#91 The Russian Passenger

March 16, 2017

Somewhere in Russia, a man calls for a car. Somewhere in New York City, a stranger’s phone buzzes.

Further reading

haveibeenpwned.com
A good article on how and why you should use password managers, and the best password managers out there.

Further listening

Simplicity by Macroform

Email us at replyall@gimletmedia.com and use the subject “theory” if you think you can provide us additional information.

Show transcript

ALEX GOLDMAN: From Gimlet, this is Reply All. I’m Alex Goldman.

PJ VOGT: And I’m PJ Vogt.

ALEX GOLDMAN: Uh, this week we have our boss, Alex Blumberg, in the studio. Uh Alex actually just got back from a vacation in the Bahamas. Uh. How was it?

ALEX BLUMBERG: It was great.

ALEX GOLDMAN: So …  Alex, you asked us to come into the studio and I don’t have any idea why. So, lay it on us!

ALEX BLUMBERG: I need some super tech support help—

PJ: WHOA! You’re crossing segments.

ALEX BLUMBERG: (laughs) I am. I’m–that’s right.

PJ: What’s your super tech support question?

ALEX BLUMBERG: So I was coming home, so I got home from vacation, I woke up the next day, and I look at my phone, uh, and I see … some Uber notifications. And this is weird because I haven’t called Uber ’cause it was like six in the morning. And, that was weird enough. But the really weird thing is that the Uber notifications were in Russian. Here’s a screenshot.

PJ: (whispers) What?

ALEX BLUMBERG: So and I actually speak a little Russian.

PJ: Oh right. So what does it say?

ALEX BLUMBERG: This one says (speaking Russian) which means, your Uber is en route. Ar-Arthur, 4.9 stars, is um, will be there in one minute. Uh, you know, then the next one–Dennis is arriving in a Mercedes Benz E-class–

PJ: Nice!

ALEX BLUMBERG: Blah blah blah blah blah. Arthur is arriving in a Kia Rio. It’s literally–

PJ: Oh! So it’s more than one ride though?

ALEX BLUMBERG: So it’s more than one ride, two–like two different people have called Ubers in Russia (laughs) and the notifications are being sent to my phone.

ALEX GOLDMAN: Alright, so I have some questions.

ALEX BLUMBERG: Yes.

ALEX GOLDMAN: Did you check your Uber account to see if these rides appeared in your history, if that’s possible?

ALEX BLUMBERG: Ok, so, I checked my bank account, and in fact my bank account had been charged with two rides, 25 dollars.

PJ: So, like, what my brain is saying is: “Somehow, someone, in Russia, got the password for your Uber and is just like–”

ALEX BLUMBERG: And hacked my Uber account, right?

PJ: Yeah.

ALEX BLUMBERG: Right, but it’s still being charged to my bank account.

PJ: Yeah.

ALEX BLUMBERG: Right.

PJ: This actually, this seems annoying, but it seems like you call Uber, you tell them this happened, they refund the charges and they change your password.

ALEX BLUMBERG: How naive.

PJ: (laughing)

ALEX BLUMBERG: How innocent. You’re like an innocent, naive little lamb.

PJ: Ok, so what happens?

ALEX BLUMBERG: Alright, so then I like I press the Uber icon on my phone to like, go in, and instead of the normal thing that happens when it shows up and it says, “Hi Alex Blumberg, blah blah blah, where would you like to go?” whatever, the normal screen, I get this screen. . . And it says–

PJ: What? “Uber. Get moving with Uber. Enter your mobile number.” So it’s treating you as a new user, basically–

ALEX BLUMBERG: It’s treating me as the-as if I just downloaded the app and I-they have no record of who I am or anything, and-and–

PJ: Which is weird because you’re on your phone.

ALEX BLUMBERG: It’s on my phone. It’s the app that was installed my phone, but when I open it up, it doesn’t recognize me. So then I’m like, “Uh oh.”

So then the next step would be to call Uber… (pause) It’s impossible to call Uber.

So we emailed help.Uber.com and I got a [sic] e-mail response from them saying like, “We are unable to find a-any account associated with this email and mobile number.” And then I wrote back and I was like, “That’s really weird, because that’s my phone number, it’s definitely associated with this account, I have–I just received notifications this morning to this number.”

PJ: “Credit card charges from your company.”

ALEX BLUMBERG: “I have credit card charges from your company,” etc. etc. etc. And they wrote back the same thing, and they wrote back, “Sorry to hear your trouble, uh, we’re unable to find an account associated with the email, number. For security reasons, please email–“

And so then I kept on writing. And they kept on sending the same form email back and forth, and so then I was like, ok, what do I need to do? How do I–how am I gonna get out of this machine loop that I’m in here, where they keep sending me the same form letter back–

PJ: Over and over again.

