My accounts were "hacked". Lessons learned.

[suchamoneypit]

So last night someone got into my email and subsequently used it to get complete control over my eBay account. I got an email change notification from eBay from and IP that was not mine and I instantly knew what was happening. I was able to react and use my Paypal to override my eBay login (I was completely blocked out. They changed email, password, and connected phone) and change my password back which I did within 20 minutes of being taken over and then I had to call eBay at 11pm while I was at a "gathering" to get ebay to revert the email back to mine.

 

Interestingly the person got into my email, but never changed its password. I had to change the passwords and enable two-factor authentication on all of my accounts for everything. Thankfully I always add my phone as a backup for all my accounts and this saved me an insane headache getting back control of my accounts and changing passwords. eBay was very helpful in getting access back. eBay guy helping me was like yeah everything on your account changed in a few minutes I'd say your account is compromised, and after he reverted it back he went "well, good luck, get your email secured first though", which I found pretty funny.

 

I had knew my ebay password was pretty weak, I considered it a "low security" password and I knew this. It was also the same password as my email which I never used. I can't say in the back of my mind I knew this could happen but I was lazy and never went to secure it. If he had gotten control (by changing its password) of my email he could have taken over pretty much every account I owned. He could have really messed up my stuff. I can't even imagine the damage he could have done If I had been asleep and he went through my emails to see what else he could take.

 

Moral of the story: Keep better and more complicated passwords, and use your phone number and two-factor authentication to secure you accounts.

[Mr.Meerkat]

2 minutes ago, suchamoneypit said:

Moral of the story: Keep better and more complicated passwords, and use your phone number and two-factor authentication to secure you accounts.

Me:

All the accounts I don't care about - the password I've used since 2003

The accounts that I somewhat care about (such as this forum or steam account) - My newer 15 character password

Accounts that I genuinely do not want to be hacked - mix of old, new and school password  

 

Oh shit, people now know how to hack into all my accounts...ah well, they won't get past my 31 character email password so I'm not worried...

[suchamoneypit]

Just now, Mr.Meerkat said:

Me:

All the accounts I don't care about - the password I've used since 2003

The accounts that I somewhat care about (such as this forum or steam account) - My newer 15 character password

Accounts that I genuinely do not want to be hacked - mix of old, new and school password  

 

Oh shit, people now know how to hack into all my accounts...ah well, they won't get past my 31 character email password so I'm not worried...

All my accounts I call important - accounts linked to my bank account, have strong passwords (my eBay was linked to my paypal which to purchase still has my phone verify and this was the reason I could get control back). My mistake was having a weak email password which allowed them to reset my complex passwords for my important accounts. 

[Batteries Included]

Me: use the worst possible password for anything I don't care about

use a decent password for my email

uses a 256 character password for WoT because I got hacked

[DildorTheDecent]

They probably intended to use your account for those £40 GTX 1080s. 

[suchamoneypit]

5 minutes ago, DildorTheDecent said:

They probably intended to use your account for those £40 GTX 1080s. 

They probably get a lot of accounts and people just don't pay attention and they do that. Luckily I was on top of getting access back very quickly so they never got the chance.

[Cryosec]

5 minutes ago, Mr.Meerkat said:

The accounts that I somewhat care about (such as this forum or steam account) - My newer 15 character password

same pass for both? that's still a mistake

 

6 minutes ago, Mr.Meerkat said:

they won't get past my 31 character email password so I'm not worried

lenght keeps you safe from bruteforce or dictionary attacks, not phishing (and believe me, if somebody is aiming specifically at you, phishing will work)

 

5 minutes ago, Batteries Included said:

uses a 256 character password for WoT because I got hacked

holy shitballs 256? I've actually never seen a database that permitted these kind of passwords. chapeau to them

[Mr.Meerkat]

Just now, Cryosec said:

same pass for both? that's still a mistake

Well my steam account is secured by 2FA so I think I'm all guld  

 

1 minute ago, Cryosec said:

lenght keeps you safe from bruteforce or dictionary attacks, not phishing (and believe me, if somebody is aiming specifically at you, phishing will work)

Too bad the only way they'd get it is by installing a keylogger without me knowing so... 

[Cryosec]

1 minute ago, Mr.Meerkat said:

Too bad the only way they'd get it is by installing a keylogger without me knowing so... 

you may not be interested in this, but try giving a read at this blog post (not my stuff). It might surprise you how easy phishing can turn out for an attacker 

[Creed1]

I had someone targeting all my accounts a couple of weeks ago. My gmail, steam, Lastpass account, etc. I was able to get a new email address and change my passwords on my accounts. 

[SCHISCHKA]

i use several different email accounts.

One for personal use.

I use a seperate one for each account like google and facebook and i never send emails from these accounts it is just for managing other services.

I have several for work that are only used for that work.

I have one for signing up to competitions.

I have a junk account that must be on every spammers address book.

Putting everything on one email account is like having one password for everything, a single point of failure.

[Guest]

Someone hacked into my Minecraft account and I noticed it like 2 or 3 months ago. Never bothered to change it. Just did. So now I have someones stats on a game I never play :b

[TetraSky]

Why would someone hijack a Ebay account... What purpose does that serve them? Hijack paypal or something at least instead.

[suchamoneypit]

1 minute ago, TetraSky said:

Why would someone hijack a Ebay account... What purpose does that serve them? Hijack paypal or something at least instead.

If not set up properly they could probably buy stuff off a linked paypal. Also they could get accounts people don't monitor to make false listings. Or they could just be an asshole and want to mess with someone?

[TetraSky]

Just now, suchamoneypit said:

If not set up properly they could probably buy stuff off a linked paypal. Also they could get accounts people don't monitor to make false listings. Or they could just be an asshole and want to mess with someone?

Wait, you mean it could be made so Paypal doesn't ask you for your password every time you even try to buy anything?
I thought that was the default...

[suchamoneypit]

Just now, TetraSky said:

Wait, you mean it could be made so Paypal doesn't ask you for your password every time you even try to buy anything?
I thought that was the default...

Even amazon has a "1 click buy" where you set it up where you literally click "buy now" and it charges a credit card and ships. No extra authentication.