This week, we discover who was actually behind the hack of Alex Blumberg's Uber account. This episode picks up where Episode 91, The Russian Passenger, left off.
Come see Alex and PJ at The Bell House with Linda Holmes!
Wirecutter on password managers
PJ VOGT: Hey, this is PJ with a quick note before the show starts.
If you have not listened to Episode 91, "The Russian Passenger," which was about Alex Blumberg's Uber account being hacked, go listen to that before you listen to this episode. If you don't, it'll be like just watching the last episode of a TV show: you'll ruin a bunch of surprise for yourself, and also just be confused.
Go back, listen, come back here. Ok. Let's go.
PHIA BENNIN: Previously on Reply All:
[CREEPY MUSIC]
PJ: Somehow, someone, in Russia, got the password for your Uber and is just like—
ALEX BLUMBERG: And hacked my Uber account, right?
PJ: Yeah.
MELANIE ENSIGN: Whoever had access to his email account was clicking on those links, verifying it was him, and then deleting the notification [sic] before he saw them.
TROY: You sort of leave these little traces of yourself all over the internet. And as time goes by, those chances of one of the places you’ve left your data being breached and that data then being leaked continues to go up.
ALEX GOLDMAN: So a couple weeks ago, we did an episode called "The Russian Passenger." And in that episode, our boss Alex Blumberg came to us with a question. His question was—
PJ: How did a Russian person steal my Uber account?
ALEX GOLDMAN: Yes. Someone had been taking trips around Moscow, uh—
PJ: On his ruble.
ALEX GOLDMAN: (Laughs)
PJ: On his ruble dime.
ALEX GOLDMAN: What a dumb joke...
PJ: So...
ALEX GOLDMAN: So.
PJ: He wanted us to figure out what happened. Which sort of seems simple enough, and then ended up being like, insanely complicated.
ALEX GOLDMAN: Right. And after testing a bunch of theories, what we came to as the most likely scenario was that Alex was on vacation in the Bahamas with his dad, Richard, and his dad has a tablet, a Surface Pro. Alex logged into his Gmail on the Surface Pro, and there was malware on the tablet, which, uh, gave hackers his username and password. They got into his Gmail. They hacked his Uber. But we never found any conclusive proof that that happened.
PJ: Right.
ALEX GOLDMAN: At the end of that episode, we said that if anybody out there has a different theory, or thinks that they can conclusively solve this problem, they should write into us and if they do conclusively solve it, I will send them a personal pan pizza.
And, um, we got hundreds of emails about this. We're still getting them to this day. And producer Phia Bennin, who is in the room, hello—
PHIA: Hello!
ALEX GOLDMAN: —uh, did the, uh, intrepid investigative work of actually following all of these leads and seeing where they went.
PHIA: Yes. And here’s what I can promise you: by the end of this conversation, I feel completely confident that you will pick somebody who has earned a personal pan pizza.
PJ: Alright.
PHIA: Um, what I also have to say is when I was looking into all of this, I learned a lot of things that terrified me. I have become incredibly paranoid and if I do my job correctly today, you will never touch a computer again after this conversation.
PJ: Alright, let's go.
PHIA: Ok. So, first, I feel kind of obliged to tell you that we got about a million responses that said we should've run a different virus scanner on Alex's dad's tablet. Um, a bunch suggested something called Malwarebytes, and so his dad and I did that. No viruses were found.
ALEX GOLDMAN: Huh…
PJ: Ok.
PHIA: So. Just—that was a little disappointing. I thought, like, maybe we would solve it quickly. We didn’t.
PJ: I feel like all it did was reduce the certainty of an answer that I still feel pretty good about, but do you know what I mean?
PHIA: Yeah, yeah. It was just like, “Shucks.”
ALEX GOLDMAN: It was just like, “Shucks.”
PHIA: It was just like, “Shucks.”
PJ: No pizzas for any of those people. Although helpful. Thank you. I’m glad to know.
PHIA: Yeah!
PHIA: So, now we can get into the stuff that I think is like the good stuff. To start, theory #1.
[MUSIC]
PHIA: This theory comes to us from a guy named Nick, he lives in Florida. And I’m calling his theory “Beware All Keyboards.”
So this theory is that like, at some point before Alex’s Uber got hacked, maybe he logged onto a computer, logged onto his email, and that computer had a keystroke logger on it. So, like, there was some little piece of software on the computer collecting every keystroke Alex typed in.
Here’s Nick:
NICK SAMBRATO: So I’m not the most technically savvy person, um, and I only know this through experience and I’ve retained it out of fear.
PHIA: Ok.
NICK: And this was 2001, 2002, something like that. And I worked at a little, small software, um, company.
PHIA: The head developer there was like, “Just for fun, I designed a keystroke logger that is logging all the keystrokes of everybody in network.”
PJ: Nooo!
ALEX GOLDMAN: That’s very sketchy.
PHIA: And Nick was like, “We asked him to like, show us how it works, and we all crowded around his computer, and he was like, ‘Let’s see what our coworker over there is doing.’”
ALEX GOLDMAN: Ohhh...
PHIA: And they already knew that she was, uh, online dating, which they were giving her a lot of crap about, because in the early 2000s that was like—
PJ: Weeeeeeird to people.
PHIA: Mhm. And so like, Nick and all of his co-workers gathered around the one tech guy’s computer.
NICK: And he popped up this little, like terminal window and, um, he's like, "Let me show you." What is the word? Not internet—what's the next step from internet dating if you don't meet in real life but you want to take it to the next level? Um, now you sext. There's sexting, but back then, it’s cybering.
PHIA: Uh-huh...
NICK: So we picked up right in the middle of a cyber session.
PHIA: Oh no!
NICK: Yeah. And we, I mean—I mean, four guys standing around a cubicle screamed.
PHIA: They all of a sudden realized they were seeing something they absolutely should not be looking at. And they immediately felt tremendously icky.
NICK: Yeah, so we, I mean, shut the window right away. Yeah, yeah. So that's how I met keystroke logging.
PHIA: So Nick figures, that totally is what could’ve happened to Alex Blumberg.
PJ: Which is a good theory. Except that I actually checked this with Alex.
PHIA: Mhm.
PJ: And he was like—he said, "No, no, no. I really—I only used my phone, Naz's phone, and my dad's tablet." Like, there just—there wasn't some point where he just like, went onto a stray computer somewhere.
PHIA: Yeah, but that only really accounts for like what he's doing in the Bahamas. Like, he could've logged onto a computer with a keystroke logger, like, anytime before the trip. Like, it could've been like months ago. Um, and somebody could just be like holding onto those credentials and happen to use them now. Like it could be kind of a coincidence.
PJ: Yeah, I guess that’s true. Like, I would say, probably at some point in your life, you've used a computer that had a keylogger on it. Like, at a library for 10 seconds, or like—
PHIA: Mhm.
PJ: Or like, I think that there's enough of this stuff out there that like—yeah.
PHIA: Right. Like, it’s a little freaky to think about, and like, and—and—I’ll just—like, as I continue to talk to our listeners about different potential threats to Alex Blumberg's Uber account, like, it just got scarier and scarier. Like, things got super creepy.
PJ: I’m excited to go on this journey of creepiness with you. Before we move on, all I want to establish—this theory is—we’re not giving the pizza to this person, right?
ALEX GOLDMAN: Yeah, it’s a good theory. Not pizza worthy.
PJ: Ok. So what is the next thing? What’s the next theory?
PHIA: Ok. So, theory #2.
[MUSIC]
PHIA: It comes to us from a guy named Mick Lawlor, he is a security researcher based in Durham, North Carolina. And I’m calling his theory “Beware all Wi-Fi.”
ALEX GOLDMAN: K.
PHIA: So, Mick has a device called a Wi-Fi pineapple.
ALEX GOLDMAN: (Laughs)
PJ: What?
ALEX GOLDMAN: It's so cute!
PJ: I know what both of those words mean separately.
ALEX GOLDMAN: (Laughs)
PHIA: Yeah, I mean, I was curious, like, what he was even referring to.
ALEX GOLDMAN: Mhm.
PHIA: Can you describe it for me? What does it look like?
MICK LAWLOR: Very, very small. Uh, it's only the size of my palm.
PHIA: Huh.
MICK: And it's basically a computer.
PHIA: Huh!
MICK: Um, this one, in particular, they've modified to have two antennas, which are radios to call out and to receive. There's also little switches here to do different, uh, attacks, as well.
PHIA: Ok.
MICK: Yeah. And it's super, super powerful.
