Naked Security

Former hacker warns against password reuse

Kyle Milliken is back from jail, and he has some advice for you: Do. Not. Reuse. Your. Passwords.

Kyle Milliken is back from jail, and he has some advice for you.

The 30-year-old hacker from Arkansas, according to his blog, at age 17 began phishing celebrity Myspace accounts and using them to send internet marketing spam. After earning $5,000 per week, he evolved to hack millions of email, forum, and social media accounts. Some of his largest thefts included Disqus (17.5 million), Kickstarter (5.2 million) and Imgur (1.7 million). He also claims to have hit Twitter and Pinterest among many others.

Milliken used lists of login credentials to target accounts automatically, relying on the fact that many people reuse passwords across multiple online services. When he obtained access to an account, he could use it to send spam messages to all that account’s contacts.
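The technique just described, replaying leaked username/password lists against a site, has a recognisable shape from the defender's side: one source trying many distinct usernames with a low success rate, rather than one user fumbling one password. The following is an added example, not code from Naked Security or from the case it reports; the log format, IP addresses, usernames and timestamps are all constructed for the example, and the thresholds are assumptions to be tuned per site.

```python
"""Flagging credential-stuffing sources in an authentication log.

Added example for this article, not code from Naked Security or from
the case described. Replaying leaked username/password lists shows up
server-side as one source attempting many *distinct* usernames with a
low success rate; the log format and all addresses, names and
timestamps below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample log: <timestamp> <client-ip> login <username> <OK|FAIL>
SAMPLE_LOG = """\
2019-06-10T09:00:01Z 203.0.113.7 login alice FAIL
2019-06-10T09:00:02Z 203.0.113.7 login bob FAIL
2019-06-10T09:00:02Z 203.0.113.7 login carol FAIL
2019-06-10T09:00:03Z 203.0.113.7 login dave FAIL
2019-06-10T09:00:03Z 203.0.113.7 login erin OK
2019-06-10T09:00:04Z 203.0.113.7 login frank FAIL
2019-06-10T09:00:04Z 203.0.113.7 login grace FAIL
2019-06-10T09:00:05Z 203.0.113.7 login heidi FAIL
2019-06-10T09:01:10Z 198.51.100.4 login carol FAIL
2019-06-10T09:01:25Z 198.51.100.4 login carol FAIL
2019-06-10T09:01:40Z 198.51.100.4 login carol OK
2019-06-10T09:02:00Z 192.0.2.9 login ivan FAIL
2019-06-10T09:02:01Z 192.0.2.9 login judy FAIL
2019-06-10T09:02:02Z 192.0.2.9 login mallory FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (\S+) (OK|FAIL)$")


def parse_log(lines):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the scan
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "OK"


def find_stuffing_sources(lines, min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: stats} for sources that look like list replay.

    A legitimate user mistyping a password hits one account many times;
    a stuffing run hits many accounts a few times each and mostly fails.
    The two thresholds are assumed starting points, not published values.
    """
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for _, ip, user, ok in parse_log(lines):
        s = stats[ip]
        s["attempts"] += 1
        s["successes"] += ok
        s["users"].add(user)

    flagged = {}
    for ip, s in stats.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "successes": s["successes"],
                "success_rate": round(rate, 3),
            }
    return flagged


def accounts_to_reset(lines, flagged_ips):
    """Accounts a flagged source actually got into: the reused-password
    victims who need a forced reset and a notification."""
    return {user for _, ip, user, ok in parse_log(lines) if ok and ip in flagged_ips}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = find_stuffing_sources(lines)
    for ip, s in hits.items():
        print(f"{ip}: {s['distinct_users']} users, {s['attempts']} attempts, "
              f"{s['successes']} successes")
    print("reset:", sorted(accounts_to_reset(lines, hits)))
```

On the constructed log only 203.0.113.7 is flagged: eight usernames, one success. The legitimate user retrying one account (198.51.100.4) is not, and the three-account probe from 192.0.2.9 only shows up if the distinct-user threshold is lowered. The one successful login from the flagged source is exactly the reused-password victim the article is warning about, so it is returned separately for a reset.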

He accessed account credentials in numerous ways, including hijacking Yahoo session cookies so that he could spam from users’ accounts, and, in the case of Disqus, by compromising a site developer’s GitHub account and getting at access credentials to its online database.

By the end of his run, he had 168 million login credentials and had earned around $1.4 million. He cooperated with the FBI, gave up a black hat colleague, and received a 17-month prison term in a federal work camp.

Milliken’s own poor security was what undid him. He hacked his targets via a hosted server that he rented under an alias, and always accessed it via a VPN to protect his IP. When he hacked Disqus, he forgot to use the VPN, and in 2014 the FBI caught him.

He was released last week and told ZDNet in an interview that the thing that helped him most was password reuse. He said:

The reuse of login credentials in my opinion is the greatest security flaw that we have today.

The advice for users of online services remains the same. First, use a password manager that automatically generates and stores strong passwords for each account you create. Second, where possible, turn on multi-factor authentication (MFA) for the sites you visit. This could involve SMS verification or, more secure still, a mobile app like Google Authenticator. Milliken told ZDNet that he “despised” this security measure, adding:

I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me. I was logging into millions of email accounts and really causing havoc with my contact mail spamming.

Why is Milliken giving this advice in interviews now? He claims to be rehabilitated and wants to start a career as a white hat hacker:

He also apologised to former Kickstarter VP of data, Fred Benenson, who had lamented the Kickstarter hack on Twitter:

Milliken won’t be the first former black hat to seek employment in the cybersecurity field. Other criminal hackers turned white hats include Hector Monsegur (Sabu), co-founder of the LulzSec hacking group, who cooperated with the FBI after his arrest and now works for Rhino Security Labs.

Another LulzSec co-founder, Mustafa Al-Bassam, went on to work for payments and cybersecurity company Secure Trading and is now a PhD student at UCL. Michael Calce, aka Mafiaboy, teamed up with HP to make a cybersecurity documentary after getting out of jail, while Kevin Mitnick, arrested in 1995 after a long hacking career, is now “chief hacking officer” at KnowBe4.