ALEX BLUMBERG: Over and over again. And so then I was like, maybe if I-I wrote the word “escalate.”

PJ: (laughing)

ALEX BLUMBERG: And then I started typing some things in all caps–

ALEX GOLDMAN: Wait you just–you–

ALEX BLUMBERG: And I started cursing, just to, is this going to like get me to a higher level of service?

PJ: Like when you get a robot on the phone sometimes when, it’s like you say the right words.

ALEX BLUMBERG: “Agent! Agent! Agent!” I was doing the email equivalent of ‘agent’ over and over again.

ALEX GOLDMAN: Were you do–were you sending these all as individual emails?

ALEX BLUMBERG: Yeah yeah yeah, no, so I have, yeah. So look–it’s like 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, you know, it’s basically 15-20 emails back and forth between me and Uber.

PJ: And it’s all getting the same…

ALEX BLUMBERG: And it’s all getting the same thing. So, by this time I’d roped my wife Nazanin into helping me with this, and we found, and she-her Uber app was still working. And so she found, inside the app, there’s–there is a number that you can find and it’s the number that you are supposed to call if you’ve been assaulted or endangered. That’s the one number that is an actual human being on the other end.

PJ: Huh.

ALEX BLUMBERG: So I called that number.

ALEX GOLDMAN: And…

ALEX BLUMBERG: And I said, “I haven’t been assaulted by a driver.”

PJ: But I need to talk to a person!

ALEX BLUMBERG: “But I need to talk to a person, because”–and then there was a very, very nice lady who was like, “I will try to, I–lemme try to help you.”  

I explained to her the whole story, and she was like “Gimme your phone number,” and I gave her my phone number and she was like “There is no–I have no memory of this phone number.”

ALEX GOLDMAN: Get outta here.

ALEX BLUMBERG: And she was like, “Hold on.” And then she came back and she was like, “There’s one more thing I can do. This is a little unorthodox, but if you give me your credit card number, I think I can call up your account through that.”

And I was like, “Ok.” And I gave her my credit card number, the credit card number that had been charged that very morning from Russia, and she was like, “I have no record of this credit card ever existing at Uber, ever.

PJ: That is so weird.

ALEX GOLDMAN: That’s bonkers.

PJ: It feels–

ALEX BLUMBERG: My entire existence has been erased.

PJ: It feels creepy.

ALEX BLUMBERG: It’s super creepy. And then I was like, “Is there anybody that can help me?” And she was like, “There’s nothing I can do.” So then I was like, “Okay.” (sighs). So then I started emailing some more.

ALEX GOLDMAN: And what–were you getting any variation in response?

ALEX BLUMBERG: No, and then they stopped.

PJ: Did she give you advice about–

ALEX BLUMBERG: And they they just stopped even auto-responding.

PJ: They stopped responding to your emails at all?

ALEX BLUMBERG: Yep. So I have not heard from them in three days.

ALEX GOLDMAN: (clears throat) Ok.

ALEX BLUMBERG: And here are my questions.

PJ: Yeah.

ALEX GOLDMAN: Go for it.

ALEX BLUMBERG: I want to know, how did this happen? And then …Did somehow I–I do this, or was this purely like a data breach at Uber?

ALEX GOLDMAN: Ok! I think that I–I hope that I can answer that. I will look into it for you and I will get back to you.

[MUSIC]

ALEX GOLDMAN: Uh, okay, a week ago–

ALEX BLUMBERG: Yes.

ALEX GOLDMAN: You came to me with a problem.

ALEX BLUMBERG: I did.

ALEX GOLDMAN: And the first thing that I wanted to know was like, is this a freak occurrence or does this happen all the time, and almost immediately, I heard that our coworker, Chris Giliberti had a story that I needed to hear.

CHRIS GILBERTI: It was in early January, 2016, I started getting these notifications in the middle of the night … that … there was somebody … it was like, “Your Uber is arriving.” But it was in Arabic. And there was this guy that was taking trips around Casablanca, in Morocco.

ALEX GOLDMAN: Wow.

CHRIS: And so, at first I was really freaked out because the amounts were really high. Like, 50 or something, or 60 MAD, it’d be like 50 MAD, and it’d be like, “Whoa, like I don’t even take $50 Ubers on my account, like what are, who are you to be taking like these expensive Uber’s?” (laughing) And then I like, did the math and then I was like, “Ok, no that’s like, a dollar.”

CHRIS: And so it’s like, ok, like, I–I could be fine with this for a little bit. Because I wanted to just keep on seeing where he was going.

