Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Crime Security Spam

Released from Prison, Spammer Who Stole 17.5 Million Passwords Apologizes and Reforms (zdnet.com) 19

An anonymous reader quotes ZDNet: Kyle Milliken, a 29-year-old Arkansas man, was released last week from a federal work camp. He served 17 months for hacking into the servers of several companies and stealing their user databases. Some of the victims included Disqus, from where he stole 17.5 million user records, Kickstarter, from where he took 5.2 million records, and Imgur, with 1.7 million records. For years, Milliken and his partners operated by using the credentials stolen from other companies to break into more lucrative accounts on other services.

If users had reused their passwords, Milliken would access their email inboxes, Facebook, Twitter, or Myspace accounts, and post spam promoting various products and services. From 2010 to 2014, Milliken and his colleagues operated a successful spam campaign using this simple scheme, making more than $1.4 million in profits, and living the high life. Authorities eventually caught up with the hacker. He was arrested in 2014, and collaborated with authorities for the next years, until last year, when it leaked that he was collaborating with authorities and was blackballed on the cybercrime underground....

In an interview with ZDNet last week, Milliken said he's planning to go back to school and then start a career in cyber-security... [H]e publicly apologized to the Kickstarter CEO on Twitter. "I've had a lot of time to reflect and see things from a different perspective," Milliken told ZDNet. "When you're hacking or have an objective to dump a database, you don't think about who's on the other end. There's a lot of talented people, a ton of work, and even more money that goes into creating a company... there's a bit of remorse for putting these people through cyber hell."

He also has a message for internet uesrs: stop reusing your passwords. And he also suggests enabling two-factor authentication.

"I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me."
This discussion has been archived. No new comments can be posted.

Released from Prison, Spammer Who Stole 17.5 Million Passwords Apologizes and Reforms

Comments Filter:
  • Apologized to CEO (Score:4, Insightful)

    by 110010001000 ( 697113 ) on Sunday September 15, 2019 @07:03AM (#59196216) Homepage Journal

    He apologized to the Kickstarter CEO? Why? How about apologizing to the people instead? The CEO was responsible for securing his companies data. Sounds like he just wants a job.

  • How can these companies get away with storing passwords in the first place?

    • Exactly. Honestly, I see no reason your clear text password should ever reach a company server. Half-ass salt it with the username before hashing it and sending it to the server, then that becomes the effective password. Then salt that with a true random salt on the server, hash and store.

      This way it becomes impossible for the company to know the password, or even if multiple users share the same password.

  • by CrimsonAvenger ( 580665 ) on Sunday September 15, 2019 @07:34AM (#59196254)

    Hmm, five years of that averages out to $280K per year.

    "Colleagues" implies AT LEAST a three way split.

    So, he made maybe $90K per year doing this. Seems to me he could have made more just getting a job in IT....

    • $90k in I.T.? That ain't what I.T. is valued at everywhere. Try $25k as a base for a more realistic valuation of a "Network Administrator" or "IT Specialist".
  • Comment removed based on user account deletion
  • Reforms? (Score:2, Interesting)

    by Anonymous Coward
    Seems like he hasn't quite broken all his old habits. https://i.imgur.com/MuGWLhJ.pn... [imgur.com]
  • By all means, use TFA for your accounts that use your real name, but otherwise, if anonymity is important to you, all TFA will do is link your online alias with your real name, essentially erasing anonymity. Also regardless of any ToS or Privacy Notice from any company offering TFA, they now have your phone number (if they use text messages for TFA) and there's really nothing stopping them from selling that to 'advertisers' (read as: phone spammers and telemarketer scum).
  • Pretty obvious this guy is a narcissist of the worst order.
    Anyone who trusts him to do anything but continue to be a criminal is delusional.
    And as long as hacking and data theft is regarded with such laissez-faire by governments, guys like this will flourish - and there are many of them.

  • First the Chief security officers of all the companies he stole passwords from should have been with him in prison. There is no excuse for storing passwords in the clear.
    Second, yes you should reuse passwords, you should be using Password1! on every stupid site that wants you to register so they can track you. F#@k them. 99% of sites are not valuable enough for me to create a unique password for. People should have 4 passwords at most, one for work, one for their banking, one for their trusted email

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...