PHIA: So, to give you an idea of what the Wi-Fi pineapple is capable of, if you imagine hanging out at a Starbucks, you go there, and you have your laptop and you're doing work and there's a ton of other people there. And what you don't realize is somebody's just walked in with a backpack on and inside his backpack is a Wi-Fi pineapple.
And as soon as he walked into that Starbucks, it started sending out a signal saying like, "Connect to me! I'm the Internet."
PJ: So, I'd be sitting in Starbucks. I'm the sucker.
PHIA: Mhm. Yeah.
PJ: And I—and I go to my Wi-Fi list and see “Starbucks Free Wi-Fi” and I’d click it.
PHIA: Yeah.
PJ: But what I’d really be getting is this other guy, pretending to be Starbucks Free Wi-Fi.
PHIA: Right.
PJ: And so I’d still get connected to the Internet, but everything would go through him, and he could spy on it, right?
PHIA: Right. And it would have a little bit of code in the pineapple that says, “Anytime PJ tries to go to Facebook.com, instead give an unsecure version of Facebook.” So instead of https, it’d just be http.
PJ: Yeah.
PHIA: And then the rest of it would look like Facebook.
PJ: But that would allow them to grab—
PHIA: Well, and so when you logged on, it would collect your username and your password. And Mick said, you know, this is just something for Starbucks customers to be worrying about.
MICK: I can set this up anywhere. You think about—
PHIA: (Gasps) Ooh...!
MICK: That’s just one instance. But let’s think about—let's go one step further. Let's go airports, let's go hospitals. Let's go—uh, the City of Durham actually has, uh, Wi-Fi when you walk around downtown Durham and it's free to use to the public. So let's think about the guy that’s just walking down the sidewalk with one of these in their backpack.
PHIA: You are giving me the heebie jeebies. This is so freaky.
MICK: (Laughs) It’s, it’s—and actually they sell a—a covered box that looks like a smoke detector or just—
PHIA: (Gasps)
MICK: —an ominous box on your—on your wall.
PHIA: Oh my god, that is so creepy!
PHIA: So, there’s a name for this. It’s called a man-in-the-middle attack. And Mick explained to me that another way that this could have gone down, like a way it could’ve affected Blumberg, is that while he was in the Bahamas, you know, he was staying at an Airbnb.
PJ: Yeah.
PHIA: If the Airbnb hosts were trying to collect his credentials—
ALEX GOLDMAN: Right.
PHIA: Or if somebody had set up a pineapple right outside his Airbnb place, this could be like a little side business—
PJ: God or—
PHIA: —selling Uber accounts off of—
PJ: You probably—if you're an Airbnb host, you’re probably not gonna do something like this because it'll eventually come back to you.
PHIA: Mhm.
PJ: But what if you're just a person who stays at an Airbnb? And like, leaves behind something like a—a pineapple—Wi-Fi pineapple.
PHIA: Mhm.
PJ: Like, for most people, how often do you look at your router? Do you know what I mean?
PHIA: Mhm.
PJ: Like, I—that's not an object that if I found in my house would creep me out.
ALEX GOLDMAN: I guess that—the question I have is if they were collecting this information why would it just have been Alex and not—like, I'm sure that Naz and, uh, Alex's parents were also using their—emails, their emails.
PJ: And their Ubers weren't hacked.
ALEX GOLDMAN: And none of their information was taken.
PJ: Ok, I think that what this falls under the category of is interesting and creepy information. No personal pan pizza. I don't feel like it's our solution.
PHIA: Right. I don’t, I don’t think this is actually the correct answer either. Um, because, it doesn’t answer this like, huge question that actually, Alex Blumberg kept having, when we were originally trying to solve this, which is that he has two-factor authentication on his email. So, when he logs in from a new computer, he not only has to put in his credentials, he also has to put in this code that he gets from a text message.
ALEX GOLDMAN: Right.
PHIA: But, I talked to this other guy, he’s based in Toronto, and he says he has a way that he thinks it could actually have worked.
DANIEL BOTEANU: Yes. So, my name is Daniel Boteanu. I'm a digital forensic investigator.
PHIA: So you're like a real detective.
DANIEL: Uh, of the digital world, yes.
PHIA: Do you have, you have a theory about—? Well, let me preface, before any of this, I am not the person who decides whether you get a pan pizza.
DANIEL: (laughs) Fair enough. So, when I heard the interviews and the, last week's show, one of the things that came to mind is, "Nobody's thinking of Alex's phone. Uh, what if Alex's phone got hacked?"
PJ: Oh, interesting!
PHIA: Yeah! He told me about this way that you could actually get into Alex’s phone. This is Theory #3.
[MUSIC]
PHIA: The “Beware the Phone Company” theory.
PJ: So how does it go?
PHIA: So, Daniel told me, you know, phone companies they all talk to each other, like that’s how you can have coverage while you’re on vacation.
DANIEL: Uh, for example, AT&T in the U.S. talks to Orange in France.
PHIA: Oh.
DANIEL: So, that's what allows them, when you go visit Paris and you turn on your phone there, the Orange network in France sees your phone number, sees that you're an AT&T customer, and then will talk to AT&T and tell them, "Hey, I see this number that just appeared in Paris."
PHIA: Right.
DANIEL: Uh. Now if Alex used his phone in the Bahamas, the network in the Bahamas had to talk to his network in the US just to say, “This phone is roaming.” So, the way this communication happens between the phone companies, it's not a human talking to a human at the other end, everything's computers.
PHIA: Mhm.
DANIEL: Uh, and the problem with it is: anybody can pretend that they have a small phone company, uh, and talk to the big providers in the state saying, "Oh, I see, uh, this phone that just appeared in my network. I will be receiving all messages for it. Please forward them to me."
PHIA: (inhales) Oh… so they'd be communicating with Verizon saying, "I'm—I'm the local Bahamas phone company."
DANIEL: And the phone's in Bahamas, so send me all the text messages and calls and I will gladly forward them to the phone which isn't under my coverage.
PHIA: (Gasps) Oh my god!
PHIA: So, Daniel says the way that this would work to get around two-factor authentication is that when an authentication code was sent, it would go to the attacker, and they would have the choice of whether to forward that onto Alex Blumberg or not. So they would have the code that they could use in his Gmail.
PJ: But the thing with that, is you would get, if Alex like—at some point Alex did log into his Gmail, he gets that text message, you see the code for the two-factor authentication, but you don’t have his password.
PHIA: Right. You’d already have to have Alex’s username and password. And so, Daniel told me, like the most likely way that this occurs is that it’s actually a targeted attack on Alex Blumberg. You know like, it’s gotta be something like corporate espionage.
ALEX GOLDMAN: Get out of here!
PHIA: I know and it seems like probably kind of a far-fetched idea, but I've actually heard of examples of this happening to people in the media industry and people in general. Um, there's this one story that's, like a different version of the "Beware the Phone Company" attack. It happened to this guy, that I think you guys have heard of, his name's Deray McKesson, you know who that is?
ALEX GOLDMAN: Yes. He's an activist and, uh, he's very popular on Twitter, he ran for Baltimore mayor.
PHIA: Right. I mean he's like, super involved in the Black Lives Matter movement and has, you know, three quarters of a million Twitter followers.
ALEX GOLDMAN: Yes.
PJ: Not a Twitter account you would want to be hacked.
PHIA: Exactly. So, this happened to him last summer.
DERAY MCKESSON: I was at a conference, actually. I was sitting on a panel and I have two phones that I travel with every day.
PHIA: You have two phones? Do they have the same number?
DERAY: No, they're two different numbers. One is a number that I've had ever since I ever got a phone when I was a teenager. And this—I have another number, which is the number you have. And that is the number I use the most, but—especially in protests—you know, it was important that I was never without a phone. So if one died I could just turn the other one. I was rarely ever without a functional phone.
So I was on a panel, I had both the phones in front of me. And the number that I use—like the everyday number that I use—all of a sudden, um, I'm talking but I see the screen go like, "Activate your"—it's like the screen comes up, that's like, "Activate your phone." And I'm like, "Well, that's really weird."
PHIA: By the time he leaves the panel, he's getting texts from people being like, "What is going on?" Like, "Why are you tweeting out that you endorsed Trump as a candidate?"
ALEX GOLDMAN: (Sighs) Man...
PJ: Oh god...
PHIA: Somebody has completely hacked into his Twitter account.
PJ: What else were they tweeting?
PHIA: There was another tweet that was like, um, something like, "I'm not—by the way, I’m not black."
