I’d love to say it was a dark and stormy night, but the afternoon of August fourth started off like any other. I was busy working when I received an email on my personal email account. We’ve all gotten these sorts of emails; they say something like, “Thank you for subscribing to our newsletter, click the following link to confirm your subscription.” I didn’t recognize the name of the newsletter, so I deleted the email and decided to get back to work. A few minutes later, I got another similar email, and while I thought it was a bit strange to get two Emails from newsletters I’d never heard of before, I deleted that one as well. About ten minutes later, Emails wanting me to confirm my subscription to various Email newsletters and mailing lists were coming in by the dozens, and my phone was going crazy pinging me with notification after notification. I had no idea what was happening, why it was happening, or what to really do about any of it, and so I started deleting Email after Email. It soon became apparent that Emails were coming in way faster than I could delete them; I was clearly under some kind of attack, for some reason I didn’t understand.
It can be scary when this sort of thing happens, unsolicited Emails coming in like a constant flood with no end in sight. I’m generally a pretty calm person, but I was feeling an increasing sense of panic: Would I ever be able to use my Email address, the one I’ve had for over twenty years again? Would I need to change my Email address with all my online accounts and services and if so, where would I even begin with that? After feeling completely hopeless about all this for a few minutes, I decided to become a bit more proactive. After all, this was my Email address and I was going to do whatever I could to defend it. First, I created a number of messaging rules to try and cut down on the incoming stream of messages. For those who may not be familiar, just about all Email services and applications allow users to create rules which can move or perform an action on messages based on their content or some other trigger. In my case, I created a quick rule that would filter any messages containing the words “click” or “confirm” or “subscribed” directly to my deleted items. I realized this was only a temporary fix as eventually I actually will want to subscribe to something and I’ll likely have to confirm that subscription, but for the moment, these rules had an immediate impact on cutting down the incoming flood and made me feel like I had a tiny bit of control over the situation. Between the multiple rules I created and manually deleting Email, I soon had my inbox in some semblance of order. By the end of the day, over 2000 messages were either deleted manually by me, or by the rules I created.
While most of the messages had to do with confirming my supposed subscriptions to various newsletters and mailing lists, I also received an Email from Hilton confirming my reservation for Friday evening. Figuring that this too was spam, and still terrified that I might need to change my Email address with hundreds of individuals and accounts, I deleted this message as well and didn’t give it another thought, that is, until I got a push notification on my phone from the Hilton app pertaining to my apparent upcoming stay. That certainly got my attention, and I opened the app to find that I did in fact have a reservation on my account for that very evening, at the Hampton Inn Birmingham/Trussville. According to the Hilton app, I and another guest, with a name I didn’t recognize, had booked a room using my Hilton points and, to cover an additional $5 which my points apparently weren’t enough for, a credit card, also not mine. I immediately contacted the hotel directly and tried to explain the situation to one of the most unsympathetic people I’ve encountered in years. She told me that she encounters “people like me” all the time, people who come up with stories like this to try and circumvent the hotel’s last-minute cancellation/no-refund policies. I explained that this was not the case here, but she had already hung up on me. I contacted Hilton’s customer service and, after explaining the situation to two customer service agents, I eventually got one of them to understand that this was a fraud situation and that I really needed to speak with a fraud specialist. Eventually, after explaining the situation yet again, Hilton finally opened a fraud case and told me I would hear something back in a few days. Not wanting anyone to get a free stay while the fraud case worked its way through the system, I again called the hotel directly and got the same unsympathetic woman as before, yay me. 😦 I let her know that a fraud case had been opened and explained that I was only calling to let her know in case someone actually tried to use the reservation. I certainly didn’t have to call the hotel a second time; I was just trying to do a good thing.
“I’ll let the front desk know.”, she said before hanging up on me for the second time.
From all this, I’ve learned a few lessons which I’d like to share. First, to the lady at the Birmingham/Trussville Hampton Inn, not everyone is guilty until proven innocent. Sure, maybe you do get quite a few customers trying to circumvent cancellation policies, but taking a few moments to listen to me, and to look at the way this particular fraudulent reservation was constructed, might have helped you to see that this isn’t always the case. Having never encountered a situation like this before, I really could have used your help and guidance, not your judgement. If ever I find myself in Trussville, wherever that is, I certainly know where I will not be staying.
Second, no matter how many times we hear it over and over and over again, password security really does matter. Use strong passwords always and don’t be afraid to change them from time to time. If keeping track of multiple passwords is a challenge, know that there are numerous password managers available (some free and some paid) that can help. Password managers can even help generate complex passwords for you, and modern browsers have utilities integrated to make this task even easier. No matter what kind of password you might be able to come up with in your head, it’s probably not as good as a unique, randomly generated password for each site, service, or app you use. Maybe the accessibility of various password managers might make for a good future blog post? Another good best practice is to enable 2-factor authentication wherever available. For those who have never used it, 2-factor authentication generally requires that in addition to providing your login credentials, such as username and password, you must also provide a code which is sent to your mobile phone or other device. This additional code changes frequently and generally can only be used once. While this may seem annoying, the idea here is that even if a person were to obtain your username and password, such as in a data breach, they would not have physical access to the device needed to get the additional code. Ironically, I did have 2-factor authentication enabled on my Hilton account, and while it didn’t help in my specific scenario, it’s still a best practice that I highly recommend.
Third and probably most important, no matter how bad it may seem if you’re unfortunate enough to find yourself in this sort of situation, try and remember that it’s not the end of the world, as I thought it might be for a few panicky minutes. I admit, it was scary watching Email after Email come in, with no idea of why or of what I could do about any of it. And the prospect of suddenly needing to change my Email address everywhere, with no plan in place, seemed absolutely daunting. Truth is though, this all would have been incredibly doable. Annoying, yes, but still doable. One thing that I’ve started doing which others might want to do as well, is to create a list of everywhere my Email address is being used, either as my login ID, or for communication purposes. The list is definitely not complete, but it gives me a place to add to as I think of other sites and services that might have my Email address on file. My thought is that if ever I want to change my Email address, whether planned or unplanned, I’ll have an organized list from which to start.
Ultimately, I’m still not exactly sure what happened or why. If I were to hazard a guess, it would be that somehow my Hilton password was discovered on the “Dark Web”, and that to mask an attempt to use my Hilton points to conduct a fraudulent transaction, a flood of Email was generated. Whether this was the intended tactic or not, it almost worked, because had I not gotten the follow-up notification from the Hilton app on my phone, I would not have given the reservation confirmation Email another thought, figuring it was just one of the many unwanted messages that flooded my inbox. This has definitely served as a reminder to me to be ever vigilant about password security, and I hope my writing this post will encourage others to do the same. Any tips or tricks you use to help with password management? Share in the comments, as your solution might be the perfect solution for someone else reading this post.
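As an added example (not part of the original post), the following Python triage implements the keyword rule described in the second paragraph, but changes what happens to a match: confirmation noise goes to a folder instead of the trash, and anything transactional (a reservation, a charge, points used, a password change) or from an allow-listed sender is diverted to a review folder, because that is exactly the message a flood like this is meant to bury. It also reports the two indicators that distinguish a subscription bomb from ordinary spam: many confirmations in a short time, from many unrelated senders. The sample mailbox, the sender addresses and the allow-list are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    body: str


# The words the post's quick rule keyed on; they catch most subscription-confirmation noise.
NOISE_WORDS = re.compile(
    r"\b(click|confirm|confirmed|subscribed|subscription|newsletter)\b", re.I
)

# Signals that money or an account was touched. Such mail is kept for review even when it
# also says "confirm", because that is what a subscription bomb is meant to hide.
TRANSACTIONAL = re.compile(
    r"\b(reservation|booking|payment|charged|points|order|password|login|sign[- ]?in)\b", re.I
)

# Constructed allow-list of sender domains that are never treated as noise
# (assumption: the reader maintains this list of banks, hotels, airlines and so on).
KEEP_SENDERS = {"hilton.com"}


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def classify(msg: Message) -> str:
    """'review' for transactional or allow-listed mail, 'noise' for confirmation spam,
    'inbox' for everything else. Transactional wins over noise on purpose."""
    text = f"{msg.subject}\n{msg.body}"
    if sender_domain(msg.sender) in KEEP_SENDERS or TRANSACTIONAL.search(text):
        return "review"
    if NOISE_WORDS.search(text):
        return "noise"
    return "inbox"


def triage(messages):
    """Sort messages into folders rather than deleting them; nothing is lost if a rule misfires."""
    folders = {"review": [], "noise": [], "inbox": []}
    for msg in messages:
        folders[classify(msg)].append(msg)
    return folders


def bomb_indicators(folders):
    """A burst of confirmations from many unrelated senders is the signature of a
    subscription bomb; the review folder is where to look for what it is hiding."""
    noise = folders["noise"]
    return {
        "noise_count": len(noise),
        "distinct_noise_senders": len(Counter(sender_domain(m.sender) for m in noise)),
        "review_count": len(folders["review"]),
    }


# Constructed sample mailbox; the .test domains are reserved names, not real senders.
SAMPLE = [
    Message("news@example-weekly.test", "Please confirm your subscription",
            "Click the link below to confirm."),
    Message("list@another-list.test", "You subscribed to Gardening Digest",
            "Click here to confirm your subscription."),
    Message("hello@third-news.test", "Confirm your newsletter signup",
            "Please click to confirm."),
    Message("reservations@hilton.com", "Your reservation is confirmed",
            "Reservation for Friday at Hampton Inn Birmingham/Trussville. "
            "Points used; $5 charged to card ending 0000."),
    Message("alerts@bank.test", "Your password was changed",
            "If this wasn't you, click to secure your account."),
    Message("friend@example.test", "Lunch?", "Are you free Friday?"),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(bomb_indicators(result))
    for msg in result["review"]:
        print("REVIEW:", msg.sender, "-", msg.subject)
```

The same two-tier logic can be expressed in most mail clients' rule engines as two rules in order: a "keep and flag" rule for transactional words and trusted senders that stops processing, followed by the keyword rule that files the rest. When the noise count spikes, the right response is to check the accounts in the review folder, not to empty it.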
2 replies on “An email attack, a Hilton hack, and a few lessons learned.”
Steve – that was quite the story. And as always, I can hear you speaking as I read your writing. Clear, and engaging. Always a pleasure.
That said – down to the business end of this – I’ve found Dashlane to be a very easy to use password manager where they’ve at least taken a poke at a11y, though I can’t speak to their success on that front.
And you’re right – securing our own personal accounts is something that each of us has to take responsibility for, because sooner or later you will get caught in something like your story.
Sort of a side note, but in the vein of protecting ourselves from the dark side, I use Capital One’s Eno to manage my credit card. It gives me a unique credit card number for as many online vendors as I want. All of the unique numbers tie to my specific credit card account, but nobody can see my real account. If a vendor gets hacked, the only number compromised is the Eno number. My source credit card is safe. And it’s all free.
Steve, I am sorry to hear it. What I’m finding most frustrating is that password management is not as simple as it sounds. Theoretically I know what needs to be done, I set up 1password, I pay for the subscription, but amongst all the devices sometimes in a hurry I just add something to the iCloud keychain, and all of a sudden I have two sets of passwords. And when I really need it, I can’t figure out how to find it, not to mention that by now I have over 300 passwords. 1password definitely made it easier, but it is still a nightmare, I read that Microsoft and Google are working on some kind of a solution where passwords as such will not be necessary, not sure how that will work. But I’d rather remember 300 passwords than having a chip built under my skin. Maybe there is something in between.