate emails and potentially pass them on. A simple search would allow them to find out not just my address, but also those of my friends and family — something that crossed my mind when I registered my case with the police.

Apparently about 3 000 people reported such scams last year, but too few of these are brought to justice. The police haven’t even returned my call for a full report. When I did eventually get access to my account back through Gmail a week later, I found that the hacker had personally written to more than 30 people who had asked about my problems in Madrid. The intruder said I’d had a “terrible experience” and signed off with my nickname, “Row”. The fact that someone could be so callous to people who cared about me — all in my name — left me furious.

I was lucky. The only reason I was able to regain access to my account was through chance — a friend of a friend works at Google. Until then, my hacker had given me better feedback than Gmail and Google, following my attempts to get in touch with them. The company that presents itself as the friendly face of the web doesn’t have a single human being to talk to in these circumstances. The UK office just cut me off and, after a friend waited 20 minutes to ask the head US team if there was anything that could be done to help, they received a simple “nope”.

When someone did bother to look into my problem, it only took five minutes to fix. The hacker had doubled the verification process on my password so I couldn’t get in. Once Google disabled it from the inside, I was able to reset all my security checks without a problem.

Even now, I’m not sure it’s over. In one last message, addressed from myself just two days ago, the hacker wrote: “I see you got the account back. Sorry for the trouble.” I never replied, so I guess I’ll never know what this individual’s circumstances were. But I feel the need to understand them. Perhaps we believe that if we find reasons for things, we’ll feel safer. Perhaps it’s about restoring a bit more faith in human nature. Either way, my hacker seems to have disappeared back into the 21st-century ether. Although, of course, they could be reading this now. – guardian.co.uk