Ask HN: Have you ever been hacked?

10 points by redxblood almost 11 years ago
Have you experienced hacking? (as a victim or perpetrator)

12 comments

sp4rki almost 11 years ago
I used to be very into the hacking, software cracking and reverse engineering scenes when I was a teen – spending my nights discussing Softice cracking methodologies, scripting telnet fingerprinting utilities, and other trivialities in IRC while taking care of FXPing releases all night.

One day my mom's email stopped working, so I contacted a CSR for the ISP. After 2 hours of being passed around to their highest level of tech support and explaining that she signed up for some shitty extra antivirus service some time before and that her actual email was probably aliased to an account on the special antivirus server, they kept insisting the account didn't exist and that I was lying. I tried to explain that it was almost a given that the alias just got deleted by someone doing clean-up too many times and I lost all patience. I dedicated all night to gaining access to their mail servers and getting my mom's account back up.

I documented everything and the next day I went over and talked to their head engineer. I explained everything while sitting at a computer in his office proving the hack. I got a free lunch and 3 months of free internet service out of it. I was also called in a month later to corroborate the vulnerability was patched.

Two or three weeks later I got suspended from school for stealing some exams from the teachers' shares in their "private" network. I covered my tracks, but a girl in the computer room at the time accused me of doing "something fishy" and I was caught with a floppy that contained the exams. That drama took the better part of the month and included my lawyer (my uncle doing me a favor) making incredible legal threats. I almost failed that quarter, but I did get off mostly unpunished.

I do development and specialize in security and risk assessment these days. It's nowhere as fun as it used to be in the early 90's.

thegeomaster almost 11 years ago
I can't recall having been hacked personally (I did some fooling around on a public network in my ex-dorm, was fun), but I recall that the local government's anti-cyber crime division's website was owned. It was a fail of epic proportions. Someone found an old Joomla! exploit (a simple SQLi attack on a forgotten password form) and changed the credentials to admin:admin.

It was a big scandal in the news and the police, as scapegoats, arrested two 19-year-olds who just happened to log in with admin:admin and actually leave their names on the front page of the website. The fuckers weren't able to catch *anyone* besides them, let alone the original perpetrator. The guys were fined and I think they actually got a short jail sentence.

I once ran a public web server on a No-IP domain, and my lighttpd logs were *full* of hundreds and hundreds of probes (I assume all automated) for some common exploits and security holes. I had some script kiddies attempt to sneak in SQL injection attacks (I was using MongoDB so they were out of luck) and even try some stupid shit like entering '>exec("echo 1"); into my forms (to this day I'm not sure what that was supposed to do) and whatnot.

junto almost 11 years ago
I installed a new DigitalOcean VPS instance with the Wordpress app install image. I hadn't yet run the Wordpress install because I ran out of time that evening so I powered down the instance because I knew that the install wasn't secure.

I had made a few tweaks to the server (SSH setup, etc) so I took a snapshot and went to bed.

I did not realise, but the snapshot process restarted the server after completion. The next time I came back to the server I had a Polish Wordpress blog. Luckily I had mis-configured the permissions and you were unable to install any plugins, so not much damage could be done.

Still, please be aware that snapshots on Digital Ocean restart the server after completion!

blueflow almost 11 years ago
I'm not aware of cases where someone used my authentication without my knowledge.

And doing... never something professional. Some scriptkiddie stuff in my younger years, expanding privileges in our school systems or experimenting with SQL injections on an (accidentally) unprotected site. Just messing things up and trying what is possible to do. And copying the lecturer's scripts from an encrypted USB drive while it was mounted (kind of trojan? just a program which does its job and removes itself).

And I used a keylogger to get access to a classmate's Facebook account, and every time he defaced someone's fb (he was one of the guys checking every PC in the lab for logged-in fb accounts) I did the same to him. I'm not very proud of this.

thyrsus almost 11 years ago
Of course, we've all been hacked by the NSA and others, but outside of state actors:

Many years before Dropbox, my brother wanted to send me some photos, but couldn't tell me his IP address - otherwise I would have restricted the clients to there. I went ahead and turned on an FTP server and an account for him on my home "server", and told iptables to let anything into that, then forgot to turn it off when he was finished.

The FTP server turned out to have a bug which allowed unauthenticated access, and someone started running the eggdrop IRC server on my system, using /dev/shm as their home directory and who knows what else.

I'm not aware of any other non-state sponsored violations of my personal computing resources.

scottlocklin almost 11 years ago
I got pwned by an ssh trojan when using an io.com shell account back in 2002/2003. Because I was a trusting soul, I had used my shell account to log into a local music enthusiast board (where I ran an elist and fooled around with zope and stuff) and my workstation at a government lab. It came to my attention via ... the NSA monitoring of my government lab workstation (it wasn't a secure lab, thankfully). The FBI got involved, and the guy who ran the local music thingee ended up spending almost a week cleaning shit up. There was an arrest; it was some kid. It was one of the single most embarrassing things that ever happened to me, in a lifetime of embarrassing things. It was also unpleasant and extremely time-consuming. I don't recommend it.

stevekemp almost 11 years ago
Once upon a time I was given an account on a host which was publicly accessible over the internet.

I was told "OK your username is 'steve', your password is 'steve'". Between the time it was created and the time I logged in for the first time it had been compromised via a dictionary-attack.

I know these things happen constantly, but I was pretty surprised at the sheer bad luck and timing involved.

Otherwise I worked at a hosting company for many years, and clients would frequently get compromised. Largely as a result of outdated wordpress/magento/drupal installations. (Sometimes dictionary attacks too, but largely it was outdated web applications allowing remote code-execution.)

binarymax almost 11 years ago
A bit of both :)

For the latter my intentions were strictly prank, and I was young and stupid. Basically it was just messing around in the high school computer lab. We changed what time the bell rang, and put some nonsense meals on the lunch menu. I was banned from the lab for my senior year :)

For the former, my static homepage was hacked last year, because the root of the VPS was hacked. I had been using the provider for about 12 years, and they had some old IIS and classic asp still running on the box! They injected some classic asp into my page to point to a fake Rolex sales site.

That was fun.

cven714 almost 11 years ago
Back when Diablo III had a real money market, someone gained access to my account and locked me out. I hadn't played in a while, so they could have been using my character for a month or two. I worked with Blizzard to regain my account (surprisingly pain-free process), and logged on to find my old character fully leveled, extremely well-equipped, and wealthy. I never got to thank the guy, so instead I told all of the new friends I had on my contact list to thank him for me. They didn't like that.

nasmorn almost 11 years ago
My coworker supports lots of old Joomla installations and they get hacked every other week. Usually the .htaccess redirects people to porn sites or they insert SEO spam. I don't know how he copes with it.

ig1 almost 11 years ago
Pretty much everyone has been hacked; it's more a question of whether they realize it or not.

jqm almost 11 years ago
I haven't, but the guy whose account I am posting this from has been.

(kidding!)