Disqus & Kickstarter hacker warns against password reuse


A hacker who made a fortune by breaking into people’s accounts and posting spam on their behalf is now warning users against password reuse.

Kyle Milliken, a 29-year-old Arkansas man, was released last week from a federal work camp. He served 17 months for hacking into the servers of several companies and stealing their user databases.

Some of the victims included Disqus, from where he stole 17.5 million user records, Kickstarter, from where he took 5.2 million records, and Imgur, with 1.7 million records.

For years, Milliken and his partners operated by using the credentials stolen from other companies to break into more lucrative accounts on other services.

If users had reused their passwords, Milliken would access their email inboxes, Facebook, Twitter, or Myspace accounts, and post spam promoting various products and services.

From 2010 to 2014, Milliken and his colleagues operated a successful spam campaign using this simple scheme, making more than $1.4 million in profits, and living the high life.

Authorities eventually caught up with the hacker. He was arrested in 2014, and collaborated with authorities for the next years, until last year, when it leaked that he was collaborating with authorities and was blackballed on the cybercrime underground.

A white-hat career

Now, Milliken is out and looking for a new life. But this time he’s not interested in breaking the law. In an interview with ZDNet last week, Milliken said he’s planning to go back to school and then start a career in cyber-security.

“Right now I’m going back to the basics and studying for every possible security certification,” Milliken said. “Being a 16 year old high school dropout without any formal education I had to reverse engineer and teach myself everything that I know about cybersecurity.

“There’s a few gaps that I need to close that I wasn’t concerned about while I was in the midst of my hacking and spamming career.”

What kind of career, he’s not yet decided, but Milliken won’t be the first former hacker to switch sides. Many have done so before him, with the most (in)famous case being Hector “Sabu” Monsegur, a former member of the LulzSec hacking crew, who’s now a full time employee for Rhino Security Labs, a leading cloud security pen-testing firm.

An apology

But in the meantime, Milliken has also been making amends and showing everyone he’s ready to turn a new leaf. For starters, he publicly apologized to the Kickstarter CEO on Twitter.

“I’ve had a lot of time to reflect and see things from a different perspective,” Milliken told ZDNet. “When you’re hacking or have an objective to dump a database, you don’t think about who’s on the other end. There’s a lot of talented people, a ton of work, and even more money that goes into creating a company.

“I never imagined the type of chaos a security breach would cause for all of the people who work so hard and take pride in building their company. In the moment these aren’t things that you’re thinking about. That being said there’s a bit of remorse for putting these people through cyber hell.”

Password reuse

But while Milliken is getting his new life in order, he’s also sharing some advice with the other people who he hacked in the past — namely regular users.

His advice is simple. Stop reusing passwords and enable two-factor authentication (2FA).

If someone would have given this advice to users while Milliken was still active, back in the day, he would have been way less successful.

However, Milliken was active in a day and age when hackers hadn’t yet made a mess of the internet. Back then, it was normal for users to reuse passwords, and it wasn’t a frowned upon practice as it’s today.

Since then, billions of user credentials have been dumped in the public domain and are available to all hackers all over the world. Most hackers have access to services that sell organized records for any user, showing all the passwords a potential target might have used used in the past. This puts almost anyone engaging in password reuse in danger of having their accounts taken over.

“The reuse of login credentials in my opinion is the greatest security flaw that we have today,” Milliken said. “When I was hacking I had my own personal collection of databases that I could easily search for a company’s email and parse all of the data.

“It only takes one employee to reuse the same password to have potential access to hack everything that you’re looking for.

“Not only is the reuse of login credentials a huge vulnerability, but even using the same pattern of passwords is a huge mistake,” Milliken added. “For instance, say your login credentials are in multiple databases and your password for Google is ‘KyleGm1!’ and for Twitter it’s ‘KyleTw1!’.

“With this information we know your password for Facebook is more than likely ‘KyleFb1!’,” he said.

“Now that there are billions of records leaked from thousands of websites it’s even easier for anyone to breach almost any company or website out there.”

Two-factor authentication

Milliken said that password reuse could be corrected by better training, but there’s also one security feature that made his life as a hacker a living hell.

“The one that I despised was the 2FA,” the former hacker said, “SMS verification specifically.

“I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me. I was logging into millions of email accounts and really causing havoc with my contact mail spamming.”

But while it’s highly unlikely that these companies added 2FA support because of Milliken, one thing is known to be true. Both Google and Microsoft love 2FA and have constantly recommended it to their users.

Back in May, Google said that users who added a recovery phone number to their accounts (and indirectly enabled SMS-based 2FA) were also improving their account security.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.

Last month, Microsoft echoed the same advice, revealing that using a multi-factor authentication (MFA) solution usually ends up blocking 99.9% of all account hacks on its platform.

Hearing the same thing from Milliken, a former hacker who once used to take advantage of users reusing password and admitted to being stopped because of 2FA, sure puts this advice and its effectiveness in a new light. Maybe, for once, users should take it seriously.