Surviving a Cyber Attack: My Journey Through Identity Theft and Lessons Learned

For those of you who have visited my profile in the past month. You might have noticed several changes:

1. "Tech Fusion," my newsletter, no longer exists.
2. There are no longer any posts on my account.
3. My featured section has been removed.

To explain these changes and share a cautionary tale, I would like to request for 10 minutes of your precious time. This is the story of how my Identity was Hacked.

On March 14, 2024, exactly one month before this post, I woke up to a seemingly normal day, blissfully unaware of the ordeal ahead. The first sign of trouble was a call from a friend who noticed that my Instagram account had been hacked. Since I am inactive on Instagram and haven't had the app for a while now, I was unaware of the flurry of messages incoming. Turns out there was a Crypto Story posted from my account. I quickly deleted the post and assured my contacts that it wasn't from me. Thankfully, my followers know that I don't engage in financial postings, so no one was misled by this.

The situation escalated when I checked my email and found multiple sign-in warnings from various services, including Google, LinkedIn, Facebook, PayPal, and all my bank accounts. This was when I realized that it was just not a random hacker who got access to my Instagram account through some Linux exploit, but a targeted attack aimed at me.

Upon reviewing my financial accounts—without delving into specifics—I found them drained to the extent that they showed a year's worth of negative balance. I immediately froze all my accounts and thus started a long and arduous week of police reports and customer service calls. I called every one, from the banks to the vendors where the purchases took place. Fortunately, many of the purchases were pending and were cancelled but still a large chunk of money could not be recovered. Mostly from eBay and other services that had already shipped out the products.

In a step that proved crucial, I contacted all the major shipping companies and told them to freeze all the packages with my name on them. Initially, they were reserved, but once I showed them ID proof with my name on it and the identity theft report they were ready to comply. This saved a significant amount of money.

Unfortunately, I couldn't stop automatic payments from subscription services, though I managed to halt future charges. Only Canva agreed to issue a refund.

After this entire ordeal, I discovered that not only my LinkedIn but several other social media accounts had been compromised. It's disheartening to know that my newsletter and posts were deleted—I had established valuable connections through them and truly believe they offered significant value to both myself and my readers. Nevertheless, I am profoundly grateful that I was able to avert a potentially devastating financial loss.

So, what did I learn?

I have different passwords for different websites. Matter of fact, I use a password manager and have 2FA enabled for most of my accounts.

So how did I get hacked?

A simple answer to this is: Gmail. No matter how many unique passwords you have, they are useless if you can reset them. No matter how many 2FAs you have set up, they are useless if you have your email as the 2FA medium or can send recovery keys to it. No matter how many email IDs you use, it does not matter if they are the recovery emails of each other.

In today's world, our online identities are interconnected like a spider web. And what happens if you set fire to one end of the web? The whole web burns. It just requires that initial ignition for our online identities to fall apart.

Then how does one stay safe online?

I have come to only one conclusion after a lot of thought: You can't. If someone is out to get you, they will find a way. Even people like Metro Boomin, Tiger Woods, and Michelle Obama who probably have extensive security measures and organizations behind them are subject to hacking.

So does that leave us at the mercy of these hackers?

Not yet.

There is this quote my grandfather says, "I would rather carry $500 in cash than a suspicious card". His statement is geared more towards the fact that digital money is easy to spend but hard to justify/account for. But his advice can very well apply for this instance as well. I would rather go everyday to an ATM to withdraw cash than go through the stress I experienced once again. However, carrying large sums of cash for everyday transactions, especially for significant expenses like rent, is not practical in today's digital world.

This is why I adopted the next best solution:

1. The majority of my funds are now in a secure account accessible only by checks and money orders.
2. I maintain a separate account for monthly expenses, funded just enough to cover those costs.
3. I use a single card that requires phone app confirmation for every transaction.
4. I avoid storing my card details online; for necessary online purchases, I use a burner debit card linked to an account with minimal funds.

This incident has been a harsh lesson, occurring at a time when I am not widely influential or financially powerful—a situation that could have been much worse a few years down the line.

This article serves as both a comeback and an informative piece on cybercrime prevention. I will soon relaunch my newsletter with new content planned prior to these events. Until then, stay vigilant and safe!

-- Sohum Berdia