PJ: So like, racist troll.
PHIA: Yeah.
DERAY: So, luckily the panel's at the end. I get off the panel and I call Verizon. And, lo and behold, somebody calls Verizon posing as me. They essentially got the SIM card changed over the phone.
PHIA: Oh my god!
DERAY: So what they did is that they have my phone. My number got sent to another phone and then they did the two-factor, so the text with the passcode went to a different phone.
PHIA: Which means that like, the phone in front of him at the panel was no longer attached to his account.
PJ: (whispers) Right.
DERAY: I luckily got my account back later that day, but yeah that was wild. I didn't even know you could do that. I had no clue that you could even change a SIM card over the phone.
PHIA: And that’s the other way a person can get around two-factor authentication.
PJ: Oh god.
PHIA: Yeah. It seems like, super nightmarish. And Daniel says, you know, even though it's probably something that Alex should be worrying about...
DANIEL: It’s unlikely that this is what happened. And if I’m doing something at that scale, I’m not also going to go after his Uber account and sell that on the black market—
PHIA: Right.
DANIEL: —and just tip Alex off that something happened to his phone.
PHIA: Right.
DANIEL: I’m just going to try to keep things as quiet as possible.
PHIA: So ultimately, the “Beware the Phone Company” theory makes me very, very scared, but I think it’s very unlikely this is what happened to Alex’s Uber account.
ALEX GOLDMAN: Right.
PHIA: So, I don't think that theory merits a pizza. And after like all of my research into this, the theory that was still standing at the end of the day was that when Alex was in the Bahamas, he logged into Gmail using his dad's Surface Pro. And, the Surface Pro had some malware on it. And through that somebody hacked into Alex's Gmail and his Uber account. And so basically, after doing all of this research, the theory that seems most likely is the one that you, Alex Goldman, presented in the last episode. So, I think you deserve your own personal pan pizza.
[MUSIC - “DJANGLY BITS”]
ALEX GOLDMAN: That rules.
PJ: Huh. Nice job!
[OMINOUS MUSIC]
PHIA: However...after the break...Alex’s theory comes crashing down.
[BREAK]
PHIA: Hi guys!
ALEX GOLDMAN: Hi!
PHIA: So, thank you for coming back into the studio.
ALEX GOLDMAN: Last time we talked I won a pizza!
PHIA: (Laughing) Yes! So we talked a couple days ago when we talked like, we went through a bunch of different theories that—
PJ: We learned a lot about how the world's not a safe place. Why are we back here? Like, what is happening?
ALEX GOLDMAN: Yeah. Is there some kind of update that might cost me a pizza (laughing)?
PHIA: So. (Laughs) So people like continued to be sending in—
PJ: Wait. Before you even say—
PHIA: Ok. Yeah, yeah, yeah.
PJ: —anything, can I just say something?
PHIA: Mhm.
PJ: I just wanna say, I feel like too often I make fun of you and stuff. I wanna say that the fact that you did get it right and earn that pizza is really awesome and you deserve to feel really proud of yourself. And it's really cool.
ALEX GOLDMAN: This is such a neg.
PJ: No! I think it's awesome and like, this is one victory that I would not take away from you because you—you got it. And that's great.
ALEX GOLDMAN: You're just setting this up so that when I—it does get taken away from me.
PJ: I don't know that it's gonna get taken away from you. So Phia, what did you find out?
PHIA: Guys...
PJ: (Laughs)
PHIA: You—you are getting so ahead of yourselves!
PJ: (Laughs)
PHIA: So okay—so, there was just this one part of the story that was still nagging me—which is, if you remember, Uber said they sent emails to Alex when the like, weird activity was happening in Moscow. And Alex said he never saw any of those emails. Like, he never got them.
PJ: Yeah, even in his trash can, like, nothing, nothing, nothing.
PHIA: So, I wrote Melanie Ensign, that woman who works at Uber, and I was like, “I have to find those emails. When did you send those emails?” And she wrote me back. She didn’t actually send me the emails that they’d sent to Alex Blumberg. She just sent me four time stamps for the different times those emails should’ve gone out. And as she sent that to me, I actually heard from another listener who told me about something that I didn’t realize existed. Which is that there’s a place in Google Support that says “restore user’s permanently deleted emails.”
PJ: That's nuts.
ALEX GOLDMAN: I didn't know that that existed either. Does it restore them from the beginning of time?
PJ: I bet you—you can get like a month.
PHIA: You get 25 days.
PJ: (whispers) Nice job, me.
PHIA: And, uh, I learned about this when there were like—the day when Alex was on vacation was 26 days ago.
PJ: Nooo!
ALEX GOLDMAN: Get—get out of here.
PHIA: Oh no, no. Sorry. 24 days ago.
PJ: Aaah!
PHIA: (Laughs)
PJ: What a rollercoaster, man!
PHIA: (laughing) Sorry. Yeah so, I could look back but I had like this tiny window where I could still look back and it's actually you have to like, submit something to Google and then they like, uh, you know, like scrape their system and send you everything.
PJ: I'm literally picturing like, a hard drive at Google Headquarters that like, a conveyor belt is moving towards an incinerator.
PHIA: It feels totally like that. And so like, um, we immediately submitted something to them, they did the scrape, they—they like said, "Ok, now everything should be there." And I started looking at Alex's email with all the restored emails.
PJ: And?
PHIA: (pauses) Nothing!
PJ: Whoa.
ALEX GOLDMAN: Get outta here.
[JAZZY DETECTIVE MUSIC]
PHIA: No emails from Uber. Like, this was so frustrating. So, I ... got on the phone with somebody from Google customer support. And was like, “You guys have not restored all the emails. Like, I know for a fact there are these four emails from these four different specific times. I'm not seeing them in here. You guys are Google. You have to be able to find them.”
PJ: And what'd they say?
PHIA: And the guy was like, "You know, I've never—I've never seen this happen before. This is really strange." And like, I got so frustrated.
And then he told me that there was a whole different way that we could be approaching this, that I didn’t actually need to be talking to him at all. Um, because Gimlet’s email is through a Google Business Account, that through the administrator, I could actually see all the emails coming in and out of Gimlet Media, I could see the subject lines, the like, who they were to and who they were from and when they came in.
PJ: I'm just quickly thinking about like every email I've ever sent at work. I was like, “Eh, it's Gmail. It's all private.” Good to know.
PHIA: Yes. Ok, so, let me—let me quickly pull it up for you. Um, it’s actually called the Admin Console, and there's a feature in here called “Reports.”
PJ: Ok.
PHIA: So, you go into reports and there’s a place for email log search. And now you can look for like, the four specific emails that we know Uber says that they sent to Alex Blumberg. Um. So we’ll put Uber in the “sender” field and Blumberg in the “recipient” field. Does one of you wanna lead—drive this?
PJ: I wanna do it.
ALEX GOLDMAN: Alright.
PHIA: Ok.
PJ: Ok. So, I'm gonna hit search.
PHIA: Mhm.
PJ: Searching … searching … oh wow. So there's one, two, three, four, five emails. So there's many, but, they're all just the ones from once Alex was like, "What's going on with my thing?" “My account has an unrecognized charge,” “I can't sign into my account,” “I can't sign into my account,” “My account has an unrecognized charge.” And finally you get “Interview request: The case of the missing Uber account" (laughing).
ALEX GOLDMAN: I wrote that, uh, subject line.
PJ: Uh. So this is really interesting.
PHIA: Yes. This is when I changed from feeling like Google, scrape through your servers, find these emails to—
PJ: Uber.
PHIA: Maybe these emails never were sent.
ALEX GOLDMAN: Oh my god. This re—requires a dramatic sting. Like a dun dun dunnnn … okay. If—done it. What happened?
PHIA: (Laughs)
PJ: So, yeah, this would seem to suggest that Uber either thinks they sent emails and didn't send them. Or, in the worst scenario, is not telling the truth.
PHIA: Yeah.
PJ: Did you go back to Uber with this?
PHIA: (Long pause) Of course I did!
PJ: (Laughs)
ALEX GOLDMAN: Yeah, what kind of—even I wouldn't ask that question.
PJ: Uh, so what did they say?
PHIA: Ok, so, yesterday—
PJ: You got us?
PHIA: So I wrote her yesterday and she wrote me back fairly quickly and here’s what she said: “Hi Phia! Great news! We figured it out!"
PJ: Uh-huh...
ALEX GOLDMAN: (Laughs)
PHIA: Alex's—Alex's password was part of a data dump that was sold online and tested by a bot script before being sold to the person who used it to request trips.
