Kurt R.A. Giambastiani

I spent the last week at war.

In the wee hours, late last week, I awoke to email alerts regarding my personal Facebook account. It had been disabled.

My first thought was that one of my more political posts had rubbed someone the wrong way and they’d reported me, but as I investigated, I learned that, no, someone had gained access to my account and had done something that violated Community Standards.

I’d been hacked.

I tried to recover control, but Facebook’s algorithms denied me and summarily deactivated my account. This also deactivated the “author” page I ran on Facebook, where I echo posts from here. As far as Facebook was concerned, I was a non-entity.

Somehow, this pisher in Hanoi (or at least, that’s where he said he was) had force-friended me and run off with my email address (which, frankly, wasn’t hard to find), at which point he began using it to brute force his way into other, mostly gaming-oriented sites.

I did my best to keep ahead of him, first protecting my financials by canceling my credit card and changing everything on my banking accounts, but while I was doing that, he was attacking my flank. It soon became clear that my info had been shared, as hits began to come in from places other than Hanoi: Ukraine, Egypt, Thailand, Russia, Chicago, New York City. (True, these may have been ISP reroutes, but I’m not tech-savvy enough, nor did I really care enough, to find out.)

Thus, I spent the whole of this week in an adrenaline-soaked haze, madly going through the pages (and I literally mean pages) of info I’d stored on sites, accounts, logins, and passwords. My prioritization had started with financials, but it quickly became clear that what my nemeses wanted was access to video games. EA Games, Ubisoft, Microsoft, EPIC Games, 2K Games. I mean, to hell with Amazon or BofA, these pishers wanted to play Fortnite! One Ukrainian dolt had the cheek to tie their laptop and Xbox to my Microsoft account.

The attack on my Microsoft accounts was especially worrisome, as I have software and backups tied to that. All my original fears about storing data on “the cloud,” fears that had become attenuated with global acceptance of the model, came back to me tenfold.

It was clear that my old email addresses, decades-long favorites, were utterly compromised and I wouldn’t be able to use them again, even under a different ISP. Leaving Yahoo! as an email provider didn’t bother me—I’d been fighting the bureaucracy between them and my actual ISP (Frontier) for years, getting nowhere with either—but the Yahoo/Frontier dysfunction meant I couldn’t even change passwords on those accounts, much less shut them down.

In short, it was a hot mess.

Eventually, I devised a strategy that I hope has thwarted them. I created new email accounts, including a sacrificial one. Working under the assumption that they were monitoring activity on my compromised emails, I began a process of swapping accounts from Compromised Email (which they could see) to Sacrificial Email (which they could not see, but which might be listed on alerts sent to the first address), and thence to a new set of accounts (of which they could see nothing). It was convoluted plan, and it may have been overkill, but overkill is sort of what I was going for. I mean, if I could have nuked them from orbit, I would have turned the key myself.

The furor has died down, now. Today brought only one attempt, on an account I didn’t even know I had (Ubisoft). I’m hoping that I’ve protected everything that needs protecting, and that I won’t be damaged by the remnants I’ve left on the field.

But here are the lessons I’ve learned.

1. You know how they say “don’t use the same password everywhere”? Good advice. I followed that advice fairly well, but not completely. I shared password variants in categories of sites, which mitigated how far they could go with an email and a password. Still, that was too much.
2. Never ever create an account that re-uses credentials from another site. When my Facebook account was deactivated, that cascaded to other sites, essentially shutting them down on me, too. I don’t know why anyone thought sharing credentials was a good idea (see Item 1, above).
3. Canceling my credit card was a top-notch move. Yes, I’m having issues with subscriptions and auto-pay options that have come due in the past week, and I won’t get my new card for a few days more, but I’d rather deal with a late-fee than with exorbitant charges on a breached card.
4. While we all know it intellectually, do not let your heart buy into the illusion that you own or control your Facebook data. I know it sounds hyperbolic, but when my Facebook page was deactivated—no explanation, no appeals, no recourse—I felt like I’d been disappeared. All my history, all my contacts, all my pictures, all my memories, were gone. While I had originals of the photos and had backups of contact information, the history of conversations and interactions was irretrievably lost to me.

What with being in near-isolation for months, online contact with friends has become much more important, and having it ripped away was a terribly emotional blow. I know these are First World Problems and not a big deal on the grand scale, but it was all I could do to fight off the grief and hold it together long enough to fight these shmekel-heads, day after day.

If they’re determined, I know I can’t stop them. I’m just hoping I can make myself enough of a pain in the ass that they decide to move on to less prickly prey.

So, that’s what my last week has been like. I hope that I’m nearing the end of this episode. It’s a long weekend, here in America, and I could use some sleep. Some uninterrupted sleep.

k