ALEX GOLDMAN: Hold on, you were just like, “Okay, I’m–I’m fine with this for a little bit, I’m just gonna let this go.”

CHRIS: Yes. He was like pretty respectful about it, like it was like, like towards the end it was like a couple times a week. And I sort of became like weirdly addicted to seeing these trips and, like, Googling, where he was starting and where he was going.

ALEX GOLDMAN: (laughs)

CHRIS: And it was actually upping my Uber rating. Because I had a fairly bad Uber rating because I’d always, like, requested and then I’d take a really long time to get to the car.

So I was like, this is great, this guy is so punctual, he like, requests the Uber, he’s down there, he gets in the car, and so I’m like, okay, this is actually like very symbiotic and also like, I’m helping somebody out, you know? Like …

ALEX GOLDMAN: (laughing) This is so weird.

CHRIS: So I let it keep going for about a month and then I was like ok, well like, I probably do have to do something about this, because I was fine with this guy taking the Ubers but I didn’t want necessarily like, everybody in Morocco to start taking Ubers with my account.

ALEX GOLDMAN: So Chris ended up changing his password and that put an end to the rides around Casablanca. But what I was struck by was just how common this Uber hacking turned out to be, like it wasn’t just you.

ALEX BLUMBERG: Right.

ALEX GOLDMAN: It wasn’t just Chris.

ALEX BLUMBERG: Right.

ALEX GOLDMAN: It’s not a Gimlet exclusive thing.

ALEX BLUMBERG: (laughs) Oh god, that would be weird!

ALEX GOLDMAN: I went on Twitter and found a ton of people who were having similar problems. Like I found people who were reporting that there were raides that they’d never taken in places like London and Hong Kong and France and Indonesia.  Like it’s happening all over the world.

ALEX BLUMBERG: Wow.

ALEX GOLDMAN: And what I was curious about is where these hacked accounts were coming from.

ALEX BLUMBERG: Uh-huh.

ALEX GOLDMAN: Like, how were people getting their hands on them? And I saw that Joseph Cox, who is a writer for Motherboard, and he was on the show (laughing) the other week, um–

PJ: Helping me hack your phone.

ALEX GOLDMAN: Helping you hack my phone.

PJ: Yes.

ALEX GOLDMAN: So, I saw that he had written about exactly this problem.

JOSEPH COX: Hello, can you hear me?

ALEX GOLDMAN: Yes, I can hear you well. Joseph?

JOSEPH: Yeah, how you doing man?

ALEX GOLDMAN: So I called him up in Berlin. And he told me that a while back he was browsing the dark web, and, if you don’t know what that is, that is just a … part of the internet that is not easy to get to, it requires special software to get on, and a lot of illegal stuff is sold there.

JOSEPH: Uh, so I was just browsing one of the Dark Web marketplaces, which uh … I actually spend a lot of time doing. You’ll just go through the listings like you’re on Amazon or Ebay or whatever, and you’ll come across something pretty interesting like 70% of the time.

ALEX GOLDMAN: Can you give me an example?

JOSEPH: Hazmat suits (laughs), AK47s.

ALEX GOLDMAN: (laughs) Oh my god.

JOSEPH: You know, all–all the good stuff, really.

ALEX GOLDMAN: So, Joseph was just poking around, not really looking for anything in particular.

JOSEPH: And I just came across this vendor who said he was selling Uber accounts, uh, and I thought, “Well, that’s pretty interesting.” And then we looked into, and there were a hell of a lot of people selling stolen Uber accounts on the dark web.

ALEX GOLDMAN: And Joseph told me that they’re relatively cheap.

PJ: How cheap is cheap?

ALEX GOLDMAN: They’re between four and seven dollars each.

ALEX BLUMBERG: So you can buy … somebody else’s Uber account.

ALEX GOLDMAN: Mhm.

ALEX BLUMBERG: For four to seven dollars.

ALEX GOLDMAN: Right.

ALEX BLUMBERG: And then, and then, basically what you’re doing is buying my password and login.

ALEX GOLDMAN: Your username and password.

PJ: The fact that like, oh, there’s all these accounts, like to me that suggests that it’s not everybody’s fault, that like, somebody isn’t getting, if somebody shows up and they’re like, “I got 1000 Uber accounts, you want to buy one?” It’s not because they guessed 1000 passwords, it’s because like, Uber made a mistake.

ALEX GOLDMAN: Totally! And that’s what I assumed was the case also. Except Joseph specifically asked Uber if they had gotten hacked.

JOSEPH: Uber, they totally denied that they had a data breach, and then as I continued to report and spoke to these hackers who said that–how they were accessing accounts, that kind of backed up what Uber said. We found no evidence that there was a data breach actually at Uber itself.

