Released from Prison, Spammer Who Stole 17.5 Million Passwords Apologizes and Reforms (zdnet.com) 19
An anonymous reader quotes ZDNet:
Kyle Milliken, a 29-year-old Arkansas man, was released last week from a federal work camp. He served 17 months for hacking into the servers of several companies and stealing their user databases. Some of the victims included Disqus, from where he stole 17.5 million user records, Kickstarter, from where he took 5.2 million records, and Imgur, with 1.7 million records. For years, Milliken and his partners operated by using the credentials stolen from other companies to break into more lucrative accounts on other services.
If users had reused their passwords, Milliken would access their email inboxes, Facebook, Twitter, or Myspace accounts, and post spam promoting various products and services. From 2010 to 2014, Milliken and his colleagues operated a successful spam campaign using this simple scheme, making more than $1.4 million in profits, and living the high life. Authorities eventually caught up with the hacker. He was arrested in 2014, and collaborated with authorities for the next years, until last year, when it leaked that he was collaborating with authorities and was blackballed on the cybercrime underground....
In an interview with ZDNet last week, Milliken said he's planning to go back to school and then start a career in cyber-security... [H]e publicly apologized to the Kickstarter CEO on Twitter. "I've had a lot of time to reflect and see things from a different perspective," Milliken told ZDNet. "When you're hacking or have an objective to dump a database, you don't think about who's on the other end. There's a lot of talented people, a ton of work, and even more money that goes into creating a company... there's a bit of remorse for putting these people through cyber hell."
He also has a message for internet uesrs: stop reusing your passwords. And he also suggests enabling two-factor authentication.
"I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me."
If users had reused their passwords, Milliken would access their email inboxes, Facebook, Twitter, or Myspace accounts, and post spam promoting various products and services. From 2010 to 2014, Milliken and his colleagues operated a successful spam campaign using this simple scheme, making more than $1.4 million in profits, and living the high life. Authorities eventually caught up with the hacker. He was arrested in 2014, and collaborated with authorities for the next years, until last year, when it leaked that he was collaborating with authorities and was blackballed on the cybercrime underground....
In an interview with ZDNet last week, Milliken said he's planning to go back to school and then start a career in cyber-security... [H]e publicly apologized to the Kickstarter CEO on Twitter. "I've had a lot of time to reflect and see things from a different perspective," Milliken told ZDNet. "When you're hacking or have an objective to dump a database, you don't think about who's on the other end. There's a lot of talented people, a ton of work, and even more money that goes into creating a company... there's a bit of remorse for putting these people through cyber hell."
He also has a message for internet uesrs: stop reusing your passwords. And he also suggests enabling two-factor authentication.
"I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me."
Only because she's famous (Score:2)
It's weird to me that the BOP is even considering sending her to a Fed facility. Much easier to send to the local jail where they have an agreement in place to hold federal inmates for short periods.
But, she's famous, so they probably want to make an example.
Apologized to CEO (Score:4, Insightful)
He apologized to the Kickstarter CEO? Why? How about apologizing to the people instead? The CEO was responsible for securing his companies data. Sounds like he just wants a job.
Salted hash (Score:2)
How can these companies get away with storing passwords in the first place?
Re: (Score:2)
Exactly. Honestly, I see no reason your clear text password should ever reach a company server. Half-ass salt it with the username before hashing it and sending it to the server, then that becomes the effective password. Then salt that with a true random salt on the server, hash and store.
This way it becomes impossible for the company to know the password, or even if multiple users share the same password.
$1.4M.... (Score:3)
Hmm, five years of that averages out to $280K per year.
"Colleagues" implies AT LEAST a three way split.
So, he made maybe $90K per year doing this. Seems to me he could have made more just getting a job in IT....
Re: $90k (Score:2)
Re: (Score:1)
Yo dawg, I heard you like databases.
So I made a database of your data so you can get databased while you database.
Or something.
Re: (Score:2)
Reforms? (Score:2, Interesting)
TFA is anti-anonymity (Score:2)
Always a criminal (Score:2)
Pretty obvious this guy is a narcissist of the worst order.
Anyone who trusts him to do anything but continue to be a criminal is delusional.
And as long as hacking and data theft is regarded with such laissez-faire by governments, guys like this will flourish - and there are many of them.
Re: (Score:1)
Password security - wrong person jailed (Score:2)
Second, yes you should reuse passwords, you should be using Password1! on every stupid site that wants you to register so they can track you. F#@k them. 99% of sites are not valuable enough for me to create a unique password for. People should have 4 passwords at most, one for work, one for their banking, one for their trusted email
Re: (Score:1)