
Unmasked: The Mystery Hacker Who Stole Data on 168 Million People


It was a king-sized cybercrime whodunnit. And now, the culprit is finally coming forward.

Photo Illustration by Sarah Rogers/The Daily Beast

The FBI has quietly solved a rash of bulk database thefts that affected 168 million users of some of the internet’s most popular websites, The Daily Beast has learned.

The culprit in the breaches is a 28-year-old Arkansas man named Kyle Milliken, who, along with colleagues, stole email addresses and account passwords to feed a lucrative and hugely annoying spam operation that ran from 2010 to 2014.

Last month Milliken was sentenced to 17 months at a federal work camp—a sentence lightened by his cooperation with the FBI. He’s set to begin his sentence on May 24. His case remains under seal in federal court in San Jose, California, and with it the remarkable story of a high school dropout from rural Arkansas who rode a wave of hacking and spam to the pinnacle of California high life, until a moment of carelessness reversed his fortunes overnight.


Milliken’s prison sentence comes as Facebook’s privacy issues are putting a spotlight on the precariousness of individual privacy in an era when every click of a mouse can disclose something personal. For every high-profile data spill like Facebook’s, which affected as many as 87 million users, there are countless more that escape public notice, either because the company that lost the data doesn’t know it or because it chose to keep the breach secret.

“There are hundreds if not thousands of databases that haven’t been disclosed,” said Milliken. “Fifty, sixty, seventy percent of these haven’t been reported. For the most part, people sweep it under the rug.”

While there are various uses for bulk consumer data, Milliken’s was prosaic. According to interviews with Milliken and case documents seen by The Daily Beast, the hacker was among the first to perfect an insidious underground innovation called “contact spamming.” Milliken used automated tools to rapidly take over the email and social media accounts of real people, then blast out messages to all their friends, primarily pushing work-at-home opportunities and miracle diet products—the kind of stuff that gets flogged on daytime TV.

“I sold pretty much everything Dr. Oz was saying was good,” said Milliken. “Garcinia cambogia, green coffee beans, raspberry ketones.”

Some of his spam campaigns drew widespread attention at the time, even as the perpetrator remained a mystery. In January 2013 he exploited a security hole discovered by another spammer to hack 5 million Yahoo accounts in three days, sending, by his count, more than 25 million emails that earned him nearly $30,000 in commissions.

In separate campaigns in 2011 and 2014, he compromised thousands of Twitter accounts at once to spew out work-at-home and diet spam, respectively. The 2014 effort swept in celebrities and politicians, adding a mass audience and the imprimatur of legitimacy to come-ons like “I couldn’t believe it when I lost 6lbs!” and “I lost 13 pounds in 3 weeks, I feel amazing!” The security firm Symantec analyzed the campaign. “It is still unclear how the spammers compromised these Twitter accounts,” the company wrote at the time.


Other thefts remained a secret for years, until the free breach-alert service Have I Been Pwned received a haul of Milliken’s stolen information from an anonymous source last fall. “It’s pretty common for someone to pop out of the woodwork and say, ‘I’ve got some data,’” said site operator Troy Hunt. “What was unusual about this is it came with about half a dozen pretty large breaches we’ve never seen before.”

The secret of Milliken’s success is a sloppy security practice we’ve all been guilty of at one time or another: using the same password at multiple websites. Instead of trying to vault the formidable defenses at Twitter or Facebook, Milliken and his crew would target specialty sites like ReverbNation, Kickstarter, and the image sharing social network We Heart It—anywhere he might find poorly protected user passwords, preferably unencrypted, and the corresponding email addresses. Some percentage of them would inevitably unlock the victim’s accounts at other websites better suited for spamming.

Such databases are passed around like trading cards in the computer underground, where hackers and spammers work out swaps, sales, or profit-sharing deals. Milliken’s biggest data hauls came from the image sharing site Imgur, where he scored 1.7 million user accounts; the crowdfunding site Kickstarter, where he got 5.2 million user names and encrypted passwords; and the message board platform Disqus, which yielded data on 17.5 million users. In some hacks, like Kickstarter, the victim company detected the theft and broadly warned users. In others, including Imgur and Disqus, the companies and their users didn’t find out until years later.

Daniel Ha, CEO of Disqus, said the FBI alerted his company to a breach of Disqus’ code repository in 2014, but the feds described it as limited in scope and assured him that no data was taken.

“Our team was given a courtesy reach out from the investigators on that case letting them know that the individual had accessed a repository containing our code,” he said. “They said they had no reason to believe that anything else was done or taken.”

The FBI didn’t immediately respond to an inquiry for this story on Wednesday.

In recent months Disqus also received updates from the government about the prosecution of the perpetrator, but those also said nothing about stolen user data, Ha added.

By his account, Disqus learned about the theft of user information only last October, when Hunt reached out with the leaked copy. At that point Disqus immediately started contacting the exposed users and changed all 17.5 million passwords, some four years after they were stolen.

Milliken grew up in and around Little Rock, Arkansas. After his parents divorced when he was 9, he lived with his mother during the week and spent weekends with his father. Though he was bright, by his own description he was a “troubled kid” who abused drugs and felt unchallenged at school. He failed out of high school in the ninth grade, later earning his GED at a National Guard boot camp for at-risk youth.

His run-ins with the law started early. At 18 he drew a four-year suspended sentence for aggravated assault, and a year later got five years’ probation for burglarizing cars. Milliken said his surroundings were a factor. “There was nothing here but either drugs or going to jail, or working on a factory or farm,” Milliken said. “There was nothing to do, you’re fresh out of school and don’t know what’s what.”

He found more stable footing online. Milliken formed lasting friendships on AOL when he was 12 years old, and he later haunted MySpace. That’s where the siren song of junk email first called to him.

MySpace message boards were rife with scammy offers of free ringtones and retail gift cards. Depending on the spam, a user who clicked might be taken to a questionnaire used to build targeting lists for further marketing, or tricked into installing adware.

Milliken was intrigued. He began studying the affiliate marketing programs that made the MySpace spamming profitable: Companies were paying a cash commission—as little as $1, as much as $12—every time someone clicked on an affiliate’s link and fell for the pitch. And it was an industry that tended to follow a no-questions-asked policy about how the clicks came in. Milliken was 17 years old and earning minimum wage at a local pet shop. He sensed a better opportunity in spam.

Courtesy of Kyle Milliken

With some help from a friend with coding skills, he engineered his own campaign propelled by a self-propagating phishing attack, he says. He started by targeting about 300 celebrities with MySpace accounts, tricking them with a fake MySpace login page that would pass their password to Milliken. Then he used clever coding to turn the hacked MySpace profile into a carrier: Everyone who clicked on the compromised profile would be directed to the fake login page prompting them for their password. If they fell for it, their profile was infected with the same phishing code, ad infinitum. Before he was done, Milliken was harvesting 20,000 to 50,000 MySpace accounts each day, he said, and using them all to push spam.

The scam earned him $5,000 in a week and set him on his new career path. He dropped the pet store gig and ran more campaigns, eventually saving enough money to decamp to Florida and rent a spacious house with two friends from his AOL days who were also getting into affiliate marketing. In 2010 he moved once more to California to live with a girl he’d met online, upping his spam game to keep pace with the higher cost of living in Los Angeles. He was making contacts in the Russian underground, doing deals, partying at the annual affiliate marketing convention in Las Vegas, and hacking in earnest.

Contact spam required a steady supply of databases with consumer passwords. Sometimes he worked out profit-sharing deals with a particular Russian who seemed to have an endless supply. “I used to ask him for certain ISPs. He would just break me off a batch of 5 million,” Milliken recalled.

On other occasions he hit his own targets. The databases varied in quality. Email addresses were plentiful, but savvy companies knew to “hash” customer passwords, effectively scrambling them. Sometimes that rendered them useless, but older hashing algorithms crumble against the right attack.
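The two weaknesses the article describes, password reuse across sites and stored passwords that are hashed weakly or not at all, compound each other: if two leaked databases store the same password under an unsalted fast hash, the identical hash values alone reveal the reuse. The following is an added illustration, not code from the article or from any of the companies named in it. The two "site" databases, the email addresses and the passwords are constructed; `legacy_hash` stands in for the older unsalted schemes the article refers to, and `kdf_hash` shows the salted, deliberately slow alternative (scrypt from Python's standard library).

```python
"""Unsalted fast hashes versus a salted, slow KDF for stored passwords.
Added illustration; all users, passwords and sites below are constructed."""
import hashlib
import hmac
import os

# Constructed dumps from two unrelated sites. One user reused a password.
SITE_A = {"alice@example.com": "correct horse", "bob@example.com": "hunter2"}
SITE_B = {"bob@example.com": "hunter2", "carol@example.com": "letmein"}


def legacy_hash(password):
    """Unsalted MD5: the same password always yields the same digest,
    and the digest is cheap to compute, so leaked dumps are easy to
    cross-reference and to attack offline."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_hash(password, salt=b""):
    """Salted scrypt. A fresh random salt per user means equal passwords
    produce unequal stored values; the work factor (n, r, p) makes each
    guess expensive. Returns (salt, derived_key) for storage."""
    if not salt:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=2 ** 14, r=8, p=1, dklen=32)
    return salt, key


def verify_kdf(password, salt, key):
    """Constant-time comparison against the stored (salt, key) pair."""
    return hmac.compare_digest(kdf_hash(password, salt)[1], key)


def cross_site_matches(db_a, db_b, hasher):
    """Emails whose stored value is identical in both dumps.
    With an unsalted hash this exposes password reuse without ever
    recovering a single password; with per-user salts it finds nothing."""
    hashed_a = {email: hasher(pw) for email, pw in db_a.items()}
    hashed_b = {email: hasher(pw) for email, pw in db_b.items()}
    return sorted(e for e in hashed_a
                  if e in hashed_b and hashed_a[e] == hashed_b[e])


if __name__ == "__main__":
    print("reuse visible under unsalted MD5:",
          cross_site_matches(SITE_A, SITE_B, legacy_hash))
    print("reuse visible under salted scrypt:",
          cross_site_matches(SITE_A, SITE_B, lambda pw: kdf_hash(pw)[1]))
```

Run as written, the legacy comparison names the reusing account while the scrypt comparison returns an empty list, because each stored value carries its own random salt. The salt is not secret and is stored alongside the key; what protects the password is the per-user uniqueness plus the cost of each guess.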

By January 2014, Milliken was living in a $2 million home behind the gates of a 25,000-square-foot estate in the Burbank Hills. His spam was paying the rent and, he said, a private chef and a personal driver, because Los Angeles traffic freaked him out. That’s when he finally pulled one hack too many.

Milliken was targeting Disqus, a San Francisco-based message board company with a huge user base. He started by looking at Disqus developers with accounts on the code repository site GitHub, running them one by one through his database collection. He scored a hit on one of the company’s programmers, logged into the man’s GitHub account, and downloaded Disqus’ code.

Inside he found what he was looking for: hard-coded credentials for Disqus’ Amazon cloud, where the company’s files were stored. He logged on and downloaded a database of at least 17.5 million people, their usernames, email addresses, and hashed passwords.
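Credentials committed to source code are what turned a single developer's compromised account into a bulk data theft. The standard countermeasure is to scan repositories for them before (and after) they are pushed. Below is an added example of such a scanner, not code from the article, from Disqus, or from any existing tool. The sample source file is constructed; the access key ID uses the documented AWS prefix with a fake suffix, the secret key value is the placeholder from AWS's own documentation, and the entropy threshold is an assumption chosen to separate real-looking secrets from placeholders such as "changeme".

```python
"""Scan source text for hard-coded cloud credentials and other secrets.
Added example; the sample file and all credential values are constructed."""
import math
import re
from collections import Counter

# Constructed sample of the kind of file the scanner is meant to catch.
SAMPLE_SOURCE = '''\
import boto3

AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
API_TOKEN = "x7Qp9vLm2Rt4Ws8Zk1Jf"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# (kind, regex). The AKIA/ASIA prefix plus 16 uppercase alphanumerics is
# AWS's published access key ID format; secret keys are 40 base64-like chars.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key", re.compile(
        r"""(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*["']([A-Za-z0-9/+=]{40})["']""")),
    # Generic assignments of password/token-like names to quoted literals.
    ("generic_secret", re.compile(
        r"""(?i)(?:password|passwd|token|api[_-]?key)\s*[=:]\s*["']([^"']{8,})["']""")),
]


def shannon_entropy(s):
    """Bits per character; low values suggest a placeholder, not a secret."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Never echo the full secret into scanner output or logs."""
    return value[:4] + "..." + value[-4:]


def scan_source(text, min_entropy=3.0):
    """Return (line_number, kind, masked_value) for each finding.
    min_entropy (assumed threshold) is applied only to generic matches,
    since the AWS patterns are already specific enough."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "generic_secret" and shannon_entropy(value) < min_entropy:
                continue  # e.g. "changeme": almost certainly a placeholder
            findings.append((lineno, kind, mask(value)))
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} -> {masked}")
```

The scanner reports the access key ID, the secret key and the high-entropy token, and skips the low-entropy "changeme" placeholder. In practice the same check runs as a pre-commit hook and over the full history of a repository, because a secret that was committed and later deleted is still recoverable from old revisions; a finding should trigger rotation of the credential, not just removal of the line.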

Then he realized he’d forgotten a step.


He’d staged the hack through a server he’d rented under an alias at a Colorado data center. For security, it was his practice only to connect to that server through an anonymous VPN in Turkey, so his home IP address wouldn’t show up in any logs. But in a slip that’s tripped up hackers since time immemorial, on this occasion he forgot to use the VPN.

“I missed my jump,” he said. “I knew that was it, right there.”

The feds sometimes move slowly, but they move, and in July 2014 Milliken was awakened with a jolt just after 5 a.m. by the sound of a flash-bang grenade going off in his guesthouse. When he walked into his living room to check out the noise, he was met by an armed FBI tactical team.

“Do you know why we’re here?” one agent asked.

“Well you’re not here for a fucking barbecue,” he replied, according to a blog post he later wrote about the raid.

Milliken decided to cooperate. He gave up a friend he’d been working with, and the U.S. attorney’s office in Silicon Valley filed charges against both men under seal so that word of their arrests wouldn’t reach potential targets in the underground. They found out anyway, said Milliken. “After I got raided, I was basically shunned by everybody.”

Milliken moved back home to his mom’s house in Arkansas, where he’s now preparing for his prison term. In all he’d earned about $1.4 million from his hacking and spamming. But he says he’s not interested in returning to that life. A probation office report prepared for his judge recommended a reduced sentence, noting that Milliken stayed out of trouble after the FBI raid, passed all of his drug tests while on pretrial release, and accepted responsibility for his crimes. The one note of caution was the observation that Milliken “presents himself with a sense of entitlement and questions authority.”

Milliken said that when he gets out of jail he hopes to work as a computer security consultant and maybe even start his own company, using his experience in a positive way. If that doesn’t work out? “I may trade cryptocurrency,” he said.