PJ: Wow.
ALEX GOLDMAN: Ok.
PJ: Wait.
ALEX GOLDMAN: I'm still super confused...
PJ: Hold on—I have specifi—data dump? Whose data dump? Like she said “data dump on a botnet.” Like, are they saying, "Oh, things were actually breached?"
PHIA: So she followed up with a second email. And she said … let me see, "By the way, we found his account in data dumps from LinkedIn, Dropbox, and Myspace, which isn't surprising since they announced previous data breaches. If he hasn't changed those passwords recently he should."
PJ: But we checked that.
PHIA: Right! So, I forwarded all of this to our digital forensics expert, that guy Daniel Boteanu.
PJ: And?
PHIA: And I said to him: "I find this confusing. Does it make sense to you?"
PJ: And he said?
PHIA: And he said, "No, it does not."
ALEX GOLDMAN: Oh my god.
PHIA: Yeah, he was like, “For one, where are the emails that they said they sent?”
PJ: Right. This feels really weird. Wh-what did Uber say?
PHIA: Well, a couple hours ago, I came back into the studio with Alex Blumberg, who has a terrible head cold, and we called Uber.
[PHONE RINGS]
MELANIE ENSIGN: Hi, this is Melanie.
PHIA: Hi Melanie, it's Phia!
MELANIE: Hi! How are you?
PHIA: Um, I’m here with Alex and I’m recording our call.
ALEX BLUMBERG: Hey Melanie!
MELANIE: Awesome! Hi Alex!
PHIA: She said she realized that in order to solve this problem she needed to call in, like, the big guns.
MELANIE: We actually have an elite team within our security organization, uh, that deals specifically with account security and compromised accounts, um, and those types of issues. So I—I thought, “Why don’t I go spend some time with them and let’s actually do a legitimate forensics investigation and figure out what’s happened?”
ALEX BLUMBERG: Ok.
PHIA: Um, what happened?
MELANIE: It turns out the initial email address that was actually associated with your account—
ALEX BLUMBERG: Uh-huh.
MELANIE: —was your former email address from This American Life.
ALEX BLUMBERG: Ohhhhhhhhh.
ALEX GOLDMAN: Ooohhhhhhhhhhhhhhhhhhh.
PHIA: (Laughs)
PJ: So this is like his old work email address.
PHIA: Right.
MELANIE: So the notifications saying, “Your email address has been changed,” “Your phone number has been changed,” “Your password has been changed,” were all going to that address.
ALEX BLUMBERG: To the thislife.org address. Which is no longer even active. Which is a dead email address.
MELANIE: So those notifications are essentially going into the void.
PJ: Can I also just say this out loud so I make sure that I understand it?
PHIA: Yeah.
PJ: Ok. It was not a keylogger, or pineapple Wi-Fi, or anything like that. Basically, all that happened was Alex Blumberg forgot that years ago, when he signed up for Uber, he used an old work email address.
PHIA: Mhm.
PJ: He also forgot that he used to use the same password for everything, including a bunch of websites that have since been hacked.
And so hackers got his password from one of those websites, and they used it to break into his Uber and steal his rides, and then when Uber tried to warn Alex that this was happening, they emailed the address that they had on file, which was his old work email address. So he never saw it. And, also the hackers might have had access to that anyway.
PHIA: Yeah, and finding that out, it was like, everything all of a sudden started to click, like, remember how he didn’t have his ride receipts?
PJ: Yeah! I remember when we were talking about this like, off-mic, there was a point where he was like—he was like, "Yeah, yeah, yeah. I don't get ride receipts."
PHIA: Right. Everybody was like, "Hold on."
PJ: And, we were like, "But everybody—everybody gets ride receipts."
ALEX GOLDMAN: Yeah, of course you don't.
PJ: But he was, they were just going to his old email account.
PHIA: Right.
PJ: Also, when we searched haveibeenpwned, we searched alex@gimletmedia, we didn't search his old email address.
PHIA: Right. And if you do search that old email address, it has three breaches to it. It's been pwned three times.
ALEX GOLDMAN: Are they—are they LinkedIn, Myspace, and Dropbox?
PHIA: Yes.
PJ: So there you go.
ALEX GOLDMAN: Wow, so we were not just wrong, but we were like double-extra-super wrong.
PHIA: Well, I think like, we were inventing something very complicated because with the data we had that was the most likely outcome.
PJ: Yeah.
PHIA: Or like, the most likely how it happened.
PJ: Did Alex—how did Alex react to all of this?
PHIA: Alex is so thrilled to actually have an answer to like—to know exactly what happened to his account.
PHIA: You feel like “case closed”?
ALEX BLUMBERG: I do! I feel like case closed.
PHIA: Yeah.
ALEX BLUMBERG: Wow!
PHIA: Took us a long time.
ALEX BLUMBERG: All it took was like dozens of engineers at Google, dozens of engineers at Uber, the entire staff of Reply All, a bunch of—a handful—
PHIA: (Laughs) Actually like, all of our listeners.
ALEX BLUMBERG: A bunch of listeners to Reply All, a handful of staff members at uh, at uh—at Gimlet, and my father.
PHIA: Yeah.
ALEX BLUMBERG: And me.
PHIA: Yeah.
ALEX BLUMBERG: Man! It makes it—so on the one hand, that’s great. On the other hand it’s like, what if you don’t have that at your disposal? Like, what are you supposed to do?
PHIA: You have to live with a lot more mystery in your life, I guess. And get a password manager.
ALEX BLUMBERG: Seriously.
PHIA: Yeah.
ALEX BLUMBERG: Boy, is there a lesson to this, isn’t there?
PHIA: There really is.
ALEX BLUMBERG: (Laughing) Yeah...
PHIA: And I don’t have one either. We’re both the worst. Ok.
ALEX BLUMBERG: (Laughs) Ok. Wait, should we just get one right now?
PHIA: A password manager?
ALEX BLUMBERG: I’m—I’m sitting in front of a computer.
PHIA: Oh my god, I don’t want to.
ALEX BLUMBERG: I don’t either… password manager [hear typing]
[MUSIC - “SIMPLICITY”]
PHIA: So like, the final question on the whole thing is like, at this point, who do you owe a pan pizza?
PJ: I feel like I know.
ALEX GOLDMAN: I guess it's Melanie right?
PJ: It's Phia Bennin! (pauses) Are you kidding me?!
PHIA: (Laughs) I mean, I think Melanie could take a pan pizza. I would happily accept a pan pizza. Pizza party?
ALEX GOLDMAN: Look. As I specified.
PHIA: Mm.
ALEX GOLDMAN: It is a personal pan pizza. You are not to share it with anybody in the office.
PJ: What do you think a personal pan pizza is (laughs)?
ALEX GOLDMAN: It is a pizza made in Phia's own personal pan.
PJ: Wow. Ok. So at the end of the day, who's getting pizza? You're getting a pizza, Phia. We're gonna send Melanie a pizza. Which feels a little weird to me, honestly. We find ourselves in the position of being journalists who have to send a pizza to someone we interviewed for a story (laughing) at a company. Whatever. Sometimes you end up in a weird place. I feel like our forensics guy, Daniel Boteanu, I feel like he probably gets a pizza.
PHIA: Mhm. He was very helpful.
PJ: Ok, cool.
PHIA: Cool!
ALEX GOLDMAN: Good work, Phia.
PJ: Yeah, nice job.
PHIA: Thanks! That's really nice.
[MUSIC FADES OUT]
[CREDITS SONG PLAYS]
CREDITS:
Reply All is hosted by me, PJ Vogt, and Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. Production assistance from Sherina Ong. We’re edited by Tim Howard and Jorge Just. We were mixed by Kate Bilinski.
Special thanks to Stevie Lane, Richard Blumberg, Gabriel Lewis, Alex Kruglov, Tim Harford, and all of the listeners who wrote in with their theories. You all are awesome.
Also, if you are going to be in New York City on April 30th, Email Debt Forgiveness Day, we're gonna be at The Bell House. We're doing a very low-key show, uh, with our friend Linda Holmes from Pop Culture Happy Hour. Uh, you can get tickets at gimlet.media/ReplyAllLive. Come. It'll be fun. We look forward to seeing you.
Our theme music is by the mysterious Breakmaster Cylinder. Our ad music is by Build Buildings. And the song at the end of the episode this week is “Simplicity” by MACROFORM. And our logo is by Matt Lubchansky.
Matt Lieber is a lost t-shirt that just shows up again one day.
