The Woman Who Got Hacked Because Her Name Is Mercedes
How having a sought-after blog address can lead to trouble.
You always remember the first time you get hacked. I was left feeling idiotic back in 2012, when a worm took out thousands of Tumblr accounts including my own, and my Tumblr, Twitter, and Pinterest began posting spam ads for diet supplements over and over ("garcinia cambogia," I will forever doubt your fat-burning claims).
Phishing and link spam do the work for the hacker on a mass scale. But with Mercedes Beach, a New York-based graphic designer who recently had her Gmail and potentially all social media accounts attached to it hacked, it was a different story. It was a personal attack tailored just to her, a kind of social media noir story. The hacker was after only one thing: her Tumblr URL, mercedes.tumblr.com.
Beach first got suspicious early last Sunday, when she received emails from Instagram and Amazon reporting that someone was trying to access her accounts. It concerned her, but she was hungover and decided to deal with it later.
Then she received a phone call from a man with an English accent who said he was a Google employee. The caller ID read 650-253-0000, which she knew to have the area code for Mountain View, California. The caller said that he was going to send a verification code to her phone and asked her to read it out over the line. She opened the message, read out the numbers, and a second later the caller hung up.
What had been suspicion became a small panic attack. Beach remembered Google's two-step verification, and realised she'd just given hers away. She tried to access her Gmail and found that she'd been shut out. She started changing passwords to protect her Instagram, Facebook, Apple ID, and secondary email, an old account from college.
She was still logged into her old email when she received a message she later posted on Instagram:
Beach was being threatened from her own email.
She checked her Tumblr but found it had already been taken. The password had been changed, and the URL had already been altered to "mercedes-beach.tumblr.com." Seeing this, she replied asking for her email passwords back. The hacker complied, she changed all her passwords again, and they spoke no more.
"The URL was mercedes.tumblr.com—I understand that it could be potentially lucrative," Beach told me over Gchat. "Immediately after it was taken, the blog had a Mercedes Benz logo as the avatar and a picture of a yellow car in front of a scenic beach view. A '#Mercedes #ComingSoon' caption. Now it's down, but the URL is still under ownership."
An official Mercedes-Benz Tumblr already exists and seems to be doing well. It seems likely the person who stole Beach's Tumblr URL planned to try to sell it on somewhere, or use it for further deceit.
Though her Tumblr and its followers remain under a new name, the old address waits online, dormant, under the control of a usurper. It sounds like Beach was targeted thanks to her association with a brand name, a valuable tool for hackers who can spin "luxury internet" out of thin air and hide behind the trust it inspires.
The impression of exclusivity is powerful online, to the extent that a ".luxury" top-level domain name was introduced last year and snapped up by over 500 companies. Think back to every spam email you've ever received; how many offered Rolexes and designer products at a discount? Software has even been created to help identify unauthorised use of logos and other visual materials on websites: Counterfeit brand names appear on screen as much as they appear on cheap handbags.
Tumblr's community guidelines dictate that "usernames/URLs are meant for the use and enjoyment of all of our users. Don't squat, hoard, amass, accumulate, accrue, stockpile, rack up, buy, trade, sell, launder, invest in, ingest, get drunk on, cyber with, grope, or jealously guard Tumblr usernames/URLs."
And yet Tumblr URLs can be sold on at a profit to the right kind of idiot, even if the site's support can just as easily shut down the account once it begins to attract complaints. One such example appears on this blackhat forum thread: after buying an account for $500, the poster realises too late that the person they bought it from has likely contacted Tumblr claiming it was stolen, getting their blog back even as they make off with the money they were paid for it.
Beach has been checking in on her old account, waiting to see what happens next. She's still understandably annoyed, having started the blog back in 2008 and amassed some 970 followers.
The question of how someone could get in so quickly through her email remains, though it's likely there was a link somewhere in an old message and the password was "probably, definitely" the same as another account. She's waiting for a response from Tumblr.
Beach told me the whole episode took less than an hour, and her URL was taken within minutes of the mysterious phone call. "I did some research, too. The phone number I got a call from was 650-253-0000, which I looked up and is supposedly Google's official number." (It is: it's listed as the contact number for their California HQ.)
Myriad ways to spoof caller ID exist online, and it's certainly been done before. Beach told me she checked and there was no sign of anyone logging into Tumblr from a different IP address, but that could be concealed with the Tor anonymous browser or another proxy.
In the end, Beach blames the nature of the social web: "All my accounts and sites are interconnected. Facebook, Instagram, Tumblr, and personal website. My Tumblr links to my website… I'm realizing now that my web presence makes me vulnerable."
It's easy to pass through life online in blissful ignorance, giving away information in fragments in a bid to create a "personal brand." Like the bank statements we rip apart before we throw them in the bin, we give ourselves away in statuses, replies, and tweets, fragments which can be easily reassembled in the wrong hands.
In the face of personalised, highly coordinated attacks, all we can do is take as many precautions as possible—back up your blog, use a password manager, make up wholly random and unmemorable passwords for each site you use. Remain skeptical.
And if your name sounds anything like a household brand, you'd be advised to watch your back.