In Germany, the sensitive data of many private citizens — including their banking info, online passwords and family photos — is far more easily accessible online than they imagined
Mr Maier was lucky. The money is still in his bank account, nobody used his Amazon account and no one has read his emails in his web.de inbox. Maier’s login data for 47 online platforms were made accessible to the public, without his consent or knowledge. Criminals could have extracted data from his private life or ruined him financially.
Maier’s real last name is indeed Maier and he is a retired resident of the state of Baden-Wurttemberg in southwest Germany. He doesn’t want to reveal anything else about his life for this article, though we already know what matters. His son had set up a private server for him, years ago. On his network drive, Maier stored family photos, old working papers, digital versions of his vinyl jazz record collection — and one Word document with encrypted login data for all of his online accounts. Among them: His bank account, Amazon, eBay, PayPal, three email accounts and an online pharmacy.
“My son is good with computers,” he says. “At least that’s what I’d thought.” As a matter of fact, the entire contents of his hard disk were online and freely accessible. Anyone could have retrieved them, without even needing a password. They were findable via Shodan, a search engine that indexes internet-connected machines such as routers, webcams and servers. That’s where we found Mr Maier’s data, and we contacted and warned him.
It’s hard to reconstruct how Maier ended up involuntarily revealing his whole digital life. His son, who has since moved to the United States, confirmed on the phone that he had set a password when he set up the server and had not left open any unnecessary ports that could have served as gateways into the home network. Those are, incidentally, the two most common mistakes people make, and as a result they invite strangers into their system.
Maier’s router is connected to a Synology DS212, an older server for private use. Such network storage devices (known as NAS, network-attached storage) can be found in hundreds of thousands of German households. Many people use them as backups of the hard disks on their workstations, or to store photos and videos in order to be able to access this data when on the move. Those who don’t want to entrust their data to one of the big cloud providers like Amazon, Dropbox, Google or Microsoft can install a NAS as a private and supposedly safe alternative. But apparently it isn’t always that safe.
We found sensitive data from dozens of people in Germany: private photos, videos, employer references, bills, an architect’s blueprints and extensive income tax declarations. One man, for instance, had stored the login data for 32 online services like Google, Amazon, eBay and his online banking in a Word document under the obvious title “ProviderUserPassword.docx”. The people affected use machines from big providers like Synology, QNAP or Zyxel. And yet, the companies cannot be held responsible, as most likely the errors were committed by the users during setup.
We were able to retrieve the data via the so-called File Transfer Protocol (FTP). FTP makes it possible to access hard disks over the internet, even from outside the local network. Companies and universities run FTP servers, and private network storage devices offer the service too. In theory, the transmission is supposed to be encrypted.
That’s also what a certain ship captain thought. The officer from the Ministry of Defence had set up a “My-Cloud” hard drive from Western Digital in his apartment. He stored his entire life on it, both private and professional. He used the small home server as a backup for his computer: Account statements, email passwords, data from family members and the CV of his daughter were open and accessible on the internet.
Among the working papers were scanned identity cards from the German army and a detailed agenda with meetings in the Ministry of Defence. None of these documents should have been public.
On the phone, the officer claimed he couldn’t know how the data was hacked, since access to the documents was secured by a password. When he understood that he had been mistaken, he immediately hung up.
Incomprehension, defensive reflexes, calls ending abruptly — that’s how many confrontations with affected people went for our team of reporters. The majority reacted with shock and concern, vowing to take all the necessary precautions and thankful for the warning.
Mr Maier has set up new passwords for the 47 websites listed in his Word document, checking each account for suspicious access. “I had more luck than wisdom,” he says.
From now on, a password manager will store all of his login data. “Now I don’t have to remember a single password on my own,” he says. “Maybe that’s better anyway, at my age.”
— Worldcrunch 2016, in partnership with Süddeutsche Zeitung/New York Times News Service.