You can visit our website at replyall.limo, and you can find more episodes of the show on iTunes or Spotify or wherever you would like to listen to podcasts. It’s your choice. Thank you for listening. We’ll see you next week.
If you have not listened to Episode 91, "The Russian Passenger," which was about Alex Blumberg's Uber account being hacked, go listen to that before you listen to this episode. If you don't, it'll be like just watching the last episode of a TV show: you'll ruin a bunch of surprise for yourself, and also just be confused.
Go back, listen, come back here. Ok. Let's go.
PHIA BENNIN: Previously on Reply All:
[CREEPY MUSIC]
PJ: Somehow, someone, in Russia, got the password for your Uber and is just like—
ALEX BLUMBERG: And hacked my Uber account, right?
PJ: Yeah.
MELANIE ENSIGN: Whoever had access to his email account was clicking on those links, verifying it was him, and then deleting the notification [sic] before he saw them.
TROY: You sort of leave these little traces of yourself all over the internet. And as time goes by, those chances of one of the places you’ve left your data being breached and that data then being leaked continues to go up.
ALEX GOLDMAN: So a couple weeks ago, we did an episode called "The Russian Passenger." And in that episode, our boss Alex Blumberg came to us with a question. His question was—
PJ: How did a Russian person steal my Uber account?
ALEX GOLDMAN: Yes. Someone had been taking trips around Moscow, uh—
PJ: On his ruble.
ALEX GOLDMAN: (Laughs)
PJ: On his ruble dime.
ALEX GOLDMAN: What a dumb joke...
PJ: So...
ALEX GOLDMAN: So.
PJ: He wanted us to figure out what happened. Which sort of seems simple enough, and then ended up being like, insanely complicated.
ALEX GOLDMAN: Right. And after testing a bunch of theories, what we came to as the most likely scenario was that Alex was on vacation in the Bahamas with his dad, Richard, and his dad has a tablet, a Surface Pro. Alex logged into his Gmail on the Surface Pro, and there was malware on the tablet, which, uh, gave hackers his username and password. They got into his Gmail. They hacked his Uber. But we never found any conclusive proof that that happened.
PJ: Right.
ALEX GOLDMAN: At the end of that episode, we said that if anybody out there has a different theory, or thinks that they can conclusively solve this problem, they should write into us and if they do conclusively solve it, I will send them a personal pan pizza.
And, um, we got hundreds of emails about this. We're still getting them to this day. And producer Phia Bennin, who is in the room, hello—
PHIA: Hello!
ALEX GOLDMAN: —uh, did the, uh, intrepid investigative work of actually following all of these leads and seeing where they went.
PHIA: Yes. And here’s what I can promise you: by the end of this conversation, I feel completely confident that you will pick somebody who has earned a personal pan pizza.
PJ: Alright.
PHIA: Um, what I also have to say is when I was looking into all of this, I learned a lot of things that terrified me. I have become incredibly paranoid and if I do my job correctly today, you will never touch a computer again after this conversation.
PJ: Alright, let's go.
PHIA: Ok. So, first, I feel kind of obliged to tell you that we got about a million responses that said we should've run a different virus scanner on Alex's dad's tablet. Um, a bunch suggested something called Malwarebytes, and so his dad and I did that. No viruses were found.
ALEX GOLDMAN: Huh…
PJ: Ok.
PHIA: So. Just—that was a little disappointing. I thought, like, maybe we would solve it quickly. We didn’t.
PJ: I feel like all it did was reduce the certainty of an answer that I still feel pretty good about, but do you know what I mean?
PHIA: Yeah, yeah. It was just like, “Shucks.”
ALEX GOLDMAN: It was just like, “Shucks.”
PHIA: It was just like, “Shucks.”
PJ: No pizzas for any of those people. Although helpful. Thank you. I’m glad to know.
PHIA: Yeah!
PHIA: So, now we can get into the stuff that I think is like the good stuff. To start, theory #1.
[MUSIC]
PHIA: This theory comes to us from a guy named Nick, he lives in Florida. And I’m calling his theory “Beware All Keyboards.”
So this theory is that like, at some point before Alex’s Uber got hacked, maybe he logged onto a computer, logged onto his email, and that computer had a keystroke logger on it. So, like, there was some little piece of software on the computer collecting every keystroke Alex typed in.
Here’s Nick:
NICK SAMBRATO: So I’m not the most technically savvy person, um, and I only know this through experience and I’ve retained it out of fear.
PHIA: Ok.
NICK: And this was 2001, 2002, something like that. And I worked at a little, small software, um, company.
PHIA: The head developer there was like, “Just for fun, I designed a keystroke logger that is logging all the keystrokes of everybody in network.”
PJ: Nooo!
ALEX GOLDMAN: That’s very sketchy.
PHIA: And Nick was like, “We asked him to like, show us how it works, and we all crowded around his computer, and he was like, ‘Let’s see what our coworker over there is doing.’”
ALEX GOLDMAN: Ohhh...
PHIA: And they already knew that she was, uh, online dating, which they were giving her a lot of crap about, because in the early 2000s that was like—
PJ: Weeeeeeird to people.
PHIA: Mhm. And so like, Nick and all of his co-workers gathered around the one tech guy’s computer.
NICK: And he popped up this little, like terminal window and, um, he's like, "Let me show you." What is the word? Not internet—what's the next step from internet dating if you don't meet in real life but you want to take it to the next level? Um, now you sext. There's sexting, but back then, it’s cybering.
PHIA: Uh-huh...
NICK: So we picked up right in the middle of a cyber session.
PHIA: Oh no!
NICK: Yeah. And we, I mean—I mean, four guys standing around a cubicle screamed.
PHIA: They all of a sudden realized they were seeing something they absolutely should not be looking at. And they immediately felt tremendously icky.
NICK: Yeah, so we, I mean, shut the window right away. Yeah, yeah. So that's how I met keystroke logging.
PHIA: So Nick figures, that totally is what could’ve happened to Alex Blumberg.
PJ: Which is a good theory. Except that I actually checked this with Alex.
PHIA: Mhm.
PJ: And he was like—he said, "No, no, no. I really—I only used my phone, Naz's phone, and my dad's tablet. Like, there just—there wasn't some point where he just like, went onto a stray computer somewhere.”
PHIA: Yeah, but that only really accounts for like what he's doing in the Bahamas. Like, he could've logged onto a computer with a keystroke logger, like, anytime before the trip. Like, it could've been like months ago. Um, and somebody could just be like holding onto those credentials and happen to use them now. Like it could be kind of a coincidence.
PJ: Yeah, I guess that’s true. Like, I would say, probably at some point in your life, you've used a computer that had a keylogger on it. Like, at a library for 10 seconds, or like—
PHIA: Mhm.
PJ: Or like, I think that there's enough of this stuff out there that like—yeah.
PHIA: Right. Like, it’s a little freaky to think about, and like, and—and—I’ll just—like, as I continue to talk to our listeners about different potential threats to Alex Blumberg's Uber account, like, it just got scarier and scarier. Like, things got super creepy.
PJ: I’m excited to go on this journey of creepiness with you. Before we move on, all I want to establish—this theory is—we’re not giving the pizza to this person, right?
AG: Yeah, it’s a good theory. Not pizza worthy.
PJ: Ok. So what is the next thing? What’s the next theory?
PHIA: Ok. So, theory #2,
[MUSIC]
PHIA: It comes to us from a guy named Mick Lawlor, he is a security researcher based in Durham, North Carolina. And I’m calling his theory “Beware all Wi-Fi.”
ALEX GOLDMAN: K.
PHIA: So, Mick has a device called a Wi-Fi pineapple.
ALEX GOLDMAN: (Laughs)
PJ: What?
ALEX GOLDMAN: It's so cute!
PJ: I know what both of those words mean separately.
ALEX GOLDMAN: (Laughs)
PHIA: Yeah, I mean, I was curious, like, what he was even referring to.
ALEX GOLDMAN: Mhm.
PHIA: Can you describe it for me? What does it look like?
MICK LAWLOR: Very, very small. Uh, it's only the size of my palm.
PHIA: Huh.
MICK: And it's basically a computer.
PHIA: Huh!
MICK: Um, this one, in particular, they've modified to have two antennas, which are radios to call out and to receive. There's also little switches here to do different, uh, attacks, as well.
PHIA: Ok.
MICK: Yeah. And it's super, super powerful.