ALEX GOLDMAN: And so I decided to go on the dark web and just ask people like, “Hey–where are you getting these Uber accounts?” And, you would be surprised to learn (laughs), I’m sure you’ll be shocked, they’re not super stoked to talk to people who want to talk to them about their criminal activities.

PJ: Well they probably just don’t listen to podcasts.

ALEX GOLDMAN: But, this one guy went by the username “Passman.” Um, I sent him a message saying, “Did all of these Uber accounts come from some huge hack of Uber?”

And he told me the same thing Joseph told me, which was: he didn’t think that anything like that had happened.

ALEX BLUMBERG: Ok.

ALEX GOLDMAN: And I said, “Interesting. Can you do me a favor, and see if, uh, any of these email addresses are in your cache of, um, hacked Uber accounts?”

PJ: And you gave him a bunch of Alex’s email addresses?

ALEX GOLDMAN: A couple. Yeah.

PJ: Ok.

ALEX GOLDMAN: (laughs) And his response was, and I quote, “Why are you giving me your boss’ email addresses? Do you want me to take a crack at his other accounts? That’s daring.”

ALL: (laughter)

PJ: I kind of agree with him.

ALEX BLUMBERG: Yeah.

PJ: “So I went to all the local muggers and I showed them a picture of you–”

ALEX GOLDMAN: (laughs)

PJ: “–And your wallet, and they said they didn’t recognize you but it seemed like you have a lot of money!”

ALEX BLUMBERG: Oh my god. Okay.

ALEX GOLDMAN: Look, whatever, it’s done, I can’t take it back. Um. Regardless, Joseph told me that he had a theory for what might have happened, and it’s this thing that hackers do that they call ‘credential stuffing.’

PJ: That sounds gross.

ALEX GOLDMAN: It does sound pretty gross. Joseph told me how it works:

JOSEPH: So companies’ websites are hacked every single day. Last year we had LinkedIn, Myspace, VK.com. All of these other breaches of tens if not hundreds of millions of accounts. Uh, with email addresses, and passwords being traded amongst hackers. But if you’re a clever hacker, you’re not only going to use those details, to break into accounts on that one site, you’re gonna see if they work on something else. The problem there is that people are using the same password on multiple websites and services.

ALEX GOLDMAN: Ohhhhhh.

JOSEPH: All they’re doing is reusing the password, but they’ll have a special piece of software which can just churn through just hundreds if not thousands, very very quickly. The more that me and my colleagues report on these data breaches every other day, every week, it is password reuse that is the main threat to ordinary users of the internet for sure.

ALEX GOLDMAN: So, at this point I’m thinking like, this might’ve been the thing that happened to you. Uh, someone got your password from some other account, like your diapers.com account, and it was the same password that you use for Uber.

ALEX BLUMBERG: I mean who uses a different password for every single online service they’ve ever–?

ALEX GOLDMAN: Yeah, I–I totally agree. I don’t do it either. And I am definitely rethinking that now that I’ve reported this story. And, to that point, Joseph had a piece of advice.

JOSEPH: Get a password manager, which is a piece of software which will generate unique, strong passwords so you don’t have to remember them.

ALEX GOLDMAN: But, since I know you don’t use a password manager, um, I wanted to know if someone had found your password in some hack that had made its way onto the internet. And luckily there’s a guy who can tell us if that happened.

TROY HUNT: My name is Troy Hunt. I am a security researcher. And I am recording from my home on the Gold Coast in Australia.

ALEX GOLDMAN: Which Troy makes kinda sounds like heaven on earth…

TROY: It’s sunny. It’s gonna be 30 degrees, that’s celsius. Nice and warm. I think I might go out on the water.

ALEX GOLDMAN: Ugh.

TROY: It’s clear skies–

[MUSIC]

ALEX GOLDMAN: Troy’s an internet security researcher. So he knows that the more a person uses the internet, signs up for new services, new websites, the more vulnerable they become.

TROY: You sort of leave these little traces of yourself all over the internet. And as time goes by, those traces just get larger and larger. Uh, and the chances of one of the places you’ve left your data being breached and that data then being leaked continues to go up.

ALEX GOLDMAN: So, in 2013, Troy started a website called haveibeenpwned.com. P-W-N-E-D. It’s a way for people to find out whether their personal information has ended up on the internet

TROY: So when we see data breaches where a company, like, say LinkedIn, is hacked and their data is, uh, ultimately spread across the internet, I grab these data breaches, I aggregate them into a service, and I make them searchable so that people can discover where they’ve been exposed.

PJ: So what’d you find?

ALEX GOLDMAN: Well PJ, why don’t you put your email, your–your personal email address into, into this.

