Debbie Crowell never ordered the iPhone, but thanks to a hacking group known as Lulzsec, she spent a good part of her Thursday morning trying to get $712.00 in charges reversed after someone broke into her Amazon account and ordered it.
"They even had me pay for one day shipping," she said.
Crowell is one of more than 62,000 people who must now change passwords and keep a close eye on their online accounts after Lulzsec posted their email addresses and passwords to the Internet. It's the latest escalation in a messy hacking rampage by the anarchic group that's caused damage at Sony, the US Public Broadcasting Service and even the CIA.
It's not clear where all of the Lulzsec email addresses and passwords came from. At least 12,000 of them, including Crowell's, were gathered from Writerspace.com, a discussion forum for readers and writers of mystery and romance novels. The site's technical staff is trying to figure out how they were stolen and is in the process of contacting victims, said Writerspace owner Cissy Hartley.
The 62,000 addresses and passwords belong to victims at large companies such as IBM, as well as in state and federal government. Affected agencies include the US Army, Navy and Air Force, the Federal Communications Commission, the National Highway Traffic Safety Administration, the Department of Veterans Affairs and the Coast Guard.
Unlike other hacking groups, Lulzsec doesn't seem to have much of an agenda, except to settle a few scores and cause as much chaos as possible. Lulz is hacker speak for the plural of "laugh out loud."
Soon after the accounts were posted, Lulzsec followers started to claim that they had accessed Facebook, Twitter and online gaming accounts. "I am now an level 85 human warrior on mal'ganis server," wrote one follower, called Miracle Joe, referring to a server used by World of Warcraft gamers.
"Got an Xbox Live, Paypal, Facebook, Twitter, YouTube THE WHOLE LOT! J-J-J-J-J-J-JACKPOT," wrote another follower, Niall Perks. The "idiot had the same password for everything," he later explained.
Others claimed that they'd chatted with friends of the victims or posted obscene photos or messages to their profile pages.
Crowell, a property assessment specialist, describes herself as a "boring old lady on the Internet." Though she knew better, she reused her passwords, including the one she used at both Amazon and Writerspace.com. "Everyone knows that everyone uses the same password for everything," she said. "You know what you're supposed to do, but do you do it?"
Crowell is right: most people do reuse their passwords, said E.J. Hilbert, a former FBI agent who is now president of fraud investigation company Online Intelligence. It's a bad habit that needs to change. "You need to use different passwords for different sites. Period. Across the board," he said.
In a sense, Crowell was lucky. The hackers didn't break into her email account. When that happens, things can become much worse, because hackers can often access the victim's other web accounts by claiming to have forgotten the password and asking for a new one to be sent via email.
There are often treasures in the victim's sent mailbox and archives. Old email messages often include personal information that can be used in further attacks, and a surprising percentage of email accounts also include nude or embarrassing photos.
Finally, criminals can use the email addresses to send malicious software to military and government employees, in what could be the first stage of a larger attack, Hilbert said. These targeted spear-phishing attacks are a big problem for the government and military contractors, and have become a standard way for hackers to break into secure systems over the past half decade.
"Government email addresses should not be used for non-governmental work, and if they are, there's a huge, huge problem," Hilbert said.
Although she knew she was making a mistake by reusing her password, Crowell was still "shocked" when she discovered the fraud. "It's one of the things that you hear about all the time, but you never think it'll happen to you."