A friend of a friend recently had some accounts vandalized. Most of the following started as a response to her, with advice about how to handle this situation. I hope that some of it can be of use to others. She had accounts on several web sites. One was broken into. Those users with shared account names and passwords across several sites had their other accounts vandalized. Those who had different usernames but the same password between sites still had some problems—particularly if they had links in forum posts or image tags for signatures that revealed the links between accounts.
She changed all her passwords immediately after noticing the attack. It sounds like she did exactly the best thing she could have done, both before and after this violation. She kept different passwords for different places, and she changed her passwords immediately afterwards. Having a stronger password would not have protected her against this sort of attack, but it is something that would help her against other common attacks.
She did ask what could be done about this vandalism: are police or the FBI going to help? What about if there’s real money involved? Since there have been news stories covering the group responsible, why haven’t they been punished and their communities shut down? Is there some code of silence? Are they an online Mafia?
As far as the people who act like this: they’re not the Mafia. They’re hoodlums. They’re the electronic equivalent of kids egging a schoolmate’s house. Just like those kids, they attack those who are different with the goal of eliciting visible pain. They attacked her social groups because you’re artsy, cultured types and these jerks have a record of getting visible moaning and wailing out of such communities.
Her response, which appears to have been a quick clean-up and professional demeanor, may be her best defense: she’s not a fun target, so they’ll move on to pick on somebody else. Alternately, they’ll move on to 10th grade or meet members of the appropriate sex or otherwise find a less corrosive hobby.
Indeed, she’s identified exactly the relevant line for police intervention. The FBI, USSS, and even local police can and will care about such matters, just as soon as they cross the line into an interesting crime. A cop or a DA wants to leave a trail of big, interesting criminals. They will stop shoplifters, but not jaywalkers—and they’d rather catch car thieves. Just so, they’d rather go after people who are stealing thousands of dollars or applying for fraudulent mortgages across state lines. Scribbling graffiti over an artist’s work—or a hundred artists’ works—isn’t going to attract police attention. If there is demonstrable financial damage, she might have success talking to the cops if she mentions that dollar amount up front. Anything over $10000 can easily attract Federal help. I think $1000 is around the threshold for local police. It’s typical to bill your own time at your professional rate for clean-up work. So if she spent more than ten hours cleaning up her own computers and her accounts at others, or can surpass a few hundred hours of collective clean-up in her communities, she might find a sympathetic DA. If not, she probably won’t.
It’s important to remember that these are analogous to the local hoodlums who egg houses and knock over mailboxes. This is a gang of weak people who enjoy hurting others to gain a few minutes of perceived strength. The best that you can do is:
Keep offline backups. Update them regularly. “Offline” means that no amount of software hacking can hurt them or, through them, you: For example, mine are on a drive in a safe. It comes out of the same to be plugged into my computer only when the network is off. The safe is fire-resistant.
Use passwords that are hard to guess, even for someone who knows your real name and your login names on every site you use.
Use different passwords in different places. The administrators of sites like web fora and your communities are only human. They will make mistakes, and the tools they use will fail them. Your passwords and account data will be leaked. I expect about one of my own accounts to spill its data each year. I do not write down anything I don’t want to risk seeing published.
One good way to do this is a password schema. Consider a common phrase, like “Once I was the King of Spain.” You might use that to remember a password like “111IwtKoS.” Now you can replace arbitrary letters with references to particular accounts. For example, your amazon account might have the password “111Iw@KoS” while your paypal account might have the password “1$f11wtKoS,” where “paypal” reminds you of “dollar friend” and you remember the rest as your general password schema. Then you might change schemas once every year or so. To do that well, you’d have to maintain a list of everywhere you have an account—something best not to do on the computer itself, but not a terrible thing to keep in a drawer near your computer.
When you do suffer from attacks like this, clean up quickly. Present the online persona of a responsible adult and you’ll be treated like one, even by bozos like this. Don’t let them think that they cost you more than a minute or two of time, and they’ll find somebody else to pick on. That means don’t post responses to them in their fora, or even acknowledge it in your own spaces beyond a brief apology to your readers.
From what she wrote to me and how she wrote it, I have the impression that she already knows all of this. But I do hope that it’s of use to others. Most of all, remember that this isn’t a vast new Metaverse unconstrained by ordinary social laws. It’s just people talking and writing. They’re driven by the same needs as the people you meet in the ordinary course of life.