PJ: Oh boy that’s, this is uncomfortable. Okay. [typing noise] OH NO.

ALEX GOLDMAN: (laughing)

ALEX BLUMBERG: (laughing)

PJ: Woooooow. I’ve been pwned.

ALEX GOLDMAN: On how many different sites?

PJ: Two! That’s crazy. Like these are… it’s Adobe and tumblr…  both of these are accounts that I’ve had for-EVER. Oh that feels horrible.

ALEX BLUMBERG: Your username and password is on the dark web.

PJ: That is–

ALEX BLUMBERG: Right now.

PJ: A really bad feeling.

ALEX BLUMBERG: That’s wild.

ALEX GOLDMAN: Alex Blumberg, would you like to take a look and see what’s going on here.

ALEX BLUMBERG: Oh god–have I been pwned?

PJ: (laughs)

ALEX BLUMBERG: I’m–this is terrifying to type this in. [typing sound] Good news! No pwnage found!

PJ: Wow!

ALEX BLUMBERG: Alright.

ALEX GOLDMAN: Alex, I don’t want to rain on your parade and this is probably a little frustrating to hear, but Troy told me that just because the website shows that you haven’t been pwned, that doesn’t 100 percent mean your credentials were never part of a data breach.

TROY: Yeah, there are a heap of unknown unknowns. (laughs) You know? There are all these things that happen that we simply never hear about. There’s stuff that has already happened that will come to light later on. And there’s also stuff that will never come to light.

ALEX GOLDMAN: So, for example, in 2016, 360 million Myspace accounts were put up for sale on the dark web. But they had actually been st- taken in 2013. So for like three years someone was sitting on them, maybe using them, and, uh, Troy couldn’t put them in his data base because he didn’t know they’d been hacked.

ALEX BLUMBERG: So even though I got the message saying that I have not been pwned, I may still be pwned–

ALEX GOLDMAN: Yeah.

ALEX BLUMBERG: Somewhere. Should we interrupt this super tech support to do a very quick Yes Yes No on the, on the origin of pwned?

ALEX GOLDMAN: Yeah. It’s very easy. You ready?

ALEX BLUMBERG: Yeah.

ALEX GOLDMAN: Most people know it because in video games, when you beat somebody very badly you say that they’re “owned.”

ALEX BLUMBERG: Right.

ALEX GOLDMAN: And the ‘p’ is right next to the ‘o’ so people frequently misspelled it and then they misspelled it frequently enough that it just became it’s own word.

ALEX BLUMBERG: Gotcha.

PJ: I could have told you that also. [pause] I didn’t know that. (laughs)

ALEX BLUMBERG: (laughs) So haveibeenpwned.com.

ALEX GOLDMAN: Right. So based on talking to Troy and to Joseph, my working hypothesis has been like your Friendster account got hacked and it made it’s way onto the internet somewhere and it’s just never come to light. But, then I got in touch with Uber. And what they think happened, actually might be a lot worse than that.

ALEX BLUMBERG: What?! What did they tell you?

ALEX GOLDMAN: Um. I’ll tell you after the break.

ALEX BLUMBERG: Oh, Goldman.

ALEX GOLDMAN: (laughs)

[AD BREAK]

[MUSIC]

ALEX GOLDMAN: Welcome back to the show. Ok, so Alex, let me explain what Uber thinks happened.

ALEX BLUMBERG: Ok.

ALEX GOLDMAN: So you told me at the beginning of the show that your account just disappeared altogether, like Uber did not recognize it’s existence.

ALEX BLUMBERG: Yes, exactly.

ALEX GOLDMAN: And what they told me was, when someone changes their account info, like their email address or their phone number, the support team only has access to the new information. So the way that they found your hacked account was the screenshots that we sent them, of your phone’s lock screen, which had driver names and driver’s licenses on them. And from the license plate numbers, they identified the rides that were taken. And from those rides, they identified your account and got it back for you.

Um but once they got your account back, they took a look at it, and they told me that they’re pretty sure that not only was your Uber account hacked, but your Gmail account was hacked.

MELANIE ENSIGN: What we saw on our end, um, was … some suspicious logins, um, for Alex’s Uber account. So whoever was trying to log in did have his password. Um, but we have systems that will detect, um, logins that look suspicious.

ALEX GOLDMAN: That’s Melanie Ensign and she is the person whose job it is to talk about security at Uber. And Melanie told me that when Uber saw your trips in Moscow, the ones that you didn’t actually take, they sent you an email that said, “You have to click on this link to verify that you’re actually now in Moscow.”

MELANIE: And so, whoever had access to his email account was clicking on those links, verifying it was him, and then deleting the notification before he saw them. 

