DEV Community


Posted on

I’m sorry I accidentally hacked your account

This post was brought over from my Medium account, because they've started asking me to pay to read content there. It was originally published on July 1, 2017.

Backstory: There is a woman out there who shares my first initial and last name, and who thinks my email address is hers. She’s been signing me up for various online services for years now. I’ve gotten invitations to job interviews for her, flight itineraries and updates, shopping coupons, and more, and I’ve always felt a little bit bad that I had no way to contact her about the more important ones. Emailing her via the only address I have for her — mine — didn’t seem like a recipe for success.

This morning I was digging through my spam folder looking for an email I was expecting (from AWS Support, because I locked myself out of my account, because I’m wicked smart and technically savvy, too) when it came to my attention that Bigwilly69 (probably not his real name) has taken a liking to me. This information came in the form of an email from a popular online dating site.

Being the security-minded sort that I like to think I am, I immediately assumed that one of two scenarios was playing out:

  1. This was a weak spam or phishing attempt.
  2. Someone signed up to this site with my email address to effect spamming or phishing activies.

I checked the links in the message by hovering (not clicking; don’t do that) on them. They legitimately go to the site they purport to go to. I checked the email headers. The message really did originate from this site’s outbound mail server. Okay, the message is legitimate (sort of), this is scenario two, someone used my email address to sign up with this site. I still don’t know why and I don’t really care, I just don’t want to get email about it. So I hit the unsubscribe link (first making sure it goes where I think it should go, of course).

No good. You have to log in to change mail preferences, and since this isn’t a real account — or at least isn’t mine — I don’t know the password.

But the account is attached to my email address. I can reset the password! I started off having no intention of logging into this account, but it seems I have to. And, if I’m honest, I’m sort of curious what sort of sinful debauchery Bigwilly has in mind for us. Who knows, maybe I’m down?

Boom. I’m in. This account has been “pwned” as they say. I am so legit. (Shut up, I am too. It counts. Let’s not discuss that this all started because I couldn’t get into my own AWS account, I still got into this one.)

So now that I’m in, why just unsubscribe from the emails? Why not shut it down? That will remove a single vector from this spammer/phisherman’s available attack surface. Every little bit helps.

I’m poking around trying to figure out how to close the account when I stumble upon the profile settings. And I recognize the name. Remember the backstory? Yeah, it’s her. This isn’t a spam or phishing account, this is her real account and I just took it over. Curse these mad skillz!
A quick peek out the curtains to see whether the FBI SWAT team had arrived yet revealed that I still had time to explain myself and maybe shave a few years off of my sentence. Some clever online sleuthing brought me to her Facebook profile (and by clever sleuthing, I mean that I searched Facebook for her name and she popped up immediately).
I sent her a message explaining what happened, and how, and why, and gave her the new password for her account. I hope she sees it, and I hope she has a sense of humor about it.

But just in case: I was with you guys all day.

Top comments (0)