Greetings-
Thought I'd post this as a *reminder* about changing passwords and keeping one's account details in check. We all tend to get complacent about online access and shopping-- the "it can't happen to me...." mode.
A friend runs a popular web site that also has an online store. His email (from Google) got hacked, which led to his site getting hacked. His customers' CC info was compromised, resulting in hundreds of fraudulent charges to his customers' cards. In addition, his personal accounts and information were also affected.
Here's his recent posting. I've edited names etc. out.
=======
=======
Since my email account and online store were hacked I've taken a crash course over the last 4 days in keeping myself safe from hackers and I just wanted to share what I've learned. Hopefully this info will help protect one of you in the future.
My biggest mistake was using ONE email address for everything. HUGE mistake! Once the hacker was inside my email he was able to see "order alert" emails coming in from xxxxxxxx my online store. This prompted him to snoop for my admin login page on the online store of which there was a "resend password" button. Well, since I only used one email for everything the password was mailed to my email of which he already gained access to.
He also snooped thru my emails and saw that I had a godaddy, expedia, UPS account, my personal credit card company login and bank account login. Since I only have one email he was able to go to each of these websites and hit their "forgot password" or "resend password" buttons and retrieve my passwords. He then proceeded to change my passwords to everything and lock me out.
godaddy.com is where I have the domains for the site registered. Once in godaddy he shut the site down (some of you may recall it going down earlier in the week) and proceeded to try and transfer the registration to another company. Thankfully I was able to get a live person on the phone at godaddy and convince them I was the rightful owner of the domains so Mike and I could take back control and get the sites back up and running.
At expedia.com he was able to see xxx and I have flights booked at the end of the month and proceeded to try and cancel the flights, but thankfully they were not cancelable or refundable.
So the valuable lesson learned and what I want to impress upon you is do not use just one email address for anything of importance. I now have separate private emails for each of the important things such as godaddy.com and the online store of which nobody knows the email address.
I feel like such a schmuck for making it too easy for this hacker. It's been a valuable lesson learned!
This hacker was extremely reckless in his actions which will make it easy for the FBI to trace him down. They are certain they can get him and assured me they have a team of the best computer forensics experts on the case.
Forget what this hacker has done to my personal life, what makes me most sick to my stomach is he may have your credit card numbers and has sold them off or is using them to make unauthorized purchases. So please call your credit card companies to check that no unauthorized purchases are being made. I'm extremely sorry for this inconvenience and I assure you xxx and I have gone thru great lengths to ensure this will not happen again.
And PLEASE, if you are using one single email address for important things like your credit card, bank account, etc. please consider setting up a separate email address for each of them.
=============
Friend had site hacked
PayPal Account Hacked Too!
My PayPal Account was recently hacked and over $2,000.00 worth of charges were made to my account...fortunately, my card holder caught all the fraudulent charges and stopped them I believe. PayPal did not do ONE THING to help stop this fraud! I have since cancelled my PayPal Account, my Credit Card Account and everything related thereto. This seems to be a common occurrence on PayPal based on what I have heard. I wish EVERYONE would cancel their account with this worthless bunch of people and save themselves the agony of having to deal with hackers..........

ADDITIONAL INFO: PAYPAL NOW REFUSING TO ALLOW ME TO CLOSE MY ACCOUNT ........... WHEN REQUEST VIA EMAIL WAS MADE TO THEM TO LET ME DO THIS AS THEIR SITE STATES I CAN, THEY WANTED ME TO CALL AND WASTE MY TIME WITH ONE OF THEIR IDIOT REPRESENTATIVE THAT I ALREADY KNOW ARE DO NOTHING PEOPLE BECAUSE OF THE ACTIONS THEY FAILED TO TAKE WHEN I REPORTED THE FRAUDULENT CHARGES ORIGINALLY...... JUST BEWARE OF PAYPAL IS ALL I SAY!
Last edited by westernamerican on Sun Jun 24, 2007 3:48 pm, edited 3 times in total.
Re: Friend had site hacked
May I offer up another suggestion? I never leave customer data (Credit Card Information, etc.) on a server or machine that is connected to the Internet. I would suggest to the friend to move confidential information off of Internet accessible machines immediately. Leaving confidential data online (especially now) could leave the organization or person open for increased liability from customers and other stakeholders. Such a policy and operational change will help erase that risk, or at least mitigate it to such a point that it is not a concern.
Piney wrote:
Greetings-
Thought I'd post this as a *reminder* about changing passwords and keeping one's account details in check. We all tend to get complacent about online access and shopping-- the "it can't happen to me...." mode.
A friend runs a popular web site that also has an online store. His email (from Google) got hacked, which led to his site getting hacked. His customers' CC info was compromised, resulting in hundreds of fraudulent charges to his customers' cards. In addition, his personal accounts and information were also affected.
Here's his recent posting. I've edited names etc. out.
=======
=======
Since my email account and online store were hacked I've taken a crash course over the last 4 days in keeping myself safe from hackers and I just wanted to share what I've learned. Hopefully this info will help protect one of you in the future.
[SOME DELETED TO SAVE BANDWIDTH]
=============
I hope things have gotten back to normal for your friend. The Internet is not a safe place to put your guard down.
Hoppes
---
The best test of freedom is perhaps less in what we are free to do than in what we are free not to do. - Eric Hoffer
---