ALEX GOLDMAN: Oh!

MELANIE: And that’s why since Alex doesn’t have any memory of … ever seeing the email, why we believe that somebody had access to his email account first, um, because somebody was taking action on those emails and then deleting them.

ALEX BLUMBERG: These is where I’m like, “Okay maybe.” But there’s one thing that still does not make sense to me. I have two-step verification. And the–the purpose of this is that is to protect against just the thing that Uber is saying happened to my account.

In theory, even if hackers got my password information from the dark web, they go to their Russian computers and their Russian cyber cafe, they login, and then they’re gonna get a message that says please enter the code. And so, and I would be getting a text to my phone saying, “Here’s your authentication code,” and I’d be like what in the world is going on here and then I would like sound the alarms. So this–that’s what I don’t understand. Like how, because I have two-step verification, how did somebody manage to do this from a remote computer?

PJ: I mean is the question you’re really asking just, is Uber lying basically? Like are they saying that they sent suspicious activity emails that they didn’t really send and they’re trying to cover their asses?

ALEX BLUMBERG: I don’t think Uber’s lying. But I want to  find out, can we determine, there’s gotta be somebody you can call in to make sure–to tell me if my account has been hacked or not. My Gmail account.

ALEX GOLDMAN: Alright.

PJ: And then, yeah–

ALEX BLUMBERG: And is it hacked still? Am I, at this very moment, pwned?

PJ/ALEX GOLDMAN: (laughing)

ALEX GOLDMAN: Alright. I’ll uh try to figure it out.

[MUSIC]

ALEX BLUMBERG: Alright.

ALEX GOLDMAN: (clears throat) Okay so it’s been a couple days. And I just sorta wanted to recap where we’re at.

ALEX BLUMBERG: Ok.

ALEX GOLDMAN: At first I thought that Uber had had some kind of data breach and your username and password had made it out into the world. And that does not appear to be the case. And then, I thought that maybe another account of yours got hacked from somewhere else and people used that username and password for your Uber, but that also seems unlikely.

And when I went to Uber, Uber told me that your Gmail account had probably been hacked. And so, uh, like I said, I’ve been looking into this and I don’t know what happened to your gmail.

PJ: (laughing)

ALEX BLUMBERG: Ok.

ALEX GOLDMAN: And in the past when tech support problems have gotten bigger than me– Or at least once, we brought in a ringer.

PJ: (gasps dramatically)

ALEX BLUMBERG: Ok.

PJ: Sort of like a super Alex Goldman.

ALEX GOLDMAN: He, yes. We brought in someone who is basically a super version of me. His name’s Dave Maynor. He is a security researcher, he lives in Atlanta, and I have him on the phone.

DAVE MAYNOR: Howdy!

ALEX BLUMBERG: Hey–

DAVE: How you guys doing?

ALEX BLUMBERG: Good. Hey Dave.

ALEX GOLDMAN: So Alex, I’ve already briefed Dave on what’s going on with you, so you can ask him any question you want.

ALEX BLUMBERG: So, that, my question is: Did someone take over my Gmail account? Um, and does somebody still have access to my Gmail, ’cause that would be scary. And–

DAVE: Well–

ALEX BLUMBERG: It doesn’t seem possible because I had two-factor auth–authentication.

DAVE: Let’s start with your questions. First of all, is it possible? Yes, this happens all the time.

The next step to–to kind of, narrow down this mystery, is to take a look at the access logs for your Gmail account and see if there is anything suspicious.

ALEX BLUMBERG: Ok, so where do I find the access logs?

DAVE: So, there is one where you can go to like this myaccount.google.com/device-activity.

ALEX BLUMBERG: (typing) Slash device, slash activity?

DAVE: Device DASH, uh activity. Like hyphen.

ALEX BLUMBERG: Alright. Yeah. Mac–and it’s got a bunch of Nassau, the Bahamas; Windows, the Bahamas.

PJ: Wait, Windows, the Bahamas?

ALEX GOLDMAN: Uh, it shows a windows machine, which Alex does not have, accessing his account from the Bahamas.

ALEX BLUMBERG: Oh–yeah, but no I did, ’cause, my dad had his, yes, no, my dad had his Microsoft tablet. So I tried to log on–that’s right, I tried to log on to a Google Docs thing. But my account was compromised three days or four days after I accessed the Surface. So it wasn’t like it happened right away.

DAVE: Well, so when you’re, when you’re a bad guy in the credential harvesting business, right, you’re getting a lot of information in at once, you gotta classify it.

ALEX BLUMBERG: Right, got it.

DAVE: And then you’ve got to sell it off to someone to make–uh, to, to use.

