I was driving up to the Catskills for an overnight with the family when, apparently, my email started spewing spam. I didn’t get into Wi-Fi range until several minutes had passed, at which time I was greeted with 95 “mail undeliverable” notices and many tweets, of which these two were the first:
Naturally, I changed my password on the spot, but roughly 45 emails were sent to 300+ recipients. (Obviously, there were a fair number of old addresses in there.) The emails contained links to various sites, none of which I clicked on. Later that evening, I sent emails to those affected to urge them not to click on said links. Ideally, they’ll also retrieve my email address from the doomed depths of the spam folder.
The emails themselves were pretty dumb. They were a link and a silly quote and…that’s it. Of course, each email was sent to several recipients, meaning that private email addresses from authors were mixed in with my mortgage lender, my friends from college and a number of fine customer service folks from places like United, the Gap and DharmaCrafts. (What? I contain multitudes, yo.)
Email is, in a way, an extension of my voice, and it was dissonant to see someone else pulling those strings. No, I’m not saying I’m lost without my email, because I rather enjoy being unplugged when I can swing it. But it’s one of my chief ways of talking to other people these days, and having someone come in and send crap around in my name is just strange. I don’t feel violated or anything because, well, I have some perspective on my life. But it was weird.
Thankfully, most folks saw right through it and recognized it as spam, including this Twitter correspondent:
I like Scott.
Anyway, you can learn from my mistakes. For one, I hadn’t changed my password on my email account since 2010 — and even then, I think all I did was to add a digit or two. It was stupid-simple, and in retrospect, I’m surprised it went as long as it did without getting compromised. So switch up your passwords.
I also turned on Google’s two-step authentication. Now, when I log in from computers not my own, it’ll require a code sent to my phone. At first I’m all like, “What a pain in the ass.” But I quickly realized that A) I always have my phone on me, and B) I just got hacked, so shut up. Two-step authentication for the win. I also created a unique email password for my phone, too. So that’s good.
Lots of folks suggested a variety of ways and systems to keep passwords secure and squared away, and I’ll be checking those out as well. I’ll also be keeping an eye on my bank account and credit history for a while, because while I’m fairly careful about transmitting such things via email, who knows what tidbits someone might glean?
Anyway, it’s a relatively minor annoyance for now. I reached out to folks to apologize and correct, and that’s that. If you got one from me, I’m sorry about that and I’ve tightened up my security. I’m doubly sorry about the private email addresses that got broadcast, and doubly appreciative of how understanding and helpful folks have been. Thanks to Wes and John and about a dozen others who were quick to notify me. You guys rock.