We are learning about site security this week, and have been asked to share stories of websites we know of that got hacked: how it happened, how they fixed it. I’ve asked an acquaintance at the Mono Lake Committee to share what happened when their site was recently defaced, but until I get the inside story on that, I really don’t know of any websites that were hacked. I do know of an email account that got phished, though.
It was the webmaster email account of the site I used to be webmaster for: the new webmaster got phished. So embarrassing! I saw the email, and it was pretty obvious to me, but she had the flu and was barely keeping up with the email, and for some combination of those reasons and carelessness, she bit. It was a Yahoo! account, and we had tons of addresses saved in it (mainly to keep emails from going into the spam folder, but also for reference), and the phisher sent out emails to all the contacts saying the webmaster was stuck in Europe and needed money. It was obvious to everyone who got it that it was more phishing, but in the meantime the webmaster was locked out of her email account, where job postings and events and all sorts of web updates came in daily. She had to frantically email everyone to not respond to the phishers, apologize, and set up a new email account for online forms, at the same time as working with Yahoo! to regain access to her account, change the password and lock out the hackers.
The annoying thing for me, as former webmaster, is that she never changed all the emails on the website. Even though she regained access to the Yahoo! account, she switched to a Gmail account, as they are so much better at filtering spam and phishing emails. But the old email account was on practically every page of the website! And it was not a dynamic site, or even one made with templates; each page was separate. However, all she had to do was a global find and replace in Dreamweaver. Except it was more complicated than that, as the emails on the site were disguised with Spam Vaccine, but it would have only taken a few passes to get all the old email addresses updated, and if it were me, I would rather have changed them all by hand than leave them on the site! Sloppy.
Of course that sloppiness is what got her phished in the first place.
Lesson: even if you are fairly tech savvy, you still need to “make haste slowly” to avoid making a fatal error.
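The find-and-replace described above (rotating a compromised contact address across a hand-built, one-file-per-page site), written out as an added example. This is not code from the original post and it is not a Spam Vaccine utility: the post does not say how Spam Vaccine disguised the addresses, so the script assumes the common obfuscation of encoding each character as an HTML numeric character reference (decimal or hex) and handles plain-text occurrences as well. The addresses, file names and sample pages are constructed for the example.

```python
"""Rotate a published e-mail address across a static HTML site.

Matches the old address whether it appears as plain text or encoded as
HTML numeric character references (decimal or hex), and replaces it with
the new address in the same encoding style, so obfuscated pages stay
obfuscated. Added example; the encoding scheme is an assumption.
"""
import re
from pathlib import Path

# Hypothetical addresses; the real ones are not on the page.
OLD_ADDRESS = "webmaster@example.org"
NEW_ADDRESS = "webforms@example.org"


def encode_decimal_entities(text: str) -> str:
    """Encode every character as a decimal reference, e.g. 'a' -> '&#97;'."""
    return "".join(f"&#{ord(c)};" for c in text)


def encode_hex_entities(text: str) -> str:
    """Encode every character as a hex reference, e.g. 'a' -> '&#x61;'."""
    return "".join(f"&#x{ord(c):x};" for c in text)


def address_pattern(address: str) -> re.Pattern:
    """Regex matching `address` with each character written either literally,
    as a decimal reference or as a hex reference (leading zeros tolerated)."""
    parts = []
    for c in address:
        cp = ord(c)
        parts.append(f"(?:{re.escape(c)}|&#0*{cp};|&#x0*{cp:x};)")
    # IGNORECASE also accepts upper-case hex digits and '&#X'; the address
    # itself is therefore matched case-insensitively, which is fine here.
    return re.compile("".join(parts), re.IGNORECASE)


def replace_address(text: str, old: str, new: str):
    """Return (new_text, replacements), keeping each match's encoding style."""
    pattern = address_pattern(old)

    def repl(match: re.Match) -> str:
        found = match.group(0).lower()
        if "&#x" in found:
            return encode_hex_entities(new)
        if "&#" in found:
            return encode_decimal_entities(new)
        return new

    return pattern.subn(repl, text)


def rewrite_pages(pages: dict) -> dict:
    """Rewrite an in-memory {name: html} mapping in place; return
    {name: replacements} for the pages that changed."""
    report = {}
    for name, content in pages.items():
        updated, n = replace_address(content, OLD_ADDRESS, NEW_ADDRESS)
        if n:
            pages[name] = updated
            report[name] = n
    return report


def rewrite_site(root: Path) -> dict:
    """Same as rewrite_pages, but over every .html/.htm file under `root`."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in {".html", ".htm"}:
            continue
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        updated, n = replace_address(original, OLD_ADDRESS, NEW_ADDRESS)
        if n:
            path.write_text(updated, encoding="utf-8", errors="surrogateescape")
            report[str(path)] = n
    return report


# Constructed sample pages standing in for the separate, hand-built pages.
SAMPLE_PAGES = {
    "index.html": f'<a href="mailto:{OLD_ADDRESS}">Contact the webmaster</a>',
    "events.html": (f'<a href="mailto:{encode_decimal_entities(OLD_ADDRESS)}">'
                    f'{encode_decimal_entities(OLD_ADDRESS)}</a>'),
    "jobs.html": f"Send postings to {encode_hex_entities(OLD_ADDRESS)}.",
    "about.html": "<p>No address on this page.</p>",
}

if __name__ == "__main__":
    pages = dict(SAMPLE_PAGES)
    print(rewrite_pages(pages))
    for name, content in pages.items():
        print(name, "->", content)
```

Run against a real site with `rewrite_site(Path("path/to/site"))` after taking a backup; the returned report lists which files still carried the old address and how many times, which is also the check that nothing was missed. A page that contains zero matches after the run is the goal, so a second pass that reports an empty dict confirms the rotation is complete.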