ALEX BLUMBERG: Right.

DAVE: So it’s not like it’s an instantaneous thing.

ALEX BLUMBERG: Got it. And how would they do that without him noticing?

DAVE: Well I mean–malware works in mysterious ways.

ALEX BLUMBERG: So it’s like, it’s in the background?

DAVE: Right.

ALEX BLUMBERG: I see. So it’s in the background, it’s running in the background, it’s mimicking … it’s mimicking an actual legitimate user accessing Gmail, accessing Gmail, even though it’s not showing up on the screen or anything.

DAVE: Right.

ALEX BLUMBERG: Gotcha. Alright let’s call my dad real fast.

[MUSIC]

PJ: Do we call… your dad’s name is Richard … Do we call him Mr. Blumberg?

ALEX BLUMBERG: (laughing) No you can call him Richard.

PJ: I don’t know if I can call him Richard.

ALEX BLUMBERG: (laughing) You can call him Richard.

PJ: I feel like I’m gonna call him Mr. Blumberg.

ALEX BLUMBERG: (laughing) Ok. [phone rings] Hello Dad?

RICHARD BLUMBERG: Hello!

ALEX GOLDMAN: Hi, Mr. Blumberg.

PJ: Hey, Mr. Blumberg.

ALEX BLUMBERG: (laughs) You guys both went for Mr..

PJ: (laughs)

ALEX BLUMBERG: I, I told told them to go with Richard.

RICHARD: If you’re gonna be PJ and Alex, I’m gonna be Richard.

ALEX GOLDMAN: So Alex caught … Richard up on everything that happened so far and explained that we wanted to check his tablet to see if that’s how the hackers got into Alex’s Uber account.

ALEX BLUMBERG: There was one time when I logged into my account that was on a computer that people say could have been–could have been compromised. And that is when I log–tried to log into my Gmail account from your … tablet.

RICHARD: Surface Pro.

ALEX BLUMBERG: Yes.

RICHARD: Yeah. Well I will say that sometime in the last few weeks, and it may have been when we were in the Bahamas, I got an email from, uh, Google saying that someone had tried to log into my–my Gmail account from a computer in … somewhere that I’d never been. I can’t remember where it was.

And, so I deauthorized that, I said, “No that’s not an authorized computer,” and then I went out and I changed my Gmail password immediately. You know, I haven’t used the Surface Pro since we, uh, got back from the Bahamas, but it had gotten so buggy, it’s gotten–it had slowed down so badly that I figured that–

ALEX BLUMBERG: Hmm.

RICHARD: I knew something–something was wrong with it.

ALEX BLUMBERG: Do you have a–did, did you have any malware, uh, detecting software on there?

ALEX GOLDMAN: A lot of Windows, uh, Windows devices come with something called Windows Defender.

RICHARD: Yeah, I think there is Windows Defender on that.

ALEX GOLDMAN: Ok.

ALEX BLUMBERG: Is there anyway to look at Windows Defender and see if there’s anything…?

RICHARD: Yeah, let me, let me get the Surface Pro and I’ll fire that up. [long pause] Ok. I got Windows Defender up.

ALEX GOLDMAN: So, I’m going to ask you to do a full scan, if you can do a full scan. The problem is that a full scan takes awhile.

[MUSIC]

RICHARD: Ok!

ALEX BLUMBERG: So what’s the verdict? Did it find anything?

RICHARD: “Scan completed on 718,851 items. No threats were detected on your PC during this scan.”

PJ: Interesting.

ALEX GOLDMAN: Hmmmm.

ALEX BLUMBERG: (laughs)

ALEX GOLDMAN: I’m legitimately so angry.

PJ: Why?

ALEX GOLDMAN: Like, I’m so frustrated by this.

PJ: Why?

ALEX GOLDMAN: Cause it’s just unanswerable.

ALEX BLUMBERG: (laughs)

PJ: It’s not unanswerable.

ALEX GOLDMAN: It’s obviously cannot be answered.

ALEX BLUMBERG: Uber was compromised. And they’re blaming it on me and my dad’s–my dad’s Surface Pro.

PJ: They found innocent, they found scapegoats in the Blumberg family.

ALEX BLUMBERG: (laughs)

RICHARD: (laughs)

ALEX BLUMBERG: Would Windows Defender definitely have found the spyware?

PJ: I mean–this is like, the default Windows antivirus program we’re talking about, so it totally could’ve missed something. I don’t know. The tablet still just feels like the most likely suspect to me. This stuff’s hard to actually say with any certainty. You know? It’s like trying to figure out who got you sick.

ALEX GOLDMAN: Kind of. I mean the virus analogy is actually very apt. It can make its way in from a million different places.

