Oops! This image does not follow our content guidelines. To continue publishing, please remove it or upload a different image.
It began with dumplings.
When I got an email at midnight last March from Grubhub notifying me that my order from Dumpling Depot was on its way to an address 3,000 miles away from my location in New York City, I thought there must have been some mistake. And there was: mine.
Because I didn't take a few basic internet security precautions, hackers robbed me of $13,103.91 worth of cash and prizes from three of my accounts over the next six months. And while this doesn't make me, your Recode data privacy reporter, look very smart, I'm sharing my story with you in the hope that it will help you avoid a similar fate.
The person who hacked my Grubhub account last March ordered a black fungus salad with celery, a five-spice-marinated beef entree, and 12 pork dumplings (with chives) for a total of $26.84. At first, it was annoying but didn't seem like that big of a deal: I notified Grubhub about the fraudulent charge and got a refund. Then I changed my password, sent an angry text to the phone number on the food order, and went about my life, foolishly thinking that this was an isolated incident. It was not.
Five months later, I logged into my bank account to find a substantially smaller number in my savings account than I expected. Sure enough, $9,000 had been wired away two days previously. During the subsequent, frantic call to my bank, I looked at my checking account and saw that $4,000 had been wired away from there, too — a discovery I declared with a variety of curse words. The woman on the other end of the line had a pleasant Southern drawl, which made her promises that I would get the money back seem extra reassuring.
She was right, although my access to all of my money was cut off for several days as the bank froze my old, violated accounts and created new ones. It took about two weeks before everything was fully up and running again and my $13,000 was restored. I don't know if my bank got the $13,000 back or just fronted me the money and called it a loss. When I called them for an update and to demand justice, they told me they couldn't tell me any details about the case because I was not the victim, the bank was. Obviously, things could have been a lot worse: I did get the money back.
Join the Open Sourced Reporting Network
Oops! This image does not follow our content guidelines. To continue publishing, please remove it or upload a different image.
