Have been hacked - lost access to accounts etc

superleeds27 said:
Doesn't that mean they know your password then? If it's triggered the 2nd step?
Click to expand...
No not always, with MS accounts that are correctly secured, if you have the MS Auth app on your phone then simply entering your email address into the logon box should trigger the prompt on your phone and you simply authorise via the app. This only works once you've set up the app and everything else. Alternatively someone trying to get in could attempt to use a backup method in which you'd get a prompt anyway like if you'd forgotten the password and requested a prompt.

Google accounts work the same way but via the native Android authentication built into Android.
 
Last edited:
dlockers said:
Can you not tell lol?
Click to expand...

Well usually yes, but recently I’ve been on the end of quite a few of these emails and they’re becoming more clever and harder to spot. It’s like the two messenger requests I got. They looked official but I didn’t think Facebook would contact me this way so I’ve blocked them. But I just don’t know anymore it’s becoming so abstract
 
Do key loggers etc have to be physically installed? Another 3 £25 transactions were taken today using my business account. I’ve no idea how they are doing this.

All accounts frozen, all cards replaced. PayPal contacted (twice). Just need to get hold of Facebook
 
Last edited:
BananaDunka said:
No not always, with MS accounts that are correctly secured, if you have the MS Auth app on your phone then simply entering your email address into the logon box should trigger the prompt on your phone and you simply authorise via the app. This only works once you've set up the app and everything else. Alternatively someone trying to get in could attempt to use a backup method in which you'd get a prompt anyway like if you'd forgotten the password and requested a prompt.

Google accounts work the same way but via the native Android authentication built into Android.
Click to expand...

So what about all the random login attempts that happen on a daily basis (the ones we see under the account activity section), would that then trigger these alerts to log in on the Auth app? Or is the system cleverer than that?

Assuming it's not that clever, I guess the way round this is to setup an alias and use that as the primary email to login to the account with?
 
Last edited:
superleeds27 said:
So what about all the random login attempts that happen on a daily basis, would that then trigger these alerts to log in on the Auth app? Or is the system cleverer than that?
Click to expand...
If you're seeing daily login attempts then that's just online bots polling accounts with details that have been included in various breaches on servers containing your details. Nothing you can do about that other than just ignore until the bots move on after failing x amount of times.

Once a month I get 3 back to back emails from facebook telling me what my password reset code is, obviously my FB is MFAd and the both system being used is attempting to reset my password but doesn't have access to my MFAd email account so it just goes into a loop until it's taken offline or blocked by FB (I use the "it wasn't me" link in the email). Just the world we are in now with automated bots trying to hijack accounts.
 
BananaDunka said:
If you're seeing daily login attempts then that's just online bots polling accounts with details that have been included in various breaches on servers containing your details. Nothing you can do about that other than just ignore until the bots move on after failing x amount of times.

Once a month I get 3 back to back emails from facebook telling me what my password reset code is, obviously my FB is MFAd and the both system being used is attempting to reset my password but doesn't have access to my MFAd email account so it just goes into a loop until it's taken offline or blocked by FB (I use the "it wasn't me" link in the email). Just the world we are in now with automated bots trying to hijack accounts.
Click to expand...
Yeah that's my point really. If it's a case of entering an email address and pressing login and it alerts the user on the app, surely after a while it's going to get annoying rejecting bots etc.

Having a Hotmail email that's been with me for 20+ years and involved in god knows how many breaches, theres quite a few daily login attempts from bots etc
 
superleeds27 said:
Yeah that's my point really. If it's a case of entering an email address and pressing login and it alerts the user on the app, surely after a while it's going to get annoying rejecting bots etc.
Click to expand...

Yeah has to be more to it than that, otherwise screw that for a laugh.

At least if I start getting random authenticator code prompts I know that my password is likely breached.
 
HungryHippos said:
Yeah has to be more to it than that, otherwise screw that for a laugh.

At least if I start getting random authenticator code prompts I know that my password is likely breached.
Click to expand...
Hang on, if you still enter your password and then it triggers the Auth app that's what I'd expect to happen with normal 2FA, then yeah, chances are password has been breached.