ALEX BLUMBERG: But if we were- if we–if we were just to backup some distance and look at this big picture: Uber, a multi-billion dollar company, employing I’m sure gazillions of cybersecurity experts to keep its data safe or the Blumberg family (laughs).

PJ: (laughs) Who are–

ALEX BLUMBERG: Yeah.

PJ: –sharp guys.

ALEX BLUMBERG: (laughs) But not very suspicious in general by nature.

PJ: (laughs)

ALEX BLUMBERG: Uh, yeah that probably, I guess that does seem to be probably where the breach occurred, much as I hate to admit it. Um, and, and we can’t- and it is–and it is troubling that we cannot find exactly–

ALEX GOLDMAN: It’s infuriating.

ALEX BLUMBERG: –where it came through.

ALEX GOLDMAN: And I’m not mad at you.

ALEX BLUMBERG: Yeah.

ALEX GOLDMAN: I’m mad at myself. I-I came here to super tech support you.

ALEX BLUMBERG: I know.

ALEX GOLDMAN: And at the end of this, I’ve got like a lot of best practices. It’s like, it’s like use a different password on every website, check out “Have I Been Pwned?” to see if your–your data’s out there. Um, always be super,super diligent, blaht-y blaht-y blaht-y blah. Still at the end of the day I have no idea what happened.

PJ: Can I tell you, can I tell you a story?

ALEX GOLDMAN: Sure.

PJ: My dad’s like a very good athlete and a former baseball coach. And we would play catch and like no matter how bad a ball I threw, he would always catch it. Like crazy bad throws. And so I got it in my head that he was invincible.

And then one day I took my favorite toy and went to the upstairs bathroom of our house, I threw it out the window at him (laughing) where he was like down on the patio below, and when it was like 3 feet from his head I was like, “Dad, catch!” And he jumped out of the way and my toy broke.

That’s sorta how I feel about you right now. “Like… we asked you to answer a question that is very hard to completely, 100 percent answer, and you did your best, and that’s just, really too bad.

[MUSIC]

ALEX BLUMBERG: (laughs)

ALEX GOLDMAN: I thought this was going to be a story that would be somehow inspiring.

PJ: (laughing)

ALEX GOLDMAN: Make me feel like not an abject failure.

PJ: You’re part of the human race.

ALEX BLUMBERG: You didn’t catch the toy.

PJ: You didn’t catch the toy. It’s shattered now.

RICHARD: Yup.

PJ: (laughs)

ALEX GOLDMAN: Listen Richard, thank you for indulging us on this.

ALEX BLUMBERG: Yeah.

RICHARD: Thank you.

ALEX BLUMBERG: Yeah, thanks Dad.

RICHARD: I’m sorry I couldn’t be of more help. But I’m glad that my, I’m glad (laughing) that I have no viruses on my tablet.

ALL: (laughing)

ALEX BLUMBERG: Alright Dad.

RICHARD BLUMBERG: Thank you guys.

ALEX GOLDMAN: Thanks.

RICHARD: Alex I love you.

ALEX BLUMBERG: Love you too.

RICHARD: I’ll see you all later.

ALEX BLUMBERG: Ok, bye.

ALEX GOLDMAN: Bye.

[MUSIC]

ALEX GOLDMAN: So I’m pretty sure that we got this one right. That Richard’s tablet is probably how hackers got access to Alex’s Uber account. But I’m willing to be that there are people out there who think that I am dead wrong.

So, if you are a person who believes that you have a better theory as to how this happened, or even just a different theory, email us at replyall@gimletmedia.com, use the subject line “Theory,” and we will take a look at it, and if it turns out that you’re right, I’ll send you a personal pan pizza.

Also, if you want to read about password managers or you want to go to haveibeenpwned.com, check out the description for this episode.

[CREDITS]

ALEX GOLDMAN: Reply All is hosted by PJ Vogt and me, Alex Goldman. Our show is produced by Sruthi Pinnamaneni, Phia Bennin, Chloe Prasinos, and Damiano Marchetti. We’re edited by Tim Howard and Jorge Just. We were mixed by Rick Kwan. Our theme music is by the mysterious Breakmaster Cylinder. Our ad music is by Bild Buildings. And the song at the end of the episode this week is Simplicity by MACROFORM. Our logo is by Matt Lubchansky. Fact-checking by Thom Cote.

Matt Lieber is four extra beers in the fridge that you forgot were even there.

You can visit our website at replyall.diamonds, and you can find more episodes of the show on iTunes or Spotify or wherever you personally decide you would like to listen to podcasts. Thanks for listening. We’ll see you next week!

[ADS]

View full transcript