PHIA: So, to give you an idea of what the Wi-Fi pineapple is capable of, if you imagine hanging out at a Starbucks, you go there, and you have your laptop and you're doing work and there's a ton of other people there. And what you don't realize is somebody's just walked in with a backpack on and inside his backpack is a Wi-Fi pineapple.
And as soon as he walked into that Starbucks, it started sending out a signal saying like, "Connect to me! I'm the Internet."
PJ: So, I'd be sitting in Starbucks. I'm the sucker.
PHIA: Mhm. Yeah.
PJ: And I— and I go I to my Wi-Fi list and see "Starbucks Free Wi-Fi” and I’d click it.
PHIA: Yeah.
PJ: But what I’d what really be getting is this other guy, pretending to be Starbucks Free Wi-Fi.
PHIA: Right.
PJ: And so I’d still get connected to the Internet, but everything would go through him, and he could spy on it, right?
PHIA: Right. And it would have a little bit of code in the pineapple that says, “Anytime PJ tries to go to Facebook.com” instead give an unsecure version of Facebook. So instead of https, it’d just be http.
PJ: Yeah.
PHIA: And then the rest of it would look like Facebook.
PJ: But that would allow them to grab—
PHIA: Well, and so when you logged on, it would collect your username and your password. And Mick said, you know, this is just something for Starbucks customers to be worrying about.
MICK: I can set this up anywhere. You think about—
PHIA: (Gasps) Ooh...!
MICK: That’s just one instance. But let’s think about—let's go one step further. Let's go airports, let's go hospitals. Let's go—uh, the City of Durham actually has, uh, Wi-Fi when you walk around downtown Durham and it's free to use to the public. So let's think about the guy that’s just walking down the sidewalk with one of these in their backpack.
PHIA: You are giving me the heebie jeebies. This is so freaky.
MICK: (Laughs) It’s, it’s—and actually they sell a—a covered box that looks like a smoke detector or just—
PHIA: (Gasps)
MICK: —an ominous box on your—on your wall.
PHIA: Oh my god, that is so creepy!
PHIA: So, there’s a name for this. It’s called a man-in-the-middle attack. And Mick explained to me that another way that this could have gone down, like a way could’ve affected Blumberg is that while he was in the Bahamas, you know, he was staying at an Airbnb.
PJ: Yeah.
PHIA: If the Airbnb hosts were trying to collect his credentials—
ALEX GOLDMAN: Right.
PHIA: Or if somebody had set up a pineapple right outside his Airbnb place, this could be like a little side business—
PJ: God or—
PHIA: —selling Uber accounts off of—
PJ: You probably—if you're an Airbnb host, you’re probably not gonna do something like this because it'll eventually come back to you.
PHIA: Mhm.
PJ: But what if you're just a person who stays at an Airbnb? And like, leaves behind something like a—a pineapple—Wi-Fi pineapple.
PHIA: Mhm.
PJ: Like, for most people, how often do you look at your router? Do you know what I mean?
PHIA: Mhm.
PJ: Like, I—that's not an object that if I found in my house would creep me out.
ALEX GOLDMAN: I guess that—the question I have is if they were collecting this information why would it just have been Alex and not—like, I'm sure that Naz and, uh, Alex's parents were also using their—emails, their emails.
PJ: And their Ubers weren't hacked.
ALEX GOLDMAN: And none of their information was taken.
PJ: Ok, I think that what this falls under the category of is interesting and creepy information. No personal pan pizza. I don't feel like it's our solution.
PHIA: Right. I don’t, I don’t think this is actually the correct answer either. Um, because, it doesn’t answer this like, huge question that actually, Alex Blumberg kept having, when we were originally trying to solve this, which is that he has two-factor authentication on his email. So, when he logs in from a new computer, he not only has to put in his credentials, he also has to put in this code that he gets from a text message.
ALEX GOLDMAN: Right.
PHIA: But, I talked to this other guy, he’s based in Toronto, and he says he has a way that he thinks it could actually have worked.
DANIEL BOTEANU: Yes. So, my name is Daniel Boteanu. I'm a digital forensic investigator.
PHIA: So you're like a real detective.
DANIEL: Uh, of the digital world, yes.
PHIA: Do you have, you have a theory about—? Well, let me preface, before any of this, I am not the person who decides whether you get a pan pizza.
DANIEL: (laughs) Fair enough. So, when I heard the interviews and the, last week's show, one of the things that came to mind is, "Nobody's thinking of Alex's phone. Uh, what if Alex's phone got hacked?"
PJ: Oh, interesting!
PHIA: Yeah! He told me about this way that you could actually get into Alex’s phone. This is Theory #3.
[MUSIC]
PHIA: The “Beware the Phone Company” theory.
PJ: So how does it go?
PHIA: So, Daniel told me, you know, phone companies they all talk to each other, like that’s how you can have coverage while you’re on vacation.
DANIEL: Uh, for example, AT&T in the U.S. talks to Orange in France.
PHIA: Oh.
DB: So, that's what allows them, when you go visit Paris and you turn on your phone there, the Orange network in France sees your phone number, sees that you're an AT&T customer, and then will talk to AT&T and tell them, "Hey, I see this number that just appeared in Paris."
PHIA: Right.
DANIEL: Uh. Now if Alex used his phone in the Bahamas, the network in the Bahamas had to talk to his network in the US just to say, “This phone is roaming.” So, the way this communication happens between the phone companies, it's not a human talking to a human at the other end, everything's computers.
PHIA: Mhm.
DANIEL: Uh, and the problem with it is: anybody can pretend that they have a small phone company, uh, and talk to the big providers in the state saying, "Oh, I see, uh, this phone that just appeared in my network. I will be receiving all messages for it. Please forward them to me."
PHIA: (inhales) Oh… so they'd be communicating with Verizon saying, "I'm—I'm the local Bahamas phone company."
DANIEL: And the phone's in Bahamas, so send me all the text messages and calls and I will gladly forward them to the phone which isn't under my coverage.
PHIA: (Gasps) Oh my god!
PHIA: So, Daniel says the way that this would work to get around two-factor authentication is that when a authentication code was sent, it would go to the attacker, and they would have the choice of whether to forward that onto Alex Blumberg or not. So they would have the code that they could use in his Gmail.
PJ: But the thing with that, is you would get, if Alex like—at some point Alex did log into his Gmail, he gets that text message, you see the code for the two-factor authentication, but you don’t have his password.
PHIA: Right. You’d already have to have Alex’s username and password. And so, Daniel told me, like the most likely way that this occurs is that it’s actually a targeted attack on Alex Blumberg. You know like, it’s gotta be something like corporate espionage.
ALEX GOLDMAN: Get out of here!
PHIA: I know and it seems like probably kind of a far-fetched idea, but I've actually heard of examples of this happening to people in the media industry and people in general. Um, there's this one story that's, like a different version of the "Beware the Phone Company" attack. It happened to this guy, that I think you guys have heard of, his name's Deray McKesson, you know who that is?
ALEX GOLDMAN: Yes. He's an activist and, uh, he's very popular on Twitter, he ran for Baltimore mayor.
PHIA: Right. I mean he's like, super involved in the Black Lives Matter movement and has, you know, three quarters of a million Twitter followers.
ALEX GOLDMAN: Yes.
PJ: Not a Twitter account you would want to be hacked.
PHIA: Exactly. So, this happened to him last summer.
DERAY MCKESSON: I was at a conference, actually. I was sitting on a panel and I have two phones that I travel with every day.
PHIA: You have two phones? Do they have the same number?
DERAY: No, they're two different numbers. One is a number that I've had ever since I ever got a phone when I was a teenager. And this—I have another number, which is the number you have. And that is the number I use the most, but—especially in protests—you know, it was important that I was never without a phone. So if one died I could just turn the other one. I was rarely ever without a functional phone.
So I was on a panel, I had both the phones in front of me. And the number that I use—like the everyday number that I use—all of a sudden, um, I'm talking but I see the screen go like, "Activate your"—it's like the screen comes up, that's like, "Activate your phone." And I'm like, "Well, that's really weird."
PHIA: By the time he leaves the panel, he's getting texts from people being like, "What is going on?” Like, “Why are you tweeting out that you endorsed Trump as a candidate?"
ALEX GOLDMAN: (Sighs) Man...
PJ: Oh god...
PHIA: Somebody has completely hacked into his Twitter account.
PJ: What else were they tweeting?
PHIA: There was another tweet that was like, um, something like, "I'm not—by the way, I’m not black.”
PJ: So like, racist troll.
PHIA: Yeah.
DERAY: So, luckily the panel's at the end. I get off the panel and I call Verizon. And, lo and behold, somebody calls Verizon posing as me. They essentially got the SIM card changed over the phone.
