Got hacked, need advice

I'm betting it came from twitter.
Listening to the "level1tech show" makes me glad I don't use it anymore.

"tiny rant"
Social media is terrible
Second, it's just "virtual networking", there is nothing "social" about twitter, facebook or any others. They're not "media" either. That would infer it's 1. either entertainment or 2. a report of some kind with a reporter giving you information. Social Media is none of these options.

Whatever moron started calling it "social media" needs a :nutkick:
Quite possible because 2 days prior to this hack someone got access to my twitter acc and started congratulating new year to a bunch of mentions. Also I see bot infestation got even worse. I guess firing most of workforce that was maintaining hardware and software side of network was a bad idea, huh?
 
Write your passwords on a piece of paper.
Yeah, that's really the worst advice - ever.

Years ago I was at a security seminar and one of the guest speakers was a [hopefully - supposedly] reformed house burglar. He said there are several types of burglars. One the most common is just someone looking for cash, or something he/she can sell/pawn/fence quickly for cash so they can score their next fix. These types typically are in and out quickly.

Another type is one (often working pairs) who take a little more time, looking for more high-value items, like computers. He explained one of his common practices was to sit down at the victim's computer desk, and take a quick look around at everything that was within arm's reach - such as desk drawers, under keyboards, index card boxes, binders, etc. looking for written down passwords. He said they found them a lot - along with credit card numbers, PINs, social security numbers and more.

When I started my own repair business and went out on client service/house calls, I started to do the same thing. And sure enough - I often found users' lists of passwords. Many wrote them down on sticky notes attached to their monitors! :( Since these were all my clients - I read them the riot act.

Yeah, if you're a high value target
Don't have to be a "high value" target at all! Many victims are the targets of neighborhood whiz kids, the people in the adjacent apartment who see your wireless network, the daughter's ex-boyfriend, a mischievous visiting nephew, or someone just driving down the street pointing their directional antenna at your house.
If you're Joe Schmoe, nobody is going to scan through bulk data looking for you
Yeah right. If only that were remotely true. I am afraid you are out-of-touch with reality here.

What is true is most bad guys are lazy opportunists. They are going to take a quick look, see if your system is updated and that you are using an antimalware solution. They are going to look for the "easy pickings" (because there are many out there). And if they get much resistance, they move on to check the next guy. But again, you don't have to be a high value target at this point. In fact, the "remote" bad guy likely has no clue who, or where you are, and doesn't care.

HOWEVER - you don't have to be a high-value target to be the target of a determined bad-guy either. Anyone who knows you personally, and wants to hurt you in some way, could target you.
 
Don't have to be a "high value" target at all! Many victims are the targets of neighborhood whiz kids, the people in the adjacent apartment who see your wireless network, the daughter's ex-boyfriend, a mischievous visiting nephew, or someone just driving down the street pointing their directional antenna at your house.
There is an aspect here that is your password is only as secure as the system that is used to authenticate you.
This is probably the "most important" aspect of a password. :roll: (sorry I had to work in some humor somewhere)
This is many times overlooked in conversation and instead the total burden of security is put on the user to memorize, and change frequently, something they won't remember, don't want to remember, or will find some other external storage to remember it thus defeating the purpose of having a secret.
Yeah right. If only that were remotely true. I am afraid you are out-of-touch with reality here.
I do live on an island of sorts so I can't discount the idea I might be wrong from time to time but if I was right all the time I'd never bother chatting with people so here we are having a nice chat.
What is true is most bad guys are lazy opportunists.
I agree. If the prospect of cracking your password is going to take more time or cost than sending you a phishing email they would probably take the path of least resistance with highest probability of gain.
HOWEVER - you don't have to be a high-value target to be the target of a determined bad-guy either. Anyone who knows you personally, and wants to hurt you in some way, could target you.
I thought I had that point covered via "people with axes to grind" latter half of the sentence that was not quoted. I suppose there are certain types of focused vindictive people who would hack your wireless instead of slashing tires or pay others to do so.
 
This is many times overlooked in conversation and instead the total burden of security is put on the user to memorize, and change frequently, something they won't remember, don't want to remember,
I fail to understand why you keep repeating this! Multiple people in this thread have illustrated, some multiple times, that this is simply wrong!
I do live on an island of sorts so I can't discount the idea I might be wrong from time to time but if I was right all the time I'd never bother chatting with people so here we are having a nice chat.
Except, you are not listening to what others are telling you. You are fixated on your misconception and understanding of reality here, apparently refusing to accept the facts. :(

With a decent password safe (and there are many that are simple, free, and extremely effective) the user only has to remember one password. And, unless they give it away to someone else (not smart, or safe), they never have to change it either.

or will find some other external storage to remember it thus defeating the purpose of having a secret.
Huh? That makes no sense. Beyond the requirement for everyone to have a backup plan anyway (in case their house burns down, floods, is struck by lightning, drive failure, etc.) managing our passwords doesn't require extra external storage. Even if it did, it does not defeat the purpose of having a secret - whatever that means. :rolleyes: ???

Since this conversation seems to be a one-way dead end, I think it is time for me to move on.

So I will just say this, then move on. For those who see the wisdom of using a password manager (and I sure hope everyone does) and the convenience of having to remember just one single password, and a safe that has a generate [very strong] password feature too, I highly recommend the very simple (and free) Password Safe. This is a simple, easy to learn, stand-alone, local password manager. It does NOT use or depend on "the cloud" - a good thing, IMO.

There are certainly many others and I am NOT suggesting this is the best. I am just saying if you don't use one, this is a great, and secure, easy to use password manager to start with.
 
But I did install the Malwarebytes 2-week premium trial. It found 18 trojans on my PC. Windows Defender is shite. So idk. Time to get some better antivirus. I need to scan that master boot record somehow as well


Also, if you use google password manager to have your passwords saved for different sites, and someone gets access to your google acc, do they then get access to all your passwords for all sites as well?
Do you suppose this got rid of the problem? Did you research any of the findings? Did you get control of google?
 
So only when one of your devices got lost/stolen...

Someone must have had access through one of your devices, or otherwise there must have been a SIM swap / SIM spoofing and those are rare I think, unless you are a very important person and target....
Actually, at least in the US, those are not as rare as I (and I imagine most people) thought they were. Not too long ago some people working at a carrier (I think it was AT&T) got busted for collaborating with such a scheme. Apparently, it is now "popular" to recruit insiders in the telecom industry and bribe them. However, I am pretty sure that the criminals are typically interested in making money rather than hijacking a random person's social media accounts. This only goes to show that people should be less trusting of 'authorities' such as carriers, ISPs, cloud service providers etc because even if you assume the organization has your best interests in mind, some employed individuals may not, for one reason or another... (another example would be the Twitter employee who got caught spying for Saudi Arabia).
 
I don't like password managers that are software installed on one machine. I don't use one machine. I use many machines, over different OS's, and in many different locations. Laptop A, desktop B, phone C, Work A, Work B, House A, House B, Friend C, Client D, etc. And can you imagine the grief if your password file got lost or corrupted?

Why do people keep recommending password managers that are local, and are not cloud based? It makes no sense unless you are chained to your mum's basement.

But as soon as you go cloud based, you open yourself up to a whole new set of risk vectors.

This is what I do, and I share it with all, to criticise or to gain. Each to their own. And it is the password I use for this site, and for all others. (Public websites with logins, online shops etc).

DNS.1A$.fixedsecretpassword.#hash#

example
techpowerup.com@1A$.12345.XX

The @1A$ deals with those horrible password complexity requirements you get on some sites, ie, "you MUST have a number, you MUST have upper case, you MUST have a non-letter-number character", the fixedsecretpassword is a password that is common to 99.9% of the sites where I am registered, and the #hash# is a two letter cipher at the end that is based on some easy algorithm that is uniquely mine and I can work out in half a second when drunk, and based off the DNS.

I do not use 2FA on ANYTHING other than banking sites. The fewer times you use 2FA the less likely you are to be compromised or spoofed.

These passwords are unique to each and every website, and will not be machine hacked in any plausible form. And if any one were, the risk of quickly finding the others is remotely small. It would need human intervention to spot the readable pattern. So that is the risk, a nefarious person who got a copy of a password from one site, getting the gist of the password structure, and wanting to spend their time hacking others trial and error on the .xx hash. But they'd never reach a banking site, and any shopping site requires 2FA after CC entry. Don't let websites store your CC!

I could upgrade and make it human unreadable, converting the DNS to a cipher. e.g. http://practicalcryptography.com/ciphers/simple-substitution-cipher/. This would immediately stop any pattern spotting by human intervention.

E.g. but infinite others

[Image: ROT13.png]

But I can't be bothered...
 
Last edited:
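
The site-derived scheme from the post above, redone with a key-derivation function so that one leaked site password shows no readable pattern linking it to the others. This is an added example, not part of the original post; the function names, the symbol set, the iteration count and the sample secret are assumptions.

```python
import hashlib
import hmac
import string

# Character classes covering the usual "upper, digit, symbol" site rules.
# The symbol set is an assumption; some sites accept fewer symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-")
ALPHABET = "".join(CLASSES)


def _byte_stream(key: bytes):
    """Yield an endless deterministic byte stream: HMAC-SHA256(key, counter)."""
    counter = 0
    while True:
        yield from hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1


def derive_site_password(master: str, domain: str, length: int = 20,
                         iterations: int = 200_000) -> str:
    """Derive a per-site password from one memorised secret and the site's domain."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    # Slow KDF: makes guessing the master secret from one leaked site
    # password expensive. The normalised domain acts as the salt.
    salt = domain.strip().lower().encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    limit = 256 - (256 % len(ALPHABET))  # rejection sampling avoids modulo bias
    chars = []
    for b in _byte_stream(key):
        if b >= limit:
            continue
        chars.append(ALPHABET[b % len(ALPHABET)])
        if len(chars) == length:
            # Accept only if every class is present; otherwise keep drawing.
            if all(any(c in cls for c in chars) for cls in CLASSES):
                return "".join(chars)
            chars.clear()


def forum_style(domain: str, fixed: str, tag: str) -> str:
    """Layout of the post's example: domain, complexity filler, fixed secret, short tag."""
    return f"{domain}@1A$.{fixed}.{tag}"


if __name__ == "__main__":
    master = "constructed-demo-secret"  # constructed sample, not a real secret
    for site in ("techpowerup.com", "example.org"):
        # Forum layout: only the domain and tag differ between sites.
        # Derived form: the two outputs share no visible structure.
        print(site, forum_style(site, "12345", "XX"), derive_site_password(master, site))
```

Rotating a single site's password after a breach would need one more input, such as a per-site counter, which this sketch leaves out.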
And can you imagine the grief if your password file got lost or corrupted?
Have encrypted backups with a password! LOL.
Why do people keep recommending password managers that are local, and are not cloud based? It makes no sense unless you are chained to your mum's basement.
I think it's an issue of trust. How much do you trust your cloud provider? LastPass got breached not too long ago. But then again if someone is targeting your local network it's probably a lot easier to breach that unless you have air gapped your password manager except when you need it.
DNS.1A$.fixedsecretpassword.#hash#
That's a nice pattern. I like it. And you could even keep it in a password manager (omitting the password part) keeping the easy to remember secret password in your head.
 
I recommend using Bitwarden and Authy. Before setting these up, run a malware scan on your data drives and do a fresh reinstallation of Windows.

Once Bitwarden and Authy are set up, change your login data (password, etc.) from every website you visit and enable 2FA on all websites which support it.
 
Yeah, that's really the worst advice - ever.
Well I didn't say stick it to your monitor either. Put it somewhere safe, like a safe. Maybe your attic, basement, outa sight etc etc..
If you put it in your desk drawer or stick it to your monitor those are also the people that use Password as their password.
 
Well nothing changed. Again this morning I find that someone took control of my multiple gmail accounts. I have no choice than nuclear option of wiping hard drive clean and again changing all passwords
 
Maybe a government agency is investigating whether you're doing something illegal? Because having many accounts sharpens attention. LoL.
 
idk. With the amount of scanning and cleaning I did yesterday, seems weird that something would be left over on my system. Somehow, someone has the ability to reset my google credentials over & over.
And glorious google now doesn't let me reset my password for the next 48 hours. So attacker/s are free to do whatever they want in the meantime. Thank God I don't do any online banking or paying for anything online whatsoever. I had paypal account connected to one of these mail accounts in the past. But there is no money on it and bank account that was connected to that paypal was closed last year.

Hah. Well I just reset the password for my other gmail acc and got 2FA SMS asking did I ask the password to be reset, and SMS came not from google but some other number +43657954572. That's Turkey phone number. So attacker also gets text when I try to reset my password. Idk if clean windows installation will do anything about that. I think it's time to just say goodbye to those gmail accounts as I don't use them for anything important anyways.
 
Last edited by a moderator:
Maybe a government agency is investigating whether you're doing something illegal? Because having many accounts sharpens attention. LoL.

Then i'm on a hit list, I have 3 emails, 3 phone numbers, etc., press F for me

OP, looks like you have to nuke your Windows boot drive, and disconnect whatever else until you are able to scan them. Then follow up and do the Bitwarden/Authy setup and blanket change of all your credentials on every website you can remember. Always be mindful to never reuse your password, Bitwarden can generate random, secure passwords for use with all websites. Good luck.
 
OK, so what's happening is every time I try to reset my password and ask for 2FA SMS, attacker gets that same code sent to him. So I can reset indefinitely as attacker can just do the same.
 
OK, so what's happening is every time I try to reset my password and ask for 2FA SMS, attacker gets that same code sent to him. So I can reset indefinitely as attacker can just do the same.
Do you have any periods in your gmail?
 
So I woke up this morning ( I mean I exited REM state. Didn't go woke) and found out I have been hacked somehow. My Google acc & Twitter hijacked. Idk how. I guess having TFA enabled on those acc's doesn't mean much.
MFA does nothing if the hacker accessed your own device which is already authorized to login to your account, especially when you choose to: "remember me", "don't ask me again", "autologin", etc. MFA protects your account from being accessed on other devices that you do not own.

So please do not say that MFA does nothing. This is your own doing of not being careful and not protecting your own local device. It is not that MFA didn't work. It is your job and responsibility to protect your own local device, not Google, not Twitter, not any other company and their technologies such as MFA.
 
MFA does nothing if the hacker accessed your own device which is already authorized to login to your account, especially when you choose to: "remember me", "don't ask me again", "autologin", etc. MFA protects your account from being accessed on other devices that you do not own.

So please do not say that MFA does nothing. This is your own doing of not being careful and not protecting your own local device. It is not that MFA didn't work. It is your job and responsibility to protect your own local device, not Google, not Twitter, not any other company and their technologies such as MFA.
I guess you didn't bother reading past first post, huh?

If you scroll down this article, you will learn just what kind of scumbags work at google. Looking forward to getting rid of their accounts and browser for all eternity.
 
Last edited by a moderator:
Check the list of connected devices, burn everything that's not yours.
Most likely you also have malware sitting in your MBR or something.
 
I have no idea what periods are.

You know those small dots at the end of a sentence? That you use and read every single day of your life?
 
You know those small dots at the end of a sentence? That you use and read every single day of your life?

Or the red period?..:D
 