Have been hacked - lost access to accounts etc

[jaybee]

Then you need to format your pc.

Ah the good old set fire to the house to get rid of the spider.

 

[Flor_Fina]

I had an email
From Spotify saying the password had been changed, but thought it was spam?

Tried to log in?

 

[BananaDunka]

Doesn't that mean they know your password then? If it's triggered the 2nd step?

No not always, with MS accounts that are correctly secured, if you have the MS Auth app on your phone then simply entering your email address into the logon box should trigger the prompt on your phone and you simply authorise via the app. This only works once you've set up the app and everything else. Alternatively someone trying to get in could attempt to use a backup method in which you'd get a prompt anyway like if you'd forgotten the password and requested a prompt.

Google accounts work the same way but via the native Android authentication built into Android.

 

[dlockers]

I had an email
From Spotify saying the password had been changed, but thought it was spam?

Can you not tell lol?

 

[philstanbridge]

Can you not tell lol?

Well usually yes, but recently I’ve been on the end of quite a few of these emails and they’re becoming more clever and harder to spot. It’s like the two messenger requests I got. They looked official but I didn’t think Facebook would contact me this way so I’ve blocked them. But I just don’t know anymore it’s becoming so abstract

 

[philstanbridge]

Do key loggers etc have to be physically installed? Another 3 £25 transactions were taken today using my business account. I’ve no idea how they are doing this.

All accounts frozen, all cards replaced. PayPal contacted (twice). Just need to get hold of Facebook

 

[superleeds27]

No not always, with MS accounts that are correctly secured, if you have the MS Auth app on your phone then simply entering your email address into the logon box should trigger the prompt on your phone and you simply authorise via the app. This only works once you've set up the app and everything else. Alternatively someone trying to get in could attempt to use a backup method in which you'd get a prompt anyway like if you'd forgotten the password and requested a prompt.

Google accounts work the same way but via the native Android authentication built into Android.

So what about all the random login attempts that happen on a daily basis (the ones we see under the account activity section), would that then trigger these alerts to log in on the Auth app? Or is the system cleverer than that?

Assuming it's not that clever, I guess the way round this is to setup an alias and use that as the primary email to login to the account with?

 

[BananaDunka]

So what about all the random login attempts that happen on a daily basis, would that then trigger these alerts to log in on the Auth app? Or is the system cleverer than that?

If you're seeing daily login attempts then that's just online bots polling accounts with details that have been included in various breaches on servers containing your details. Nothing you can do about that other than just ignore until the bots move on after failing x amount of times.

Once a month I get 3 back to back emails from facebook telling me what my password reset code is, obviously my FB is MFAd and the both system being used is attempting to reset my password but doesn't have access to my MFAd email account so it just goes into a loop until it's taken offline or blocked by FB (I use the "it wasn't me" link in the email). Just the world we are in now with automated bots trying to hijack accounts.

 

[Jack_green]

Do key loggers etc have to be physically installed? Another 3 £25 transactions were taken today using my business account. I’ve no idea how they are doing this.

All accounts frozen, all cards replaced. PayPal contacted (twice). Just need to get hold of Facebook

Use another pc to change all your passwords.
Then copy over your documents to a external drive.
Format hdd and restart router, so it will find a new IP.
.

 

[superleeds27]

If you're seeing daily login attempts then that's just online bots polling accounts with details that have been included in various breaches on servers containing your details. Nothing you can do about that other than just ignore until the bots move on after failing x amount of times.

Once a month I get 3 back to back emails from facebook telling me what my password reset code is, obviously my FB is MFAd and the both system being used is attempting to reset my password but doesn't have access to my MFAd email account so it just goes into a loop until it's taken offline or blocked by FB (I use the "it wasn't me" link in the email). Just the world we are in now with automated bots trying to hijack accounts.

Yeah that's my point really. If it's a case of entering an email address and pressing login and it alerts the user on the app, surely after a while it's going to get annoying rejecting bots etc.

Having a Hotmail email that's been with me for 20+ years and involved in god knows how many breaches, theres quite a few daily login attempts from bots etc

 

[HungryHippos]

Yeah that's my point really. If it's a case of entering an email address and pressing login and it alerts the user on the app, surely after a while it's going to get annoying rejecting bots etc.

Yeah has to be more to it than that, otherwise screw that for a laugh.

At least if I start getting random authenticator code prompts I know that my password is likely breached.

