July 14, 2026
Our Household Got Hacked by AI, and Yours Probably Will Too (Part 1)
Comprehensive lessons we learned to radically strengthen your defenses, prevent significant losses, and get back on your feet quickly…

By Brian Julius
10 min read
Comprehensive lessons we learned to radically strengthen your defenses, prevent significant losses, and get back on your feet quickly. Today, the "before" actions…
Getting hacked is perhaps the most terrifying thing that's ever happened to me, which is saying something, given that these actual events also happened to me:
🔸 Leaving a Tarantino-esque bloodbath in my dad's car following my hellacious Alpine slide crash at the infamous Action Park in Vernon, NJ (aka "Class Action Park", "Traction Park", the "World's Most Dangerous Amusement Park")
🔸 After testifying at a trial in Key West, I luckily grabbed the last seat on a small turboprop home. Somewhat unluckily, the usual beautiful aerial view of Miami Beach was difficult to appreciate given the violent turbulence caused by the F1 tornado below us as it rolled through downtown Miami
🔸Ruining 2024's family Christmas Eve dinner by dropping dead for 20 min, and waking up 11 days later in the cardiac trauma center at Pittsburgh Presbyterian Hospital (shoutout Presby ECMO team! 👊)
Upon realizing we had been hacked, I remember thinking the following thoughts:
"Our entire life savings are just a bunch of ones and zeros 'protected' by an easy to guess username and an insufficiently complex password."
"My files representing the last 45 years of my life may be completely gone"
"My files representing the last 45 years of my life may be plastered all over the internet"
Fortunately, none of those things happened, but the distinct possibility that they could have very nearly gave me a second heart attack.
Lest you say "tough break, but I'm probably OK", here are a few grim statistics on how common this actually is now:
- As of 2026, ~86% of phishing attacks are AI-driven — and increasingly lack the telltale misspellings and clumsy grammar that used to give them away (KnowBe4, 2026)
- AI-generated spear-phishing achieves a 54% click-through rate — equal to expert human attackers — at over 95% lower cost (Harvard study, Heiding et al., 2024)
- Account takeover attacks surged 250% in 2024 (Kasada, 2025)
- Traffic from AI agents and automated browsers grew 7,851% year-over-year — roughly 8× faster than human traffic (HUMAN Security, 2026)
- Weak and reused passwords already can be cracked in seconds by standard tools — and AI-assisted techniques, trained on mountains of successfully hacked real-world credentials, are steadily widening the range of passwords within reach
What Happened
All of this went from the theoretical to the very real this past Easter weekend, when my wife Sue and I got hit by a state-of-the-art AI-driven hack. It started with an Easter brunch invitation Sue received from a close friend.
This is not the type of attack Sue would normally fall for, being a very smart woman and a savvy computer user. However, when I saw the message that triggered the hack, I was pretty sympathetic - the graphics were polished and professional, the sender was someone we knew well (and had gone to brunch with in the past), the email addresses and link destination appeared legit when moused over, and it was devoid of the misspellings and fractured grammar that immediately red-flagged the phishing emails we were used to seeing.
Once clicked, the hack:
- compromised Sue's Gmail credentials, photos, and Google Drive
- implemented deeply hidden email forwarding and filtering rules aimed at preventing discovery and stealing additional data
- downloaded her contacts and forwarded an identical hack to her frequent email contacts
- changed her 2FA cell number
Here's where the really high-tech aspect kicked in — when she realized that her 2FA codes weren't showing up in texts, she attempted to log in to her carrier app to check the status of her phone number to insure it was line locked.
The hack, however, had installed a malware version of that app, which stole her carrier login credentials, enabling the hackers to access her account and port her phone to a new number (while the rogue app still showed the # unchanged and line locked).
At this point, we contacted all of our financial institutions and alerted them of the hack, and that the hackers likely had her complete credentials and possibly mine as well.
A call to the carrier customer support, which got nervously elevated numerous times up the chain, finally confirmed and remedied the malware installation, regained control of her phone number, and instituted a line lock on it.
