The Get
Karim Baratov on life after email hacking

By Rosemary Counter

Rosemary Counter is a Toronto-based writer and journalist whose reporting and essays have appeared in The New York Times, Vanity Fair, The Guardian and others.

For this week’s MVP, we’re chatting with Karim Baratov.

Karim Baratov has not hacked a single email for many years, but he could if he wanted to, notes the former “hacker for hire.” Most of us do the bare minimum for digital privacy protection—many people still use the same password across multiple platform accounts, for example. Baratov figured out how to access others’ email accounts at just 13, when he broke into his father’s email (at the request of his mother), and before long was selling the service for a hundred bucks a pop. 

By 18, Baratov was driving around Ancaster, Ont., in flashy cars (he started with Mercedes, later Lamborghini, Porsche and Aston Martin), and by 20, he bought his first house, after his father suggested he invest more prudently. 

The high life didn’t last long. Caught up in the Yahoo! security breach, Baratov was arrested in March 2017, indicted for hacking and wire fraud, and promptly pled guilty. Baratov was sentenced to five years plus a fine of $250,000. He spent his time in prison turning his life around. Back at home now in Ancaster, he’s dedicated to health and fitness and stays away from computers whenever he can. 

That said, he still knows more about hacking and digital safety than most of us, so we went straight to Baratov to ask how and why he did it, why he’s not doing it anymore, and how you can protect yourself from hackers like the one he used to be. 

You wrote a book called Disconnected: A Memoir of the Yahoo Hacker. Why did you decide to tell all? 

After I was arrested, I tried to keep my mind occupied and do something productive. I’ve read newspaper articles and watched news stories that speculated I hacked the 2016 election or exposed Hillary Clinton’s emails. Some thought I was a KGB agent sent by Putin, and others thought I was just stealing millions from the banks. I wasn’t doing any of that, and I knew eventually I’d have to explain exactly what happened. I tried to capture everything while it was fresh and started by documenting exactly what was happening. I mailed my notes home. And as soon as I got released, I pulled them out and got to work. 

What drew you into hacking when you were just 13?

I always wanted to possess a skill that was rare and couldn’t just be learned by anyone. As a kid, the idea of hacking was equivalent to having a superpower. When I was seven, I saw my dad install an antivirus on his laptop and asked him what it was for. He said it was to protect himself against hackers, so I asked what hackers were. He described them as geniuses who were so skilled in computers and could think outside the box on such a level that they could basically do anything they wanted with just a click of a button. I knew it wasn’t something you could learn in school and I was always into technology, so hacking really intrigued me. I was just constantly reading and putting my own knowledge together.

When, if ever, did you feel like you were doing anything wrong?

At 13 years old, I didn’t understand life enough to realize that revealing certain information does more bad than good. My first client, though I obviously didn’t charge her, was my mom. She was jealous, and having access to my dad’s account—who’s an honest man—gave her inner peace of mind and helped her sleep better at night. As a kid, in my mind, I was like a vigilante helping people find out the truth. My clients were curious about whether their spouse was faithful or what their kid was up to. I never stole anything, I never had any ill intent, and people were always thanking me. I thought I was being helpful. I didn’t realize that some bad people might do bad things with the information. Now, I stay out of people’s business.

Could you hack into my email account right now if you wanted to?

Probably. If I learned anything, it’s that there’s always a way. Back when I first started, websites did not require passwords to contain special characters or capital letters. So most popular passwords were either the word password itself or QWERTY, the first six characters on the keyboard. In 2008, you could set a three-character password and it would be fine. Nowadays, any website will require you to make the password somewhat difficult by including at least some numbers. If someone wants to make a reasonably secure password that’s easy to remember and simple, think of a phrase or something relatable to you and add a few numbers that are relatable to you at the end, in the middle or at the front. Use a special character, use a capital letter. But depending on the method hackers use, the password and how difficult it is to hack is not that important.

What—what? What do you mean? 

Most scammers don’t really care about your emails. If someone wants to spy on you, it’s going to be somebody you know like your boyfriend or your business competitor who specifically wants your email to see what you’re doing. But mainstream scammers, who don’t know you, only want your password to steal your credit card or bank information. Here you should be wary of phishing, when a scammer is pretending to be a legitimate institution. 

It’s actually very simple to check an email’s source: In Gmail, for example, if you click on the three dots above every email and then “Show Original,” you’ll see all the information about where it came from. If you get an authentic-looking email from support at Facebook, for example, “Show Original” will show you if it came from Facebook. This will always reveal the source.

What’s the most common digital privacy mistake people make?

Not having two-factor authentication on at all times, on all accounts. The most familiar method is when you receive a one-time, randomly generated password code sent to your phone and you have to enter it within a short period, say 30 seconds. Hacking into a phone and an account simultaneously without getting noticed is next to impossible in that short window of time. If you have that feature on, you’re pretty much protected. But, too many people are too lazy to even bother.

What’s the most important thing about digital privacy that you’d want people to know? 

That it pretty much doesn’t exist. Your phone, your apps and even your TV are basically spying on you at all times. Notice that if you talk to your friend on Instagram about visiting Hawaii, for example, the next thing you see is a bunch of TripAdvisor ads on the app for flights to Honolulu. Siri is programmed to constantly listen to you. And nothing ever goes away. While I was questioned by the FBI, they pulled out a laptop and logged into my email that was suspended many, many years ago. That account contained emails that I deleted. My point is, your digital footprint is forever, and there are files on every single person out there. Everyone is being watched all the time.

You’re scaring me. Is there any way around this at all? 

It’s a scary world, especially with AI. The point is, if something’s online, it’s there forever. The digital footprint is always there. That you can avoid it is a misconception. For example, incognito mode isn’t anonymous at all. It just doesn’t save your history, but it’s still there. People have to realize it, acknowledge it, and proceed with caution.

It’s scary, but sometimes being scared is good because it makes you more cautious and aware.

The Get is owned by Neo Financial Technologies Inc. and the content it produces is for informational purposes only. Any views and opinions expressed are those of the individual authors or The Get editorial team and do not necessarily reflect the official policy or position of Neo Financial Technologies Inc. or any of its partners or affiliates.

© 2026 Neo Financial Technologies Inc. All rights reserved.