Just had a load of password reset emails

Pawnless Endgame · 9 Apr 2020 at 20:32

Is anyone else having this at the moment? Someone's just tried to log into my Gmail, Facebook, Curry's accounts and also on a gambling site. Gmail already has 2FA. FB didn't but I have now enabled it and changed the passwords on all 4 accounts. ASDA as well now.

A friend of mine just had 3 password reset emails for Just-Eat. And now their BT account.

Can anyone else here confirm if they're being attacked too. To see if this is isolated or widespread, and what I can do to buff up security?

MrRockliffe · 9 Apr 2020 at 20:35

Lots of people bored at home I would imagine

wez130 · 9 Apr 2020 at 20:47

I had something similar a couple of weeks ago, hotmail, facebook, steam and a couple of others, I've changed all my passwords and made them different for each account, scanned my PC and laptop for malware etc but found nothing.

Deleted member 77746 · 9 Apr 2020 at 20:51

Nothing here all emails quiet.

Pawnless Endgame · 9 Apr 2020 at 20:51

Yeah, I'm in the process of changing my affected account passwords too. They tried my Tesco and Argos accounts too since I last wrote.

Checked with my family WhatsApp group and my mum said they tried her FB account too.

Dangerous Dave · 9 Apr 2020 at 21:00

Are you sure the emails are genuine ? Could be phishing emails attempting to get you to take links to fake sites off the email.

Pawnless Endgame · 9 Apr 2020 at 21:05

^^ I'm deleting the emails and just logging into the sites themselves to change my passwords.

Deleted member 77746 · 9 Apr 2020 at 21:05

Dangerous Dave said:
Are you sure the emails are genuine ? Could be phishing emails attempting to get you to take links to fake sites off the email.

More likely to be this. I can’t see loads of companies changing them at the same time.

Alex_6n2 · 9 Apr 2020 at 22:00

Or your email and a password previously associated with it are in a database and someone has finally gotten to your information whilst trawling through a list of millions

Check your email address here: https://haveibeenpwned.com/

Troy has also developed a very clever way to check if your passwords have been leaked. He has an extensive blog post about how his software hashes your password and checks against other hashes.

https://haveibeenpwned.com/Passwords

Marky · 9 Apr 2020 at 22:05

Nothing my end

Pawnless Endgame · 9 Apr 2020 at 22:06

Dangerous Dave said:
Are you sure the emails are genuine ? Could be phishing emails attempting to get you to take links to fake sites off the email.

I think they're genuine. They're now attacking some fairly obscure accounts I have such as Brewdog and Untapp'd. I'm beginning to think it's getting personal. Someone who knows me.

Alex_6n2 said:
Check your email address here: https://haveibeenpwned.com/

I do check that site from time to time and my email address has never been pwned. Not even now, unless there is some lag and the database hasn't updated yet.

Alex_6n2 · 9 Apr 2020 at 22:16

Pawnless Endgame said:
I do check that site from time to time and my email address has never been pwned. Not even now, unless there is some lag and the database hasn't updated yet.

Yeah it depends on Troy getting access to leaked databases, which often appear on the dark web long before he has a copy of them to upload into his data set.

The more obscure websites are odd though

Have you checked for a key logger and/or root kits?

Pawnless Endgame · 9 Apr 2020 at 22:23

Alex_6n2 said:
Have you checked for a key logger and/or root kits?

Ah what would you recommend for root kit / key logger scanning? I just use the built-in AV (Windows 10) and Spybot Search & Destroy at the moment. Browser is Firefox.

Alex_6n2 · 9 Apr 2020 at 22:26

Pawnless Endgame said:
Ah what would you recommend for root kit / key logger scanning? I just use the built-in AV (Windows 10) and Spybot Search & Destroy at the moment. Browser is Firefox.

If you want free Malwarebytes has always been good for me

https://www.malwarebytes.com/antirootkit/

Must admit it's been a while since I've looked into what's new in the field though

The_Arbiter · 9 Apr 2020 at 22:31

Update your drivers and check windows update is working.

No weird emails here. But one of my old accounts frequently gets paypal, netflix, courier, etc type emails. Nothing on that account from argos, facebook or anything. Though i don't use it for anything useful, just waiting to see what emails/newsletters do come through that i may have missed since i changed all my email accounts ages ago.

Deleted member 77746 · 9 Apr 2020 at 22:34

The_Arbiter said:
Update your drivers and check windows update is working.

What?

HungryHippos · 9 Apr 2020 at 23:56

Had a couple of these for DeviantArt, an account I've not used for a long, long time. I reset the password and set the email address to one I don't use day to day, so I can just ignore the emails

Deleted member 77746 · 10 Apr 2020 at 00:06

I just had a thought. If we could get rid of the password and just enable 1FA authentication so your mobile phone is your password. (Password Generated on the fly every log in).

So for someone to get into any accounts they must be able to have physical access to your phone.

There would be no need for a password reset. When you change your phone number then obviously the phone number must be updated.

Maybe the problem is here - would then be your phone number might be hijacked some how. Maybe by trying to port out your number to a new sim or something.

There has to be a way to stop all of this. I know Apple Authentication could be a way forward but not all sites will implement it same with 2FA or 1FA.

Pawnless Endgame · 10 Apr 2020 at 00:20

Thanks guys.

@Alex_6n2 - that root kit scan came out clean. The only change I've made this week IT-wise was installing a 2nd SSD into my laptop (my main PC) and it was brand new, unopened with the seal intact.

@mrbell1984 - good shout on using 1FA only. I did change mobile providers from Three to BT a couple of weeks ago and kept the same phone number that I've had for 20 years. I don't think the attacker knows my number though as they only get as far as attempting to log in and then asking for a password reset. As soon as I see those emails, I go onto the web site and change the password for each attempt.

Hilly · 10 Apr 2020 at 00:28

mrbell1984 said:
I just had a thought. If we could get rid of the password and just enable 1FA authentication so your mobile phone is your password. (Password Generated on the fly every log in).

So for someone to get into any accounts they must be able to have physical access to your phone.

There would be no need for a password reset. When you change your phone number then obviously the phone number must be updated.

Maybe the problem is here - would then be your phone number might be hijacked some how. Maybe by trying to port out your number to a new sim or something.

There has to be a way to stop all of this. I know Apple Authentication could be a way forward but not all sites will implement it same with 2FA or 1FA.

wouldn't work; You need MFA, coupled with biometrics for a great balance between user journey and security. Windows hello is a good example of this. I've seen companies take up Windows Hello and a device based MFA

Apple auth is MFA, coupled with sign on with Apple-id, which loosely follows OpenID specifications to achieve it. They have an option to use a randomly generated email address, when signing on via an IdP - which means you can't tie in the authentication to a specific subject - which in theory works great. However it's not realised yet so unsure of how it would work practically.