From there we were able to recover her Google account and change her credentials. But fully recovering from the hack cost us weeks of lost time, high stress and major expense while we worked with cybersecurity experts and reps from our bank, investment firms, and credit cards companies to remedy the hack, reestablish secure access to all our financial accounts, harden our security, and ensure that all of our computers, tablets and phones (plus a lengthy list of internet-connected devices including wifi-routers) were completely clean.
We agreed that the experience was a -1,000 out of 5 stars, and one we never want to repeat. However, the silver lining was that we learned an enormous amount from it, and wanted to share our lessons learned in hopes that they would prevent you from having to experience it for yourselves.
Before an Incident
This is one of those areas where an ounce of prevention truly is worth a pound of cure. Most hacks can probably be avoided by taking these steps, and the ones that still slip through will be 10x easier to handle without the weight of an ongoing incident bearing down on you.
1) Implement a Secure, Easy to Use Password Keeper Across All Users and Devices
I was using a well-established open source, AES-256 strong encryption system with a local randomized key file (KeePass), synced to a compatible commercial mobile app (Strongbox). This held firm against the attack, but the security of your system is defined by the weakest link in the chain, not the strongest.
My system, while superficially top-tier, required regularly updating multiple components manually, and was not user friendly. A theoretically strong system that is too complex for all household members to use, and difficult to maintain is a weak system in practice. Far better to deploy a proven secure, easy-to-use system that can be updated automatically, effortlessly scaled, and compliance can be evaluated and enforced effectively by a central administrator.
Using those criteria and relying heavily on the cybersecurity experts we engaged as well as friends who'd successfully used it for years, we selected 1Password (other popular alternatives include NordPass and Bitwarden). After working daily with 1Password since the hack, Sue and I are very happy with the choice we made.¹
¹A strict policy I've maintained over the five years I've been creating content on LinkedIn and YouTube is that I do no sponsored content, and have no financial interest in or affiliate agreements with any of the companies, products or services I recommend, and pay out of my own pocket for them (on average, > $8K/year). Thus, you can be certain that if I recommend something, it's for no other reason than I use it for my own work and think it's awesome.
2) Implement a strong, easy to use anti-malware system across all users and devices
The "you're only as strong as your weakest link" argument above applies here as well. Bitdefender and Malwarebytes are two popular options with reasonably priced options covering multiple users/devices. I will come back to the option we chose later in Part 2.
3) Passkeys > Passwords
Passwords have two key weaknesses — those that AI can't crack easily are long and complex (i.e., difficult to remember) and random (humans are terrible at generating truly random patterns). Also, because passwords and associated security questions are "something you know", your knowledge of them doesn't preclude others from knowing them as well.
This is why cybersecurity is increasingly geared around passkeys, rather than passwords. A passkey is a pair of cryptographic keys. A private key is created, encrypted, and stored on your specific device and never leaves it; the website keeps only the matching public key. To log in, your device has to prove it holds the correct private key - and will only do so after you unlock it with something unique to you.
The "something unique to you" is either "something you are" (e.g., biometrics like a fingerprint or face scan) or "something you possess" (e.g., a YubiKey that securely stores the encrypted private key and only releases it when you plug it in or tap it to the device).
Consider why this is so much better than a password — the user has little or nothing to remember, and even if a hacker had a perfect mask of your face, it wouldn't enable them to defeat your passkey without physical access to your specific device.
If your goal is to create the strongest possible passkeys, it's hard to go wrong with the YubiKey 5C NFC at $116 USD/pair. Pro tip: ALWAYS buy in pairs, and keep the spare in a secure place, since if you lose your main key, neither Yubico nor God will be able to log you in.
Increasingly, high-security sites are providing the option of YubiKey-based passkeys either directly or via the YubiKey authenticator found on the key, the Yubico website, and the Google, Apple and Microsoft app stores.
4) Minimize the "Surface Area for Attack"
An estimated 90% of the "wide-net" hacking attempts we are discussing here (as opposed to hacks targeting specific individuals) are aimed at one thing: money (Verion DBIR, 2025).
This argues strongly for reducing the "surface area" over which hackers can attack your financial accounts - accomplished in the following three specific ways:
a) Minimizing the number of your financial accounts (easier to secure and notify, fewer accounts for hackers to attack)
When we got hit, we had money spread all over the place. This dispersion of assets makes getting hacked even MORE of a nightmare, since you need to individually contact each org where you have active accounts promptly following a hack, and the more active accounts you have, the harder it is to tightly secure all of them.
