A journalist who challenged a team of hackers to find out as much information about him as possible has described their findings as “chilling” after they were able to access all of his bank accounts and crack all of his passwords.
Adam Penenberg, a US investigative journalist and editor of technology website PandoDaily, questioned whether anyone was protected from prying online eyes following his experiment with an “ethical hacking team” this year.
Fourteen years ago, Penenberg wrote an article for Forbes magazine in which he paid a private investigator to delve into his personal life.
Within a week, the private investigator was able to uncover astonishing details, including Penenberg’s date of birth, social security number, mother’s maiden name, home address, bank details and stock holdings.
In the new digital era, and in the wake of the snooping scandal surrounding fugitive NSA contractor Edward Snowden, Penenberg decided to repeat the experiment using a team of hackers from SpiderLabs, the advanced research and ethical hacking team at Trustwave.
The hacking team was given only Penenberg’s name, and was asked to perform a personal “penetration test” on him.
The only rules were that they could not break the law and could not involve Penenberg’s children in the investigation.
And their results far surpassed those of the private investigator.
“What I learned is that virtually all of us are vulnerable to electronic eavesdropping and are easy hack targets,” Penenberg wrote on PandoDaily last week following the experiment.
“Most of us have adopted the credo ‘security by obscurity’, but all it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy – and, if they choose, to wreak havoc on your finances and destroy your reputation.”
On August 20, SpiderLabs’ three-member team flew to New York and staked out Penenberg’s home.
They also sent an email containing a malware link to Penenberg’s wife Charlotte, who owned a pilates studio nearby.
When Charlotte clicked on the link, the hacking team had complete access to her laptop whenever she was on the internet.
On the laptop were the family’s social security numbers, income details, copies of credit card and banking statements, as well as a password for the family’s home router.
“More frightening, they discovered her password and log in to our Chase online banking account,” wrote Penenberg.
“They could, if they wanted to, have wiped us out financially.”
On the computer, they also discovered passwords for several online accounts, including Penenberg’s Amazon account.
While that might seem a minor security issue, the password Penenberg used formed the basis for all of his online passwords.
“Because I can’t possibly remember every single one to every site I use not only do I reuse passwords, I also have come up with an informal formula to create them,” Penenberg wrote.
One of SpiderLabs’ team members was an expert in computer forensics, and soon cracked all of Penenberg’s passwords.
The hacking team broke into his Twitter and Facebook accounts, leaving cryptic messages, and also ordered 100 plastic spiders from Amazon to let Penenberg know they had infiltrated his account.
They also cracked his iCloud password, and activated the Find My iPhone app, before putting both his iPhone and laptop devices into “stolen mode”.
The first Penenberg learned that his devices had been breached was when, while teaching a class at New York University, his laptop and phone both shut down.
“As for me, since we concluded this exercise I’ve changed my passwords and log ins but I don’t delude myself into thinking I’m protected from prying eyes — the government’s or anyone else’s, if they belong to someone with the right combination of skills, resources and determination,” Penenberg wrote in his article.
“And if I’m not safe, are you?”