PHIA: Oh my god!
DM: So what they did is that they have my phone. My number got sent to another phone and then they did the two-factor, so the text with the passcode went to a different phone.
PHIA: Which means that like, the phone in front of him at the panel was no longer attached to his account.
PJ: (whispers) Right.
DM: I luckily got my account back later that day, but yeah that was wild. I didn't even know you could do that. I had no clue that you could even change a SIM card over the phone.
PHIA: And that’s the other way a person can get around two-factor authentication.
PJ: Oh god.
PHIA: Yeah. It seems like, super nightmarish. And Daniel says, you know, even though it probably something that Alex should be worrying about...
DANIEL: It’s unlikely that this is what happened. And if I’m doing something at that scale, I’m not also going to go after his Uber account and sell that on the black market—
PHIA: Right.
DANIEL: —and just tip Alex off that something happened to his phone.
PHIA: Right.
DB: I’m just going to try to keep things as quiet as possible.
PHIA: So ultimately, the “Beware the Phone Company” theory makes me very, very scared, but I think it’s very unlikely this is what happened to Alex’s Uber account.
ALEX GOLDMAN: Right.
PHIA: So, I don't think that theory merits a pizza. And after like all of my research into this, the theory that was still standing at the end of the day was that when Alex was in the Bahamas, he logged into Gmail using his dad's Surface Pro. And, the Surface Pro had some malware on it. And through that somebody hacked into Alex's Gmail and his Uber account. And so basically, after doing all of this research, the theory that seems most likely is the one that you, Alex Goldman, presented in the last episode. So, I think you deserve your own personal pan pizza.
[MUSIC - “DJANGLY BITS”]
ALEX GOLDMAN: That rules.
PJ: Huh. Nice job!
[OMINOUS MUSIC]
PHIA: However...after the break...Alex’s theory comes crashing down.
[BREAK]
PHIA: Hi guys!
ALEX GOLDMAN: Hi!
PHIA: So, thank you for coming back into the studio.
ALEX GOLDMAN: Last time we talked I won a pizza!
PHIA: (Laughing) Yes! So we talked a couple days ago when we talked like, we went through a bunch of different theories that—
PJ: We learned a lot about how the world's not a safe place. Why are we back here? Like, what is happening?
ALEX GOLDMAN: Yeah. Is there some kind of update that might cost me a pizza (laughing)?
PHIA: So. (Laughs) So people like continued to be sending in—
PJ: Wait. Before you even say—
PHIA: Ok. Yeah, yeah, yeah.
PJ: —anything, can I just say something?
PHIA: Mhm.
PJ: I just wanna say, I feel like too often I make fun of you and stuff. I wanna say that the fact that you did get it right and earn that pizza is really awesome and you deserve to feel really proud of yourself. And it's really cool.
ALEX GOLDMAN: This is such a neg.
PJ: No! I think it's awesome and like, this is one victory that I would not take away from you because you—you got it. And that's great.
ALEX GOLDMAN: You're just setting this up so that when I—it does get taken away from me.
PJ: I don't know that it's gonna get taken away from you. So Phia, what did you find out?
PHIA: Guys...
PJ: (Laughs)
PHIA: You—you are getting so ahead of yourselves!
PJ: (Laughs)
PHIA: So okay—so, there was just this one part of the story that was still nagging me—which is, if you remember, Uber said they sent emails to Alex when the like, weird activity was happening in Moscow. And Alex said he never saw any of those emails. Like, he never got them.
PJ: Yeah, even in his trash can, like, nothing, nothing, nothing.
PHIA: So, I wrote Melanie Ensign, that woman who works at Uber, and I was like, “I have to find those emails. When did you send those emails?” And she wrote me back. She didn’t actually send me the emails that they’d sent to Alex Blumberg. She’s just sent me four time stamps for the different times those emails should’ve gone out. And as she sent that to me, I actually heard from another listener who told me about something that I didn’t realize existed. Which is that there’s a place in Google Support that says “restore user’s permanently deleted emails.”
PJ: That's nuts.
ALEX GOLDMAN: I didn't know that that existed either. Does it restore them from the beginning of time?
PJ: I bet you—you can get like a month.
PHIA: You get 25 days.
PJ: (whispers) Nice job, me.
PHIA: And, uh, I learned about this when there were like—the day when Alex was on vacation was 26 days ago.
PJ: Nooo!
ALEX GOLDMAN: Get—get out of here.
PHIA: Oh no, no. Sorry. 24 days ago.
PJ: Aaah!
PHIA: (Laughs)
PJ: What a rollercoaster, man!
PHIA: (laughing) Sorry. Yeah so, I could look back but I had like this tiny window where I could still look back and it's actually you have to like, submit something to Google and then they like, uh, you know, like scrape their system and send you everything.
PJ: I'm literally picturing like, a hard drive at Google Headquarters that like, a conveyor belt is moving towards an incinerator.
PHIA: It feels totally like that. And so like, um, we immediately submitted something to them, they did the scrape, they—they like said, "Ok, now everything should be there." And I started looking at Alex's email with all the restored emails.
PJ: And?
PHIA: (pauses) Nothing!
PJ: Whoa.
ALEX GOLDMAN: Get outta here.
[JAZZY DETECTIVE MUSIC]
PHIA: No emails from Uber. Like, this was so frustrating. So, I ... got on the phone with somebody from Google customer support. And was like, “You guys have not restored all the emails. Like, I know for a fact there are these four emails from these four different specific times. I'm not seeing them in here. You guys are Google. You have to be able to find them.”
PJ: And what'd they say?
PHIA: And the guy was like, "You know, I've never—I've never seen this happen before. This is really strange." And like, I got so frustrated.
And then he told me that there was a whole different way that we could be approaching this, that I didn’t actually need to be talking to him at all. Um, because Gimlet’s email is through a Google Business Account, that through the administrator, I could actually see all the emails coming in and out of Gimlet Media, I could see the subject lines, the like, who they were to and who they were from and when they came in.
PJ: I'm just quickly thinking about like every email I've ever sent at work. I was like, “Eh, it's Gmail. It's all private.” Good to know.
PHIA: Yes. Ok, so, let me—let me quickly pull it up for you. Um, it’s actually called the Admin Console, and there's a feature in here called “Reports.”
PJ: Ok.
PHIA: So, you go into reports and there’s a place for email log search. And now you can look for like, the four specific emails that we know Uber says that they sent to Alex Blumberg. Um. So we’ll put Uber in the “sender field” and Blumberg in the “recipient” field. Does one of you wanna lead—drive this?
PJ: I wanna do it.
ALEX GOLDMAN: Alright.
PHIA: Ok.
PJ: Ok. So, I'm gonna hit search.
PHIA: Mhm.
PJ: Searching … searching … oh wow. So there's one, two, three, four, five emails. So there's many, but, they're all just the ones from once Alex was like, "What's going on with my thing?" “My account has an unrecognized charge,” “I can't sign into my account,” “I can't sign into my account,” “My account has an unrecognized charge.” And finally you get “Interview request: The case of the missing Uber account" (laughing).
ALEX GOLDMAN: I wrote that, uh, subject line.
PJ: Uh. So this is really interesting.
PHIA: Yes. This is when I changed from feeling like Google, scrape through your servers, find these emails to—
PJ: Uber.
PHIA: Maybe these emails never were sent.
ALEX GOLDMAN: Oh my god. This re—requires a dramatic sting. Like a dun dun dunnnn … okay. If—done it. What happened?
PHIA: (Laughs)
PJ: So, yeah, this would seem to suggest that Uber either thinks they sent emails and didn't send them. Or, in the worst scenario, is not telling the truth.
PHIA: Yeah.
PJ: Did you go back to Uber with this?
PHIA: (Long pause) Of course I did!
PJ: (Laughs)
ALEX GOLDMAN: Yeah, what kind of—even I wouldn't ask that question.
PJ: Uh, so what did they say?
PHIA: Ok, so, yesterday—
PJ: You got us?
PHIA: So I wrote her yesterday and she wrote me back fairly quickly and here’s what she said: “Hi Phia! Great news! We figured it out!"
PJ: Uh-huh...
ALEX GOLDMAN: (Laughs)
PHIA: Alex's—Alex's password was part of a data dump that was sold online and tested by a bot script before being sold to the person who used it to request trips.
PJ: Wow.
ALEX GOLDMAN: Ok.
PJ: Wait.
ALEX GOLDMAN: I'm still super confused...
