Here's a lesson in online security: Passwords are important. They keep your information safe. Crucially, they also prevent other people from impersonating you.
Unfortunately, one of The Switch's readers learned that the hard way. On a story explaining how the Heartbleed bug could slow down the Internet, a commenter scoffed at the "Heartbleed thingamajig," arguing that the Internet's handwringing over security was mostly overwrought:
I couldn't give a flying fig about the Heartbleed thingamajig. Two years already the thing has been running loose ... and not a word of someone crying over its damage. Say ... does anyone really know its origin? Russian crackers? Seattle high-schoolers? the NSA? Yahoo's marketing department?
The reader went on to post the two passwords he uses on a regular basis across all of his main accounts, inviting hackers to
read all the eMail I have. Sneak into my WaPo, NYT or CNN accounts and go crazy making comments in my name. Break-into my Facebook or Twitter profiles and change my hometown to Gas City Indiana, swap-out my avatar with a picture of your nads, make friends with people I don't know.
Several other readers tried to point out how dangerous this was — to which the original commenter wrote, "Wow ... that's like attacking a brave guy 'cause he isn't foolish enough to be reckless."
Predictably, inviting the worst led to the worst.
The reader's accounts on Tumblr, WordPress, Twitter and Facebook all appear to have been hacked in short order. The reader's location on Twitter now reads as Gas City, Indiana, just like the commenter asked, and the account has several mocking tweets. I've obscured the reader's name here to protect his identity, even though he seems intent on getting it stolen.
"OK, Perhaps putting my password on a national news site is not so good," the commenter's WordPress blog reads. "I actually posted my password ... on a national news site, as well as bragging that my doors were open and I have no AV [antivirus] software. I see my Facebook was hit first, but perhaps I didn’t think that if someone gets access to my email, they have access to my bank, credit cards, most anything. Ooops!" (Note: the WordPress post is written in the first-person voice, but from the context it sounds more like whomever hijacked the WordPress account was impersonating the reader.)
Now, there are other ways to explain what happened here. It's possible that this is a hoax — somebody set up fake accounts on these various services and deliberately hijacked them to manufacture a story from nothing. But the lesson is no less valid: Share your credentials online, and you won't have to worry about getting hacked — you'll have done all the hard work for the criminals.
The reader did not respond to multiple attempts to contact him.
More tech news: