Wednesday, April 24, 2019

Security Breach

On the evening of April 15 I unwittingly made a blunder in uploading a configuration file that contained some texting and email credentials to a site for storing source code (GitHub). To its credit, GitHub promptly emailed me a warning message to alert me that I was "sharing too much". But I had left the computer to go eat some supper and do other things, and didn't return until about 3 hours later. At that time, I discovered that the account password used to allow AMOS to send text messages had been changed, and there were notifications of hundreds of errors in my inbox, relating to this texting account. This was not good. In order to remove any trace of the file online, I removed the entire GitHub repository. I then contacted the texting service company to alert them that my account had been compromised. They gave me some instructions to follow in order to change my credentials, but the account had already been associated with a new email address, so I was unable to do that (the file shared on GitHub also had email credentials, so they must have used my Gmail address and password to read my Gmail, and thereby change the texting account info). I informed the texting service of that and requested that they freeze my account if possible.

The account was frozen, but not before $170 of texting charges had been racked up. More back and forth with the texting provider got my account set back up properly though, and thankfully no more charges have been incurred. I also changed my Gmail password of course, and many of my other passwords too, just as a precaution, in case they also might have been accessible through Gmail. I had a look at one of the phony messages and it was in French, and I think it was one of those: "Something bad has happened to your account, please click this link: .....   to fix the problem." messages. So to the thousands of people that received these, please accept my sincere apologies.


I have since enabled two-factor authentication for my texting account and will also make sure any other passwords stored in configuration files are encrypted. Nothing beats learning the hard way, eh?