PJ: Hold on—I have specifi—data dump? Whose data dump? Like she said “data dump on a botnet.” Like, are they saying, "Oh, things were actually breached?"
PHIA: So she followed up with a second email. And she said … let me see, "By the way, we found his account in data dumps from LinkedIn, Dropbox, and Myspace, which isn't surprising since they announced previous data breaches. If he hasn't changed those passwords recently he should.”
PJ: But we checked that.
PHIA: Right! So, I forwarded all of this to our digital forensics expert, that guy Daniel Boteanu.
PJ: And?
PHIA: And I said to him: "I find this confusing. Does it make sense to you?"
PJ: And he said?
PHIA: And he said, "No, it does not."
ALEX GOLDMAN: Oh my god.
PHIA: “Yeah, he was like, for one, where are the emails that they said they sent?”
PJ: Right. This feels really weird. Wh-what did Uber say?
PHIA: Well, a couple hours ago, I came back into the studio with Alex Blumberg, who has a terrible head cold, and we called Uber.
[PHONE RINGS]
MELANIE ENSIGN: Hi, this is Melanie.
PHIA: Hi Melanie, it's Phia!
MELANIE: Hi! How are you?
PHIA: Um, I’m here with Alex and I’m recording our call.
ALEX BLUMBERG: Hey Melanie!
MELANIE: Awesome! Hi Alex!
PHIA: She said she realized that in order to solve this problem she needed to call in, like, the big guns.
MELANIE: We actually have an elite team within our security organization, uh, that deals specifically with account security and compromised accounts, um, and those types of issues. So I—I thought, “Why don’t I go spend some time with them and let’s actually do a legitimate forensics investigation and figure out what’s happened?”
ALEX BLUMBERG: Ok.
PHIA: Um, what happened?
MELANIE: It turns out the initial email address that was actually associated with your account—
ALEX BLUMBERG: Uh-huh.
MELANIE: —was your former email address from This American Life.
ALEX BLUMBERG: Ohhhhhhhhh.
ALEX GOLDMAN: Ooohhhhhhhhhhhhhhhhhhh.
PHIA: (Laughs)
PJ: So this is like his old work email address.
PHIA: Right.
MELANIE: So the notifications saying, “Your email address has been changed,” “Your phone number has been changed,” “Your password has been changed,” were all going to that address.
ALEX BLUMBERG: To the thislife.org address. Which is no longer even active. Which is a dead email address.
MELANIE: So those notifications are essentially going into the void.
PJ: Can I also just say this out loud so I make sure that I understand it?
PHIA: Yeah.
PJ: Ok. It was not a keylogger, or pineapple Wi-Fi, or anything like that. Basically, all that happened was Alex Blumberg forgot that years ago, when he signed up for Uber, he used an old work email address.
PHIA: Mhm.
PJ: He also forgot that he used to use the same password for everything, including a bunch of websites that have since been hacked.
And so hackers got his password from one of those websites, and they used it to break into his Uber and steal his rides, and then when Uber tried to warn Alex that this was happening, they emailed the address that they had on file, which was his old work email address. So he never saw it. And also, the hackers might have had access to that anyway.
PHIA: Yeah, and finding that out, it was like, everything all of a sudden started to click, like, remember how he didn’t have his ride receipts?
PJ: Yeah! I remember when we were talking about this like, off-mic, there was a point where he was like—he was like, "Yeah, yeah, yeah. I don't get ride receipts."
PHIA: Right. Everybody was like, "Hold on."
PJ: And, we were like, "But everybody—everybody gets ride receipts."
ALEX GOLDMAN: Yeah, of course you don't.
PJ: But he was, they were just going to his old email account.
PHIA: Right.
PJ: Also, when we searched haveibeenpwned, we searched alex@gimletmedia, we didn't search his old email address.
PHIA: Right. And if you do search that old email address, it has three breaches to it. It's been pwned three times.
ALEX GOLDMAN: Are they—are they LinkedIn, Myspace, and Dropbox?
PHIA: Yes.
PJ: So there you go.
ALEX GOLDMAN: Wow, so we were not just wrong, but we were like double-extra-super wrong.
PHIA: Well, I think like, we were inventing something very complicated because with the data we had that was the most likely outcome.
PJ: Yeah.
PHIA: Or like, the most likely how it happened.
PJ: Did Alex—how did Alex react to all of this?
PHIA: Alex is so thrilled to actually have an answer to like—to know exactly what happened to his account.
PHIA: You feel like “case closed”?
ALEX BLUMBERG: I do! I feel like case closed.
PHIA: Yeah.
ALEX BLUMBERG: Wow!
PHIA: Took us a long time.
ALEX BLUMBERG: All it took was like dozens of engineers at Google, dozens of engineers at Uber, the entire staff of Reply All, a bunch of—a handful—
PHIA: (Laughs) Actually like, all of our listeners.
ALEX BLUMBERG: A bunch of listeners to Reply All, a handful of staff members at uh, at uh—at Gimlet, and my father.
PHIA: Yeah.
ALEX BLUMBERG: And me.
PHIA: Yeah.
ALEX BLUMBERG: Man! It makes it—so on the one hand, that’s great. On the other hand it’s like, what if you don’t have that at your disposal? Like, what are you supposed to do?
PHIA: You have to live with a lot more mystery in your life, I guess. And get a password manager.
ALEX BLUMBERG: Seriously.
PHIA: Yeah.
ALEX BLUMBERG: Boy, is there a lesson to this, isn’t there?
PHIA: There really is.
ALEX BLUMBERG: (Laughing) Yeah...
PHIA: And I don’t have one either. We’re both the worst. Ok.
ALEX BLUMBERG: (Laughs) Ok. Wait, should we just get one right now?
PHIA: A password manager?
ALEX BLUMBERG: I’m—I’m sitting in front of a computer.
PHIA: Oh my god, I don’t want to.
ALEX BLUMBERG: I don’t either… password manager [TYPING]
[MUSIC - “SIMPLICITY”]
PHIA: So like, the final question on the whole thing is like, at this point, who do you owe a pan pizza?
PJ: I feel like I know.
ALEX GOLDMAN: I guess it's Melanie right?
PJ: It's Phia Bennin! (pauses) Are you kidding me?!
PHIA: (Laughs) I mean, I think Melanie could take a pan pizza. I would happily accept a pan pizza. Pizza party?
ALEX GOLDMAN: Look. As I specified.
PHIA: Mm.
ALEX GOLDMAN: It is a personal pan pizza. You are not to share it with anybody in the office.
PJ: What do you think a personal pan pizza is (laughs)?
ALEX GOLDMAN: It is a pizza made in Phia's own personal pan.
PJ: Wow. Ok. So at the end of the day, who's getting pizza? You're getting a pizza, Phia. We're gonna send Melanie a pizza. Which feels a little weird to me, honestly. We find ourselves in the position of being journalists who have to send a pizza to someone we interviewed for a story (laughing) at a company. Whatever. Sometimes you end up in a weird place. I feel like our forensics guy, Daniel Boteanu, I feel like he probably gets a pizza.
PHIA: Mhm. He was very helpful.
PJ: Ok, cool.
PHIA: Cool!
ALEX GOLDMAN: Good work, Phia.
PJ: Yeah, nice job.
PHIA: Thanks! That's really nice.
[MUSIC FADES OUT]
[CREDITS SONG PLAYS]
CREDITS:
Reply All is hosted by me, PJ Vogt, and Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. Production assistance from Sherina Ong. We’re edited by Tim Howard and Jorge Just. We were mixed by Kate Bilinski.
Special thanks to Stevie Lane, Richard Blumberg, Gabriel Lewis, Alex Kruglov, Tim Harford, and all of the listeners who wrote in with their theories. You all are awesome.
Also, if you are going to be in New York City on April 30th, Email Debt Forgiveness Day, we're gonna be at The Bell House. We're doing a very low-key show, uh, with our friend Linda Holmes from Pop Culture Happy Hour. Uh, you can get tickets at gimlet.media/ReplyAllLive. Come. It'll be fun. We look forward to seeing you.
Our theme music is by the mysterious Breakmaster Cylinder. Our ad music is by Build Buildings. And the song at the end of the episode this week is “Simplicity” by MACROFORM. And our logo is by Matt Lubchansky.
Matt Lieber is a lost t-shirt that just shows up again one day.
You can visit our website at replyall.limo, and you can find more episodes of the show on iTunes or Spotify or wherever you would like to listen to podcasts. It’s your choice. Thank you for listening. We’ll see you next week.