But just entering the email address and no password and it triggering an Auth notification would be super annoying - (mainly down to the bot thing!) - that sounds more like 'passwordless'
 
Last edited:
superleeds27 said:
Hang on, so you still enter your password and then it triggers the Auth app? That's what I'd expect to happen.

But just entering the email address and no password and it triggering an Auth notification would be super annoying - (mainly down to the bot thing!)
Click to expand...

Not sure but old banana dunka seemed to suggest it just prompts you when you enter the email address.

Passwordless Authentication I think it's called? sounds balmy to me anyway.
 
HungryHippos said:
Not sure but old banana dunka seemed to suggest it just prompts you when you enter the email address.

Passwordless Authentication I think it's called? sounds balmy to me anyway.
Click to expand...
Having a quick Google and search in Reddit. Looks like the system is clever and doesn't seem to alert you about the bot attempts.

Anyway. Strong unique password and 2FA. That's all that matters!
 
Last edited:
superleeds27 said:
Hang on, if you still enter your password and then it triggers the Auth app that's what I'd expect to happen with normal 2FA, then yeah, chances are password has been breached.

But just entering the email address and no password and it triggering an Auth notification would be super annoying - (mainly down to the bot thing!) - that sounds more like 'passwordless'
Click to expand...
No not quite that straight forward, you can try it right now just open an incognito window and try to log into your MS account, you enter the email address, then on the password box do nothing, click "other ways to sign in" - You can then choose the app verification method, text etc etc.

If the server detects your IP /sesison cookie etc as having already having previously logged in from that client, then you may see a "send notification" button to go straight to the prompt on the auth app. The bots aren't clever enough to do that bit of extra legwork, only do the basic initial enter email/username and try to reset password.

Youa lso don't even need to use strong unique passwords, just 3 completely random words is typically more secure than a complex password, for example.

www.ncsc.gov.uk

The logic behind three random words

Whilst not a password panacea, using 'three random words' is still better than enforcing arbitrary complexity requirements.
www.ncsc.gov.uk www.ncsc.gov.uk

As far as I am concerned, entering a password is antiqued. Passkeys are the way forward whether through MFA app notifiers or biometrics or whatever else. The sooner that passwords are removed from most services the better. Google, MS and all the big players are or have already moved to passkey based authentication.
 
Last edited:
BananaDunka said:
No not quite that straight forward, you can try it right now just open an incognito window and try to log into your MS account, you enter the email address, then on the password box do nothing, click "other ways to sign in" - You can then choose the app verification method, text etc etc.

If the server detects your IP /sesison cookie etc as having already having previously logged in from that client, then you may see a "send notification" button to go straight to the prompt on the auth app. The bots aren't clever enough to do that bit of extra legwork, only do the basic initial enter email/username and try to reset password.
Click to expand...
AHH. That's makes sense!
 
superleeds27 said:
So what about all the random login attempts that happen on a daily basis (the ones we see under the account activity section), would that then trigger these alerts to log in on the Auth app? Or is the system cleverer than that?
Click to expand...
I think Bananarama is talking about Microsoft's 'Passwordless' setup which requires their Authenticator app and makes it a one-click type login.
But similar to those 2FA setups (after you've entered username and password) where your 2FA device (phone etc) alerts you that you/someone wants access and then displays a the Yes/No option, it's not trivial for an attacker to just simply spam the user with 2FA requests and unfortunately, most users get fed up and with eventually press 'Yes' just to stop the spam.

It why some platforms, like MS, also have 2FA setups where you're required to enter (into their Authenticator app) digits or a code that's displayed on the screen rather than just 'press yes/no'.

BananaDunka said:
Passkeys are the way forward whether through MFA app notifiers or biometrics or whatever else.
Click to expand...
Passkeys have their own issues and there's plenty of Reddit and blog posts (like, https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/) that demonstrate it.
 
Just checking out my Microsoft account making sure that I'm all secure as some of the things I've read on here put the wind up me, and people all around the globe are trying to hack my Hotmail account at least 14 times per day, everyday.

Should I be worried about this?
 
You must log in or register to reply here.
Back
Top Bottom