Since the hack, we have consolidated to just three main organizations
- A single large investment firm providing a full range of investment, retirement, and banking services, with outstanding security and 24/7 support staffed by knowledgeable humans, a huge plus when you get hacked at the start of a holiday weekend and are not keen on waiting three days to confirm you still have retirement savings…
- A local checking account we use for bill paying and cash withdrawals (though I likely will also transfer these functions to the investment firm down the road)
- The org that holds Sue's and my gov't retirement accounts
In addition, we now have only two credit cards — a primary card for all regular monthly charges, and a backup if the primary card gets compromised (which it did in this hack).
b) Hardening the accounts themselves
Investment and retirement accounts frequently offer an additional "moneylock" option — a long alphanumeric key you need to provide in addition to your UserID and passkey to unlock actions involving trades or withdrawals.
Putting credit freezes on your accounts with each of the three major credit bureaus prevents a hacker who has obtained your credentials from opening new accounts, taking out loans, or applying for credit cards in your name
- Equifax: Call (888) 298–0045 or visit Equifax Credit Freeze.
- Experian: Call (888) 397–3742 or visit Experian Security Freeze.
- TransUnion: Call (888) 909–8872 or visit TransUnion Credit Freeze.
After a hack occurs, you can also place a fraud alert with one of the above credit bureaus, and they are legally required to notify the other two. The credit freeze is the big dog - it's permanent until you remove it while the standard fraud alert only lasts one year. The main advantage of a fraud alert is that it stays in place even during the window when you remove the credit freeze temporarily, say when buying a house.
I also recommend obtaining an IRS PIN, which prevents someone else from filing a tax return using your Social Security number (SSN) or individual taxpayer identification number.
c) Minimizing the access points for financial data
The third way to reduce the attack surface is to sharply limit the computers (and potentially the users) accessing financial data. Following the hack, we purchased a new Asus Chromebook laptop with biometric access, and a new pair of YubiKey 5C NFCs.
Chromebooks are highly secure, and easy to maintain. The only apps we have on it are apps to access our three financial organizations, two credit card companies, the Social Security Administration, IRS, a cash transfer app, and 1Password.
Sue and I have agreed that this is the only computer that will be used to access financial data, and that it will NOT be used for general browsing, social media, or other non-financial purposes.
5) Confirm all your cell numbers are line locked
As discussed above, unless your cell phone number is line locked, hackers who steal your credentials may be able to use them to generate a port-out PIN and change your phone number, defeating traditional email or text-based 2FA, and making it very difficult for you to recover your Google account.
Thus, using the web interface or calling your carrier directly, confirm that all of your numbers are line locked. Confirmation should look like this:
6) Assemble a "Caveman Kit" in Advance
This lesson was one we definitely learned the hard way. In the early day(s) of a hack, you're likely not going to be certain which of your devices are compromised and which are clean. Thus, the safest approach is to "go analog" and ditch your cloud-connected devices until the extent of the hack is clear. For example, you don't want to be snapping pictures of the hack and documenting remedial actions that are automatically synched to Google Photos and Google Drive if those resources are not yet fully under your control.
Unfortunately, in an early 2026 Marie Kondo-type decluttering spree, those were exactly the types of devices I purged as inferior to my shiny new Pixel 10 and Pixel 4 watch, so managing the hack became even more difficult and stressful.
So, in advance of writing this article, I ironically repurchased crappier versions of the "outdated and useless" items I had just purged in order to restock my analog "Caveman Kit" — a process that distinctly did NOT "bring me joy".
Coming later this week in Part 2:
A detailed discussion of the "During" and "After" activities, and the comprehensive checklist I'd wished we'd had to smoothly guide us through our hack incident (Pro Tip: store a copy with your Caveman Kit!)
Note: though I have been writing about data science, data analysis, and AI for five years on LinkedIn (https://www.linkedin.com/in/brianjuliusdc), this is my very first article for Medium. Thanks for reading! I hope to post a couple of new articles each week, and would love your feedback.