Help - I got hacked !

[Mint8]

I am hoping some of you can help with this.

I got some Steam and Playstation gift cards for Xmas and added these via my PC on Boxing day.

A couple of days later I discovered that both my steam and playstation accounts were accessed somehow and the funds used on ftp transactions etc. I have now got the steam account recovered but cant contact playstation until they are back at work tomorrow.
As a precaution I have stopped both credit cards that were attached to the accounts - although these havent been used.

What I cant get my head around is how "they" got hold of my email and passwords for these sites. I have not been given my details away, been on any dodgy sites or had any suspect emails etc but obviously its happened somehow - neither did i get the auto emails saying someone has asked for a change of email etc.

I have Norton running on my PC and that is coming back as clean - I also added AVG today and that also cant find anything. Also tried Nortons power eraser and again - nothing.

Obviously I am worried that I am at risk of further issues as I dont know how it was done in the first place. Basically sat here worrying myself stupid and afraid to sign into anything financial etc.

Any ideas ?

 

[Finners]

Did you use the same password for both steam and playstation? Did you have steamguard set up?

If using the same password across sites it might be that that the breach may have happened on a 3rd party site and they just tried it on steam etc.

 

[BubbySoup]

A password manager and randomly generated strong passwords along with MFA should keep your accounts safe in the future.

 

[TheVoice]

Have I Been Pwned: Check if your email has been compromised in a data breach

Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.

haveibeenpwned.com

This will tell you if your email address(es) have been released in a data breach along with any passwords. It sounds like you didn't have Multi-Factor Authentication enabled either, you really should have this turned on whenever it's available. I'd suggest changing passwords and enabling MFA for your email accounts too.

 

[throwaway4372]

the vulnerability is the human (you) using the same credentials on multiple services, when one of them gets compromised it's trivial for an attacker to try the same credentials to access other services.

you need to use different passwords for each service, and ideally different usernames and email addresses too. use a password manager to manage it all. one free example: https://bitwarden.com/

now this has happened to you, set up 2fa on important accounts, change your passwords on everything, starting with your email.

 

[Kautya]

It could mean that your credentials may have been in a data breach on some other site that you may have used. Check on the suggestion by @TheVoice where you can find out if any of your email addresses have been in a breach recently. Firefox also has a monitoring service that uses the same database that "have I been pwned" created to notify you of any data breaches that your email addresses in use may have been a part of. Chrome has a similar service. But as everyone above has said, enable multi factor authentication on all your accounts if any of them dont have it. That would mostly stop such unauthorized access.

 

[opethdisciple]

It could be from a password dump.

In other words hackers purchase (or get for free) dumps of user names and passwords that have been involved in previous breaches.

 

[Noxia]

Unfortunately a lot of people only think about 2fa after the incident, this is one of many. It happened to me too, took about 2 weeks to get my PSN account back. My PayPal was linked to it and they spent about £700 before I saw all the emails on my phone.

 

[OspreyO]

the vulnerability is the human (you) using the same credentials on multiple services, when one of them gets compromised it's trivial for an attacker to try the same credentials to access other services.

you need to use different passwords for each service, and ideally different usernames and email addresses too. use a password manager to manage it all. one free example: https://bitwarden.com/

now this has happened to you, set up 2fa on important accounts, change your passwords on everything, starting with your email.

I'm curious if you have 200 hundred logins how do you manage 200 email accounts which themselves now create another 200 passwords.

Personally I have a different passwords for most things. But I have a disposable dummy email account for things that are unimportant and I can walk away from that account if it got compromised.

 

[OspreyO]

New Years a good time to spring clean your PC with a fresh install if Windows.

 

[Doughnut007]

I'm curious if you have 200 hundred logins how do you manage 200 email accounts which themselves now create another 200 passwords.

Personally I have a different passwords for most things. But I have a disposable dummy email account for things that are unimportant and I can walk away from that account if it got compromised.

You do not need 200 email accounts to have 200 emails address. Most email providers will allow you to append the username section of the email to create unique emails.

For example with Gmail you can append a + and anything after is ignored by Gmail.

[email protected]
[email protected]

A decent password manager will manage this for you and create the email and password.

I like bitwarden.

 

[OspreyO]

Then it's not a different email. It's the same email..

A hacker/spammer will just try every variation including trimming it.

It's trivial to cross match and correct/extract user details across datasets.

Sony have been hacked multiple times most recently a few months back. I would suggest anyone using Sony would be wise to change their login details on a schedule. Obviously MFA etc.

 

[Mint8]

Thanks for the replies - yes I know I should have been using steam guard etc however i WAS using a different email address and different passwords for both the sites - that is why I cant work out how they did it. (separate Virgin media emails) I also didnt receive an email warning me of an email change on either the steam or playstation account.

I added the cards to the two sites within a few minutes of each other on Boxing day - nothing else seems (so far) to have been compromised - so I cant work out what went wrong or if it could still be an issue.

They have now tried to make a purchase on the Playstation account but luckily I cancelled my credit card this morning so it was declined.

Having virus checked my PC I am assuming there is nothing suspect going on now - but who knows ?!?

 

[throwaway4372]

I'm curious if you have 200 hundred logins how do you manage 200 email accounts which themselves now create another 200 passwords.

I have my own domain, so I can make whatever addresses I want and have them deliver to wherever I want. Pretty good for knowing who got compromised and blocking compromised addresses.
Another way is the gmail + thing already mentioned.
Another way is "masked email" (via the password manager), e.g. https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/

 

[Mint8]

How can they get access to two separate accounts that use different emails and passwords on the same day - just after I added funds to them ??

Thats what I dont understand and yes - its driving me crazy.

 

[throwaway4372]

Sounds like the accounts were previously compromised and you weren't aware of it. It only being exploited once there was credit to steal.

You say the passwords were different to each other, but not that they were unique. If they were re-used anywhere and that site gets compromised, e.g. if it doesn't defend against brute forcing and your passwords are weak, then you're pwnd.

Try googling your email addresses and passwords, or using https://haveibeenpwned.com/

Another way would be if you stored your credentials somewhere insecure and that was compromised.

As for viruses, it seems less likely to me, but it doesn't really matter whether it could be that or not, if you've lost confidence in your security then it's worth a clean Windows install just to get confidence back.

It could also be someone you know IRL, kids sometimes do this sort of stuff.

 

[Coolasmoo]

Keepass is a great free alternative

 

[Semple]

I'm curious if you have 200 hundred logins how do you manage 200 email accounts which themselves now create another 200 passwords.

Personally I have a different passwords for most things. But I have a disposable dummy email account for things that are unimportant and I can walk away from that account if it got compromised.

For that you'll want to use a service that acts as an email alias, something like simplelogin. You create an alias which you use to sign up for whatever, and it then forwards emails onto your main email account. That way if a third-party provider has their data stolen, they'll have a useless email alias which can be scrapped, and a unique password which is of no use elsewhere.

 

[OspreyO]

How can they get access to two separate accounts that use different emails and passwords on the same day - just after I added funds to them ??

Thats what I dont understand and yes - its driving me crazy.

Either your machine is compromised and/or those accounts details are in some hacker database/file somewhere.

 

[OspreyO]

For that you'll want to use a service that acts as an email alias, something like simplelogin. You create an alias which you use to sign up for whatever, and it then forwards emails onto your main email account. That way if a third-party provider has their data stolen, they'll have a useless email alias which can be scrapped, and a unique password which is of no use elsewhere.

That's just a dummy/alias email. You can do the same with forwarding Gmail account.