 

[dlockers]

I don't why I expected more of the man who has his full first/last name as his forum name to be more security aware tbh. Fool on me.

 

[superleeds27]

Yeah has to be more to it than that, otherwise screw that for a laugh.

At least if I start getting random authenticator code prompts I know that my password is likely breached.

Hang on, if you still enter your password and then it triggers the Auth app that's what I'd expect to happen with normal 2FA, then yeah, chances are password has been breached.

But just entering the email address and no password and it triggering an Auth notification would be super annoying - (mainly down to the bot thing!) - that sounds more like 'passwordless'

 

[HungryHippos]

Hang on, so you still enter your password and then it triggers the Auth app? That's what I'd expect to happen.

But just entering the email address and no password and it triggering an Auth notification would be super annoying - (mainly down to the bot thing!)

Not sure but old banana dunka seemed to suggest it just prompts you when you enter the email address.

Passwordless Authentication I think it's called? sounds balmy to me anyway.

 

[superleeds27]

Not sure but old banana dunka seemed to suggest it just prompts you when you enter the email address.

Passwordless Authentication I think it's called? sounds balmy to me anyway.

Having a quick Google and search in Reddit. Looks like the system is clever and doesn't seem to alert you about the bot attempts.

Anyway. Strong unique password and 2FA. That's all that matters!

 

[BananaDunka]

Hang on, if you still enter your password and then it triggers the Auth app that's what I'd expect to happen with normal 2FA, then yeah, chances are password has been breached.

But just entering the email address and no password and it triggering an Auth notification would be super annoying - (mainly down to the bot thing!) - that sounds more like 'passwordless'

No not quite that straight forward, you can try it right now just open an incognito window and try to log into your MS account, you enter the email address, then on the password box do nothing, click "other ways to sign in" - You can then choose the app verification method, text etc etc.

If the server detects your IP /sesison cookie etc as having already having previously logged in from that client, then you may see a "send notification" button to go straight to the prompt on the auth app. The bots aren't clever enough to do that bit of extra legwork, only do the basic initial enter email/username and try to reset password.

Youa lso don't even need to use strong unique passwords, just 3 completely random words is typically more secure than a complex password, for example.

The logic behind three random words

Whilst not a password panacea, using 'three random words' is still better than enforcing arbitrary complexity requirements.

www.ncsc.gov.uk

As far as I am concerned, entering a password is antiqued. Passkeys are the way forward whether through MFA app notifiers or biometrics or whatever else. The sooner that passwords are removed from most services the better. Google, MS and all the big players are or have already moved to passkey based authentication.

 

[superleeds27]

No not quite that straight forward, you can try it right now just open an incognito window and try to log into your MS account, you enter the email address, then on the password box do nothing, click "other ways to sign in" - You can then choose the app verification method, text etc etc.

If the server detects your IP /sesison cookie etc as having already having previously logged in from that client, then you may see a "send notification" button to go straight to the prompt on the auth app. The bots aren't clever enough to do that bit of extra legwork, only do the basic initial enter email/username and try to reset password.

AHH. That's makes sense!

 

[Chuk_Chuk]

Can you not tell lol?

TBF the guy is probably stressed out of his mind and has spent the past few days battling MS. He’s probably mentally exhausted from all of this.

 

[visibleman]

So what about all the random login attempts that happen on a daily basis (the ones we see under the account activity section), would that then trigger these alerts to log in on the Auth app? Or is the system cleverer than that?

I think Bananarama is talking about Microsoft's 'Passwordless' setup which requires their Authenticator app and makes it a one-click type login.
But similar to those 2FA setups (after you've entered username and password) where your 2FA device (phone etc) alerts you that you/someone wants access and then displays a the Yes/No option, it's not trivial for an attacker to just simply spam the user with 2FA requests and unfortunately, most users get fed up and with eventually press 'Yes' just to stop the spam.

It why some platforms, like MS, also have 2FA setups where you're required to enter (into their Authenticator app) digits or a code that's displayed on the screen rather than just 'press yes/no'.

Passkeys are the way forward whether through MFA app notifiers or biometrics or whatever else.

Passkeys have their own issues and there's plenty of Reddit and blog posts (like, https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/) that demonstrate it.

 

[sx_turbo]

Just checking out my Microsoft account making sure that I'm all secure as some of the things I've read on here put the wind up me, and people all around the globe are trying to hack my Hotmail account at least 14 times per day, everyday.

Should I be worried about this?