So what the hell happened to us?

*This post contains Amazon affiliate links.*

Hey all!

Mouse here. Serious post today. I have something really important to share.

So, you may have noticed that I haven’t posted a lot in the last few months. Sure, I’ve been super busy. But that’s not why.

My website got hijacked.

Hijacked, like a plane. Like a stagecoach in the Old West.

You heard me right. Hackers stole this very domain, thehungrymouse.com, and from mid-March to mid-May, I had absolutely no control over it. This website. The very one that you’re reading right now.

I *just* got it back.

Domain theft is a very real thing

Wait, what?

I know.

If you haven’t heard of domain theft before, it sounds crazy. After all, domain names are pretty intangible and live in cyberspace. But, domain names are a commodity, and are subject to theft just like other property. That is, if someone can figure out how to pull the rug out from under you.

(In fact, read about the first ever criminal prosecution for domain name theft here, which actually also involved my registrar, Network Solutions.)

It happened to me. It could happen to you.

If you’re a blogger, please pay attention. If you know someone who runs a website, please pass this along. Because I honestly had no idea that this could happen. If I did, I could have prevented it.

Let me tell you what happened

The FBI is actually still investigating this for me, so I can’t give you all the details. But here’s the 30,000-foot view.

Right around mid-April, right when my book released, I tried to log in to The Hungry Mouse to write a new post.

I couldn’t get in.

Now, blog software can be finicky, so I contacted my host to find out if something was wrong, or if I was somehow bugged. The website looked fine on the front end. All my content was live and looked to be in good order, so I was sure it was just some kind of glitch.

My host called me an hour later and told me that there was a big problem. They said that it looked like I actually no longer owned my domain name. According to the WhoIs record, some dude in China owned it. And, to make it worse, the domain had been transferred to a registrar in China.

“China?!?!,” I screeched.

“Yes, China,” they said.

My host also told me that early in March, someone had made a complete copy of all my files and downloaded them.

They advised me to call my registrar, Network Solutions. Network Solutions confirmed what my host told me, and directed me to their fraud department.

The fraud guys at Network Solutions informed me that my domain had been transferred to the Chinese registrar in mid-March, about a month earlier.

They said that the transfer appeared to have been done legitimately through the email address they had on file for me, despite the fact that my Network Solutions account was accessed by an IP in Japan—not Salem, MA, where I’m based.

What’s more, the domain was pointed to my copied files, which had been installed on servers at CloudFlare out in California.

Why would someone do that? Usually domains are hijacked and the content is changed to something super lucrative (think porno or Viagra ads) immediately. They left my content completely intact. So strange, right? Hold that thought for a sec.

Network Solutions promised to investigate and get back to me.

Nancy Drew, Mouse Detective

In the meantime, I did some digging on my own. I scanned my computer. I looked back through my email for odd messages.

Finally, as I was poking around in my Gmail settings, I discovered filters set to automatically delete any emails from both my host and my registrar. This means someone cracked my Gmail to make sure that I wouldn’t receive any notification that changes were being made to my domain.

Because I didn’t receive those notification emails, and I wasn’t in the habit of regularly checking my registration, I had no idea this was going on.

(Can you see me fuming…and feeling like the biggest idiot in the world right about now? Thought so.)

I’m more vigilant than the average girl with all my online stuff, but I don’t root around in the dusty corners of my Gmail settings every day. I don’t think many people do. But you should. (That’s Lesson Numero Uno from this debacle. More on that in a bit.)
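Checking for filters like the ones described above can be scripted. This is an added example, not part of the original post: it reads a filter listing in the JSON shape returned by the Gmail API's `users.settings.filters.list` call and flags every filter that deletes, archives, marks as read or forwards mail, rating it high when it targets your registrar or host. The sender domains, keywords and sample listing are made-up assumptions.

```python
import json

# Constructed sample in the shape of a Gmail API filter listing.
# All ids and addresses are made up for illustration.
SAMPLE_FILTERS_JSON = """
{
  "filter": [
    {"id": "f1", "criteria": {"from": "newsletter@recipes.example"},
     "action": {"addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {"from": "support@registrar.example"},
     "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f3",
     "criteria": {"query": "from:(billing@webhost.example OR noreply@webhost.example)"},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f4", "criteria": {"subject": "domain transfer"},
     "action": {"forward": "someone@elsewhere.example"}},
    {"id": "f5", "criteria": {"from": "promo@shop.example"},
     "action": {"removeLabelIds": ["INBOX"]}}
  ]
}
"""

# Assumptions: replace with the domains your registrar and host really mail from.
WATCHED_SENDERS = ("registrar.example", "webhost.example")
WATCHED_KEYWORDS = ("domain", "transfer", "renewal", "password")


def hiding_actions(action):
    """Return the ways a filter action keeps mail out of the owner's sight."""
    found = []
    if "TRASH" in action.get("addLabelIds", []):
        found.append("delete")
    removed = action.get("removeLabelIds", [])
    if "INBOX" in removed:
        found.append("skip inbox")
    if "UNREAD" in removed:
        found.append("mark read")
    if action.get("forward"):
        found.append("forward to " + action["forward"])
    return found


def criteria_text(criteria):
    """Flatten every criteria value (from, subject, query, ...) into one lowercase string."""
    return " ".join(str(value) for value in criteria.values()).lower()


def audit_filters(listing, watched_senders, watched_keywords=()):
    """Report each filter that hides or redirects mail.

    Severity is 'high' when the filter's criteria mention a watched sender
    or keyword, otherwise 'review' (hidden mail, but not obviously critical).
    """
    findings = []
    for flt in listing.get("filter", []):
        actions = hiding_actions(flt.get("action", {}))
        if not actions:
            continue  # labelling-only filters do not hide anything
        text = criteria_text(flt.get("criteria", {}))
        matched = [s for s in watched_senders if s.lower() in text]
        matched += [k for k in watched_keywords if k.lower() in text]
        findings.append({
            "id": flt.get("id"),
            "severity": "high" if matched else "review",
            "matched": matched,
            "actions": actions,
        })
    return findings


if __name__ == "__main__":
    listing = json.loads(SAMPLE_FILTERS_JSON)
    for finding in audit_filters(listing, WATCHED_SENDERS, WATCHED_KEYWORDS):
        print(finding["severity"].upper(), finding["id"],
              ", ".join(finding["actions"]), "| matched:", finding["matched"])
```

Any filter you don't remember creating deserves a look, even at the "review" level, because a forwarding rule is just as useful to an intruder as a delete rule.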

So, per the protocol for this sort of thing (because domain theft is so common that there’s actually a protocol for it), Network Solutions started talks with the Chinese registrar, and made the case that the domain had been fraudulently transferred.

There’s no question that I am the owner of The Hungry Mouse. I have four years of national press and a published cookbook under my belt. Not to mention a closet full of receipts, account statements, and tax returns. You get the picture. I could jump up and down and scream about justice all I wanted.

The question was whether the Chinese registrar was going to play ball with us.

I should note here that the Chinese registrar may or may not have known that my domain was stolen. Think of this registrar like a bank that had criminal funds in one of its accounts. Unless there’s a reason to investigate, the bank probably isn’t going to ask where that money came from. Sort of the same thing here.

Where can you turn when your domain is stolen?

While we were waiting to hear back from the Chinese registrar, we contacted everyone and anyone we could think of who might be able to help.

We were advised not to make an immediate public announcement about the theft because of the investigation. Also, since the site was up and running, and not distributing any kind of virus or malware, all it would do was grind The Hungry Mouse to a halt.

So we waited, very uneasily. (During this time, as you might imagine, we had to cage and sedate The Angry Chef.)

In the meantime, we found a bang-up intellectual property attorney and talked about our options.

We called the Massachusetts Attorney General to report business fraud.

When the Mass Attorney General didn’t get back to us, we called Senator John Kerry’s office, who we know has an interest in cyberterrorism.

The folks at Kerry’s office were great. (Thank you all, again!) They made a bunch of phone calls, and ultimately put us directly in touch with the FBI.

I love the FBI

Now there’s a phrase I never thought would make it into one of my posts.

Like I said, because there’s an ongoing investigation, I can’t tell you that much about the Special Agent in charge. Suffice it to say, he’s more than earned a lifetime supply of cakes and cookies from The Mouse Empire.

(And yes, I somehow manage to refrain from calling him Mulder. Don’t ask me how.)

There’s a lot more that I just can’t talk about right now, but that should give you a pretty good idea of what happened.

How I ultimately got my domain back

Fast forward to about two weeks ago.

Network Solutions emailed me with great news. Based on the evidence presented, the Chinese registrar had agreed to return the domain to us.

A week or so later, it was safely back in our paws, where it belongs.

Basically, we got lucky. The other registrar decided to cooperate. The whole thing could have been a lot harder. (See below.)

Now, the FBI are still investigating. We’ll see if they catch the bad guys.

Interesting fact. I learned that if the FBI can figure out who did this, but won’t prosecute for whatever reason, they’re bound by recent victim legislation to turn the perpetrator’s information over to me.

Rest assured, if the party responsible for the theft is on U.S. soil, I’ll bring the biggest, baddest civil case right to their door, complete with bells, whistles, and complimentary, homemade mints.

Why did they do it?

Honestly, we’re still not sure. And I’m not 100% convinced that I even care.

As personal as it may feel, we’re sure it wasn’t. Whoever did this has most likely done the same thing to a bunch of other websites, and will do it to a bunch more before they’re caught.

When it comes down to it, I’m a regular girl who works a full-time job, and runs this website because I truly love to teach people how to cook. I just happen to own something that someone else wanted to use to make a couple of bucks.

Our best guess is that they were after ad revenue based on our traffic. (The Hungry Mouse gets about 200,000 unique visitors a month.) They tried installing their own Google AdSense code on the site on three separate occasions, each of which I had shut down through Google.

I just thank the gods we don’t store customer data or credit card information.

Where can you turn if your domain has been stolen?

Aside from what I outlined above, there’s actually a whole procedure for disputes about domain names. Read more about it here.

In fact, there’s a whole organization, called ICANN, that’s dedicated to the global care and feeding of domain names.

Basically, I would have had to file a dispute, and pay to have it arbitrated. That’s a process that, before attorney’s fees, can cost a couple grand and take months.

10 Tips for Blog Security

There are surely better sources for website security than this post. Please seek them out. (Please!) I’m by no means an internet security expert, and I’m not making any claims that this stuff will make your site hacker proof. That said, here are a handful of things that should make your blog harder to steal.

1. Make sure your email is secure

This is the big one. If you use Gmail for email, turn on two-step verification. Basically, this service ties your email log-ins to specific browsers on specific computers. (As in, I can only log in to my email on Google Chrome on this computer, etc.)

If you try to log in anywhere else, Gmail requires you to enter a special code that you receive by cell phone.

So, even if someone manages to hack your username and password, they won’t be able to get into your Gmail if they don’t have your phone. Here’s more on how that works.

Why is email security so important?
Think about it. If someone hacks your email, they can use your messages to figure out what kind of online accounts you may have.

For example, say they try to log in to your Amazon.com account. They use your email address to sign in, but say that they lost their password. They get a password reset message sent to them at your email that they now control, they use it to create a new password, and…bingo! They can access your Amazon.com account. (And you can’t, because they reset your password.)

Rinse and repeat with your bank account, your PayPal account, and whatever else they can find via your email. Sure, some of those sites will probably have other security measures in place around password resets, but some won’t. Do you want to find out the hard way?

The two-step verification thing can be a huge pain in the ass, but it’s well worth it. Funny enough, someone told me that Google came up with it because they originally got hacked by the Chinese.

2. Make your domain registration private

When most bloggers register a domain name, they use their home address on their account. When you make your registration private (a service that I believe most registrars offer), your address isn’t published publicly with the domain listing. You can see who is listed as the owner of any domain name by doing a “whois” lookup. Hit this website (or the site for any big registrar), enter any domain name, and see what I mean.

3. Max out your security with your registrar

Whatever your registrar and/or host offer for security, you probably want it. Every company will have different services. Find out what your providers offer and see what makes sense for you.

4. Use smart user names & passwords

Make them complicated and unintelligible. Use symbols, numbers, and upper and lower case letters. Forget about using your birthday. Don’t use your dog’s name. Change your username from “admin” to something else. And don’t, whatever you do, use the same password for your email, your blog log-in, and your ATM PIN. Because if someone cracks one password, they can probably get into all your accounts associated with it.

5. Change your password every 90 days

My friends at the FBI told me that most stolen passwords kick around for a while before they get used. Change your passwords at least every 90 days.

6. Install security plugins on your blog

Do some research and find out what the best security plug-ins are for your particular blogging software. Install them. Keep them up to date. Monitor them. Don’t skimp on the antivirus software on your computer, though I’ve been advised that a lot of the off-the-shelf programs aren’t super up to date, and if a hacker really wants your site, they’ll write custom code to try to get it.

7. Back your content up

This is a basic one, but it’s one that not everyone does regularly. Back up all your files to some kind of external drive or cloud, so that if the worst happens, at least you still have a copy of all your data.

8. Document everything

Keep good records. If your domain is hijacked, or if your email is hacked, take screenshots of everything you find, and keep a running Word doc with notes. It’s a frazzling time, and little details that might be important can slip through the cracks.

9. Don’t assume it can’t happen to you

I don’t store customer data or credit cards. I have nothing that a hacker might want except my content or my traffic. You never know what motivates a criminal. And frankly, it doesn’t really matter much once they have your stuff. Be preemptive. The best offense is a good defense, and all that.

10. Be vigilant

Don’t assume that the companies you do business with always have your best interests at heart. You’re responsible for keeping yourself as safe as you can. Check your accounts frequently. Change your passwords frequently. Alert companies about any sketchy activity you notice. Don’t log in to super sensitive accounts over public wifi, or on public computers. If it’s important to you, don’t get lazy about it. Read about online security. Talk to people you know who work in the field. Put what you learn into practice.
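The “whois” lookup from tip 2 can be turned into the regular check that tip 10 asks for. This is an added example, not part of the original post: it compares a saved copy of a domain's WHOIS record with a fresh one and reports a changed registrar, owner email or name servers, plus a missing transfer lock (the standard `clientTransferProhibited` status that a registrar lock sets). Both WHOIS records are constructed samples with made-up names, and the field labels assume the common "Key: value" registry layout.

```python
# Constructed WHOIS output; every name and address below is made up.
BASELINE_WHOIS = """\
Domain Name: EXAMPLE-BLOG.COM
Registrar: Example Registrar, Inc.
Updated Date: 2012-01-10T05:00:00Z
Registrant Email: owner@mail.example
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.WEBHOST.EXAMPLE
Name Server: NS2.WEBHOST.EXAMPLE
"""

CURRENT_WHOIS = """\
Domain Name: EXAMPLE-BLOG.COM
Registrar: Some Other Registrar Ltd.
Updated Date: 2012-03-14T08:11:02Z
Registrant Email: stranger@elsewhere.example
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.OTHERDNS.EXAMPLE
Name Server: NS2.OTHERDNS.EXAMPLE
"""

TRANSFER_LOCK = "clientTransferProhibited"


def parse_whois(text):
    """Parse 'Key: value' lines into {lowercased key: [values]}; keys may repeat."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comment/banner lines and anything that is not a field.
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value:
            record.setdefault(key.strip().lower(), []).append(value)
    return record


def first_value(record, key):
    """Return the first value for a key, or an empty string when it is absent."""
    values = record.get(key)
    return values[0] if values else ""


def snapshot(record):
    """Reduce a parsed record to the fields that change when a domain is hijacked."""
    return {
        "registrar": first_value(record, "registrar"),
        "registrant_email": first_value(record, "registrant email").lower(),
        "name_servers": sorted(ns.lower() for ns in record.get("name server", [])),
        # A status line is '<code> <url>'; keep only the code.
        "statuses": sorted(s.split()[0] for s in record.get("domain status", [])),
        "updated": first_value(record, "updated date"),
    }


def compare(baseline, current):
    """Return a list of human-readable alerts; an empty list means no drift."""
    alerts = []
    for field in ("registrar", "registrant_email", "name_servers"):
        if baseline[field] != current[field]:
            alerts.append(f"{field} changed: {baseline[field]!r} -> {current[field]!r}")
    if TRANSFER_LOCK not in current["statuses"]:
        alerts.append(f"transfer lock ({TRANSFER_LOCK}) is not set")
    if baseline["updated"] != current["updated"]:
        alerts.append(f"record updated: {baseline['updated']} -> {current['updated']}")
    return alerts


def check_domain(baseline_text, current_text):
    """Compare two raw WHOIS texts and return the alerts."""
    return compare(snapshot(parse_whois(baseline_text)),
                   snapshot(parse_whois(current_text)))


if __name__ == "__main__":
    for alert in check_domain(BASELINE_WHOIS, CURRENT_WHOIS):
        print("ALERT:", alert)
```

Have the result sent to an address other than the one on file with your registrar, so a compromised mailbox cannot hide the alert.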

The bottom line?

Our lives increasingly revolve around the Internet, whether you run a website, or just use the internet.

Stop for a minute and think about how some of the most valuable things in your life are probably also the most intangible.

I’m talking bank accounts. (Do you keep a big pile of cash in a safe in your house? Or is your life savings represented by a number you see on your bank’s website?)

I’m talking credit cards. (Do you pay your credit cards online via instant transfer from your bank? Are your credit cards tied to your PayPal account? Do you receive e-statements for all of your accounts via email?)

I’m talking e-mail. (Do you back up your email or keep paper copies? Or does all of your important correspondence live only in your inbox?)

I’m talking commerce accounts. (Do you buy everything in person in a store? Or do you purchase half your stuff online and pay using your PayPal account…that’s tied to an email account that has a password you never change…which happens to be your birthday, your cat’s name, or something else really easy to guess?)

You see where I’m going with all this.

I’m not suggesting that everything online is insecure. Not at all.

I am suggesting, however, that security and smart behavior are more important than ever as we do more and more personal stuff and business online.

So?

Be smart. Be safe. Stay on top of your accounts and your computer, and make sure you keep whatever security measures you take up to date.

Please leave a comment

If you have insights, questions, or other tips about blog security, please leave a comment!

We’ve recovered now, but we did actually treat this like a case of full-on identity theft. That means we changed ALL our financial accounts over, alerted credit bureaus, modified all of our online accounts, etc. As much as we want to forget what just happened to us, it was really important to tell this story, because we don’t want it to happen to anyone else.

And now, back to the kitchen! Even though summer’s coming, I can’t shake the urge to start baking.

Talk to you soon!

+Jessie

Jessie Cross is a cookbook author and creator of The Hungry Mouse, a monster online food blog w/500+ recipes. When she's not shopping for cheese or baking pies, Jessie serves as an Associate Creative Director at PARTNERS+simons, a boutique ad agency in Boston. She lives in Salem, Massachusetts with her husband and two small, fluffy wolves.

79 COMMENTS

  1. OMG! I wondered where you’d gone!!
    Strangely just this past Monday, FB notified me that someone from Japan tried to access my account.
    And even stranger, I keep getting emails from someone in China asking me to contact them about a “business deal.” He addressed me by name in the email and is sending me the email (as opposed to multiple people like scammers usually do).

    So thank you for this reminder. I’m going to make some changes pronto.

  2. Whoa! That’s crazy. I was wondering what happened to my fav. blogger, but figured you were just super busy with the cookbook. I don’t have a blog, but about six months ago my fb, email, and then my paypal were jacked in that order. I had BIG charges on my paypal account that took a while to fight. I couldn’t imagine my property being stolen like that. Good for you for getting what was yours back! (And I’m now off to change my email password again. I have a bunch of accounts linked to it)

  3. Can you please put the RSS feed back to full posts? I love your blog (and am sorry about what happened!) but don’t have time to click through to every post. Please please!

  4. Girl I am so used to seeing your posts on FB now that I have to sadly admit I only look at your actual site every now and then (usually when you draw my attn to it on FB). I had no idea this had happened, but I am glad you got your prized possession back still intact. AND oh boy if they let the Angry Chef have these jerkoffs’ info and they live even remotely within his reach……I’d pay to see THAT one! heheheh *big hugs for you both*

  5. As added security for your email (or any other) passwords, you may want to look into LastPass, a password manager/form filler. I’ve been using them almost since their beginning (about 4 years now) and they just keep getting better and better.

  6. Wow, that is nuts. I knew people could mess with blogs and websites but had no clue that the domain could actually be stolen! I’m glad you were able to get it sorted out in the end and the other registrar actually worked with you. Thanks for the advice.

  7. Hi Jessie!

    Can’t believe what happened! Glad you got it back. It is crazy to read that this actually happened. Any plugins you recommend? I am searching for some and will post back my findings…

    However, I can recommend http://myows.com/ to protect your Copyrights. They just added a function where you can add your RSS feed so any content you create will automatically be Copyrighted under your name. You can never be too safe!

  8. I had something somewhat similar happen 4 years ago and the FBI got involved. What a nightmare but I appreciate you sharing what you’ve learned throughout it all!

  9. Hello! Thank you so much for posting this! It couldn’t have been easy to get this all down and drudge through it just when you got your site back. My wallet was stolen a few months ago – minor in comparison I know – but even though my cards were shut down relatively fast I am still dealing with the fallout in small, unexpected ways. I cannot begin to imagine how getting my entire site hijacked would feel. How AWFUL! I’ll make sure to pass, post and tweet this on so others are aware. I had NO idea this was even possible!

  10. I’m so sorry this happened to you! As a former intellectual property litigator, I dealt with this stuff all the time (back in the wild wild West of the mid-90’s, no less!). I’ve been hacked numerous times (clearly just for sport, I don’t have near the traffic you do) and we had a personal case of identity theft about 2 years ago that lit our hair on fire. I use eWallet now – keeps track of all your passwords, user names, etc. and will generate wildly funky/difficult passwords for you, so you can change ’em up regularly and not have to remember them (because now, I’m a writer, Wellness professional and housewife and my brain is not what it used to be!). Cheers to your success in getting the domain back, though! Power to the Mouse!

  11. Wow, crazy! Sorry that happened to you. Thank you so much for sharing with all of us how to possibly avoid this happening to others. Glad you’re back.

  12. I’m really, really glad that everything worked out for you! I’ve seen thefts like this in the past that have gone badly, and I’m glad that whatever registrar employee in china was willing to work with you. I can’t imagine what I’d feel like if someone hijacked my site(s)

  13. WOW! That is one amazing story! I’ll share it with blogger friends ASAP!
    Hope to get a nice yummy post from you soon…

  14. Wow, thanks so much for the heads-up and for that information! I am already diligent about changing my passwords frequently and using different passwords for different applications but had no idea about the Gmail thing. So glad that your story has a happy ending and, thanks to the lessons learned and conveyed, you will probably prevent the same thing happening to so many others.

  15. HOLY MOLY! That is scary stuff right there! Who would have thought? Don’t people have better things to do than to sit around and hack other people’s blogs? I’m glad you got your blog back and thank you for all the helpful information!

  16. Geez louise, I cannot believe this happened to you and that this can happen. I really had no idea! Thank you for sharing this info…so glad your senator’s office and the FBI got involved. This is serious…if it’s this easy to take over your site or anyone’s domain, someone not involved with the FBI or a foreign entity could take over fbi.gov or any number of government sites. This just boggles my mind.

  17. Thank you for this post and the enlightenment in it. Your horrendous experience only serves to remind us all to take every precaution we can to protect what we treasure. I had no idea that this kind of thing could happen.
    Enjoy getting your hands back into the flour!

  18. I WAS wondering if you’d tired of the blogging world!!! Thank you SO much for sharing your experience with us… you are not only incredibly entertaining to read but always so informative! (and I have to share this with you, I find it amusing that the “secret code” for submitting this very post has the word “mob” in it) 🙂

  19. Eeeek! Now I’m just terrified because the person who transferred my website over from WordPress.com to WordPress.org is the same person who registered my domain name for me. She told me that her clients find it easiest to have her keep track of the domain registrations, since it’s really easy to forget about a renewal and then lose the domain name in a split second. She gave me a VERBAL agreement and a very non-professional written agreement stating that I can request that the domain name be transferred to my name at any time. I’m just afraid that if I ask her to do it (which I now ABSOLUTELY want to do) that she’ll refuse…hold a grudge for losing my business… and I’ll be in your shoes!

    • Hey lady,

      Based on what you’ve said in your comment, it sounds like you hired her. So, if she works for you on your site, she shouldn’t give you any grief about putting your domain name in your name. I definitely think you should own and be in control of everything you publish. It’s fine to hire folks to help you out on the tech/admin side, but I would be very wary of putting that kind of control in someone else’s hands. Especially when it’s your content. (Even if she’s 100% ethical, what happens to your domain if she goes out of business, gets sick, or disappears?)

      That said, I don’t know the nature of your relationship, so it could be OK. But my gut is telling me that you don’t trust her on some level. However you deal with getting it into your name, make sure that you email the woman to create a paper trail (even if you talk to her on the phone), just in case you need it.

      About domains expiring. Yes, that’s definitely a concern. And it does happen if you’re careless. However, most hosts will have an option to set your domain to auto-renew. Depending on who your host is, you should also receive several emails as your domain name is coming up for renewal.

      It comes down to this. Know when your domain expires. Mark it on your calendar. Then mark it a few months before that to renew it. If it’s important to you, you won’t forget. After all, you’re the one in charge. 😉

      Hope that helps. Good luck!

      +Jessie

    • Becca, ask for ownership of your domain NOW! If you have problems, report her to wordpress.com and to wordpress.org. I can’t imagine she would want to own your domain… but if you gain traffic it could be very valuable.

  20. Jessie, I read this last night and was completely floored that something like this could happen! I’m so sorry you had to go through this–but if any good can come of it, it’s letting other site owners know that it could happen. So thank you for that. I’m taking steps today that you outlined in this post to try to prevent this from happening.

    Happy you’re back!

  21. Wowzers! This is crazy, Jessie. I popped over here from the Food Bloggers Friends site. Excellent advice for all. I’ve had my debit card number stolen – thank goodness my bank realized it ASAP and called me immediately. We try to keep everything secure but when you’re on the up & up it can be hard to think like a hacker. Unfortunately that’s what we have to do to keep safe. I see we’re neighbors, so to speak – I’m in Boston. Would love to connect more & network if you’re up for it. All the best ~ Jessica.

  22. I’m so sorry to hear about this! It must have been terrible to go through. Thank you so much for the list of things we can all do to keep our blogs safe. I’ve bookmarked this post and will be making all of the proper precautions.

  23. How terrible! So sorry you had to go through all that. I had someone hack into my site and start changing things around. It was a scary time and I was pulling my hair out until I figured out how to patch the security breach.

  24. I am so glad this has worked out to your favor & your awesome site is back in your control. It’s amazing, how easy it is to get comfortable with our online lives and the security of them. I had a huge wake up call after reading James Fallows’s piece in The Atlantic last year about his wife’s email being hacked – it’s a great read for anyone questioning the hacking process. I immediately switched to the two-part gmail sign in, and while it was a big pain at first, now it’s just part of my interaction with the web.

    Here’s a link to it – http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/

    Also – a word on passwords. In real hacking, the characters don’t matter as much as we’re all led to believe. A computer password hacking program can buzz through all those various characters the same as letters. The real key is length – and to have the words in it have no personal association. Make it a phrase or a funny name – as long as it’s long (I get really irritated at sites that only allow up to 11 digit passwords). On top of that – have three or four base passwords, then switch them subtly for various site logins – and, as you mentioned, change them out completely every 90 days or so.

    Anyway – stay safe out there!!

  25. Talk about a nightmare.

    Great post, I am sharing it. I was recently compromised on my Fb page and gmail through my cell phone.

    A good thing to make a habit of is using different passwords for accounts. My Fb and gmail were the same which made it easier to compromise. I am making sure to change passwords on a regular basis.

    So glad you were able to get your site back.

  26. WOW. Thank you for sharing. I never knew this could happen. Good wake up call!

  27. Holy crap am I ever glad I stumbled upon this post. My little blog is still a wee baby, but that doesn’t make this info any less important. I’m taking all your suggestions TODAY!

  28. I’m so sorry this happened to you, Jessie. Thank you for sharing your experience and the knowledge you gained from it. I hope everything goes smoothly from here forward. I can’t imagine how many HOURS this must have taken out of your daily life. I imagine a spa day (or spa WEEK!) is in order! xoxo

  29. I had someone on Facebook try to create an account using an old email of mine. Thankfully I was having the messages forwarded to my current account and I managed to see the email notifying me of the creation. So basically I was able to log in after saying I had forgotten my password and then shut down the account. Scary stuff. Glad you are back!

  30. So scary that this can happen and that it can take you so long to get back what is rightfully yours. Thank you, thank you, thank you for taking the time to write such an informative and enlightening post. I have put a link to this post on my FB page and my Twitter feed. I also sent a copy to my host who also teaches WP to others.

  31. Another small tip for preventing the harvesting of email addresses, which was a part of your problem: always use blind copy (bcc) when emailing to a group of friends so you don’t expose their email addresses to harvesting.

  32. OMG, I had no idea that domain names could be hijacked. As soon as I post this comment I am setting up a 2 step verification for the gmail (not published/and not on business cards) account that I use to get all of my information from my host/registrar.

  33. Ok….now I am paranoid. A couple of weeks ago we got an email that someone in China was trying to register our domain name and that we were to contact them. The email was in such poor English that I legitimately thought it was SPAM.

    But maybe it wasn’t!!!! AHHHHH! Would you email me. I would love some of the info you have with the FBI or your IP attorney to forward them the email to see if it is legit.

    Thanks a million for your help!

  34. thanks for sharing your experience, very helpful and crazy too. I had no idea that could happen to a blog. So I set up the 2-step deal. thanks

  35. I’m so glad you’re back and the site is ok… I like the new header, too! I kept checking in and thought the front page was odd as it displayed posts from October last year instead of the most current ones like normal.

    I have read that you can make very secure, easy to remember passwords by using a few words together that do not make sense in that order, like “horseshufflecottonmarks”.

  36. Jessie, I had no idea this was going on. You poor thing! And quite a detective Mouse is! Will be changing all passwords on a regular basis. Thanks for the story and all of the advice.

    Miss all you guys!

  37. Whoa….this is some scary stuff. So sorry it happened to you and thank you for sharing your experience with us all and all the sound advice you have given. One can never be secure enough it would seem. Very glad you are back. xx

  38. First, I am so glad that you got your domain back. I’m so sorry for all you had to go through– how violated you must have felt! Thank you for sharing your story, and I’m glad it has a happy ending. My husband works for the government, in computer security. I’m going to share this story with him, and ask him to help implement the safeguards that I need. Welcome back!

  39. This is so scary and strange!! I have gotten several emails from the “Chinese Registrars Office” claiming that someone wants to register my domain name… I’ve always hit delete and chalked it up to spam…

    This is what it said……

    “Dear Manager:

    We are a Network Service Company which is the domain name registration center in Anhui, China. On April,24th,2012, We received HUHUA Company’s application that they are registering the name “bakeaholicmama” as their Internet Trademark and “bakeaholicmama.cn”,”bakeaholicmama.com.cn” ,”bakeaholicmama.asia”domain names etc.,It is China and ASIA domain names.But after auditing we found the brand name been used by your company. As the domain name registrar in China, it is our duty to notice you, so I am sending you this Email to check.According to the principle in China,your company is the owner of the trademark,In our auditing time we can keep the domain names safe for you firstly, but our audit period is limited, if you object the third party application these domain names and need to protect the brand in china and Asia by yourself, please let the responsible officer contact us as soon as possible. Thank you!

    Kind regards

    Angela Zhang ”

    I guess I need to start paying attention and figure this out!!!

  40. HI Jessie
    This is so informative. I recently changed ISP and there were so many cross checks to ensure I actually owned the domain. It is scary that some arbitrary person can hack into your life and the password issue is really the most important one. To me, my banking is the most important thing to protect and I am always amazed when people tell me they save their credit card details on other sites, or keep their ATM passwords on their bank cards. I hope that many of your readers take heed to what you have shared.
    Good luck with sorting the matter out completely.
    Tandy

  41. Hi Jessie,

    A word about passwords –
    For those who have a difficult time remembering passwords like “[email protected])4QxRs}”, you can use one of these two nice good-password tricks:

    1) Passphrase
    Using a passphrase is longer to type, but often easier to remember — and it has the benefit of being way stronger than the “#ma)+XrPWtn” kind of passwords. If your site allows long enough passwords to do this, you can use a password made of four random words, like this:
    knobby complaint command icecream
    slippery tomorrow knickers eternal

    ..although, you need to be careful not to use words that are strongly associated with you or with themselves, so:
    “tree green root leaf” — bad (words are associated with each other)
    “kristy cooking computer consciousness” — bad (words are things deeply involved in my life, possibly guessable by looking at my facebook or some such)

    2) Longish Nonsense Phonetic Word
    You can also use a longish nonsense phonetic word — try to make it 12+ letters. Just mix letters up in a pronounceable way, and don’t include any real words. Imagine it’s a name for some place in a fantasy novel, or something like that. If it ends up including a real word, misspell that word:

    amitogiferru
    graumsanmeridox
    noxiwrekletak

    I usually use two together, that have a cadence to them:
    sominga refeniso
    bretigo mahnika
    moxerz ominykondu

    ..using either of these methods will give you a unique, strong password.

  42. So glad to hear it’s back in your hands. This site has been so important to me from basic tips to daily inspiration.

    Looking forward to seeing more to come for our little Hungry Mouse!

  43. So glad to hear you have control again!

    This site and the Hungry Mouse have been so important to me from the tips to daily inspiration.

    Looking forward to seeing more upcoming ideas and events!!

  44. Glad you were able to get all your stuff back. I wonder if you or anyone else clicked on a link in one of those emails that show up talking about a Chinese company trying to sell you your own domain name. I see those all the time and just delete them from the server before they even have a chance to get to my computer. In any case what a tale!

  45. For domain registrars, offering extra security is risky, because someone will hack it and then there is all the liability, court costs, and bad publicity, even if not the registrar’s fault. So it’s a no-win for registrars to offer a special high security version.

  46. A Russian ‘ring’ got me a few years ago – they had not one but two of my credit card numbers! God knows what else they had. I was contacted a few days after they started charging computers and other electronics to my cards and having them shipped to Russia. Great thing that the CC companies have people who do nothing but monitor for fraud, same thing for the telecommunications company I work for, we have a large division just for fraud. I was contacted by the FBI who sent an agent to run some tests on my computer to see if I had any planted ‘bugs’! Was a bit of excitement for a while but it was disconcerting and a major headache to get all my accounts changed lest any of it be known by more thieves in the world. So sorry to hear of your troubles, I’ve already changed my settings for my Gmail account, thank you so much for alerting your readers about it. Bon Appetit!

  47. I recommend double bagging it for website security. Whatever blog platform you use, wordpress, typepad, whatever. If it is hosted on your own hosting account (and not a hosted service like blogger) don’t rely on the application’s security alone. Put the admin area inside a shell protected by apache .htaccess password protection (your host can help you set this up usually). This will require you to enter two passwords to enter your admin area, but this simple step will deflect 99% of site hacking attempts.

  48. “4. Use smart user names & passwords

    Make them complicated and unintelligible. Use symbols, numbers, and upper and lower case letters.”

    Bad advice.

    The longer a password is, the stronger it is. Password phrases or a complete sentence is much, much more secure than the advice you’ve given above.

    Even more secure: Keep a split, encrypted keychain that manages your accounts such that you don’t even know the password. KeePass can do this when the password database is stored on a hard drive in an encrypted format, a decryption key is stored on a USB thumbdrive that you take with you, and access to the database requires a master password. All three pieces have to be present on the same machine to open the password database. Effectively two-factor authentication: Something you have (a USB thumbdrive) and something you know (your master password).
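An added example, not part of any comment above: the random-word passphrase approach from comments 41 and 48, with the words drawn by a CSPRNG rather than by hand and the resulting entropy computed. The 16-word list is a constructed sample, and the 7776 figure assumes a list the size of the EFF long wordlist.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the example runs offline. A real
# generator would load a large published list (assumed here: 7776 words,
# the size of the EFF long wordlist).
SAMPLE_WORDS = [
    "knobby", "complaint", "command", "icecream", "slippery", "tomorrow",
    "knickers", "eternal", "lantern", "gravel", "pocket", "violin",
    "harbor", "muffin", "thistle", "orbit",
]

def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent, uniform draws from `pool_size` symbols."""
    if pool_size < 2 or picks < 1:
        raise ValueError("need at least 2 symbols and 1 pick")
    return picks * math.log2(pool_size)

def generate_passphrase(words, count=4, sep=" "):
    """Return (passphrase, entropy in bits) using the OS CSPRNG."""
    unique = sorted(set(words))  # duplicates would skew the distribution
    # secrets.choice is uniform; words a person picks by hand are not,
    # so the entropy figure only holds for machine-drawn words.
    chosen = [secrets.choice(unique) for _ in range(count)]
    return sep.join(chosen), entropy_bits(len(unique), count)

def words_needed(pool_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))

def compare(wordlist_size=7776):
    """Entropy of the password styles discussed in the comments."""
    printable = len(string.ascii_letters + string.digits + string.punctuation)
    return {
        "11 random printable characters": entropy_bits(printable, 11),
        "14 random lowercase letters": entropy_bits(26, 14),
        "4 random words": entropy_bits(wordlist_size, 4),
        "6 random words": entropy_bits(wordlist_size, 6),
    }

if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS)
    print(f"sample: {phrase!r} ({bits:.0f} bits from a 16-word demo list)")
    for label, value in compare().items():
        print(f"{label:32s} {value:5.1f} bits")
    print("words to match 11 random characters:", words_needed(7776, 72.1))
```

With a 7776-word list, four words give about 51.7 bits and six give about 77.5, against about 72.1 for eleven fully random printable characters, so word count and list size decide how a passphrase compares.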

  49. Jessie: I teach computer security and tell folks if they can tell me their password it is most likely not very secure. If they have to show me their password then the issue is length. Passwords today under 14 characters are not secure. A good 12 core Mac Pro can crack the hash in a few hours.

    So here is how to make a very secure password that only you know and is very difficult to break using the normal tools (we are not talking government sponsored cryptographers with almost unlimited budget).

    Start with your favorite crutch password. We will just use Jonny’s or Suzy’s birthday, June 5. Type in Jun5 then thnJI(p;/’ for a password that looks like Jun5thnJI(p;/’ – a 14 character password you can easily type any time you need it and can also change easily because it follows your pattern.

    Here the pattern is:
    First the Crutch Password “Jun5”
    Second is follow the keyboard down and right “thn” and now you have “Jun5thn”
    Third is hold down the shift key and follow the keyboard up and right “JI(” and you have “Jun5thnJI”
    Fourth is release the shift key and go down and right “p;/” giving “Jun5thnJI(p;/”
    Fifth is use the shift key and go up and right and the password is Jun5thnJI(p;/’

    Try to tell someone your password now.

    Up, down, left, right, shift , etc are all your call. What is your favorite pattern? I have seen M and W used often, also left and right across the keyboard on different rows, e.g. JKLuioNM<%^&, is the letters & numbers of Jun 5 followed by the three letters/numbers in the row with shift key on or off.

  50. Wow, just read most of your story and I have to say in the 19 years I’ve been a graphic designer/web developer I’ve never heard of such a thing. The hackers put a lot of effort into swiping your blog and domain name. Maybe they wanted to hold it for ransom. There’s a lot to learn from this post and the comments which I’ll read later. But for now I’m on to your rye bread recipe…

  51. That’s completely insane that someone would just steal an entire blog. What is wrong with people? I only had an issue with one person copying & pasting every single post I made onto hers. That’s as far as that has ever gone. I’m sorry that happened but now you gave very good information to others so it won’t happen to someone else.

  52. Ug. I hadn’t really thought about this happening. Great tips.

    My Paypal account was broken into a few years ago. I thought about contacting the FBI (and Paypal and my bank, of course), but it turned out my local police also wanted to know. So if the worst does happen to someone, consider filing a local police report also. Mine sent someone out to take a statement then one of their detectives worked with the FBI. It turned out they were part of a ring of hijackers/scammers.

  53. I’m all over this in this article. If it is really charity causes then the Publicity will come naturally around the rear in the truthfulness. Certainly with Yoav, it will be appalling if it became another black hat strategy. Regrettably Most likely which a number of nefarious losers out there are actually considering lower that will route.
