Yah I Got Hacked – Facebook & Hotmail – Don’t Save Passwords!

So almost a year ago I got hacked, hacked real bad in fact and I literally (almost) pooped my pants – it was scary watching your whole online life disappearing before your eyes. Ironic in a way as I spend my time securing other people’s sites and lives – but often forget about my own.

Seriously, getting hacked – in front of your own eyes in not fun or nice – it’s really very terrifying thinking you could lose all those memories/connections/messages/e-mails.

I’d been ‘meaning’ to transition to some kind of online password management system for a long time – but as usual never actually got around to it.

I Got Hacked

I was super lucky that I was actually online when it was happening, I was browsing something on Facebook then suddenly I got logged out and I couldn’t get back in – then the panic set in because when I tried to login..Facebook said there was no account with that e-mail!

Incorrect Email
The email you entered does not belong to any account.

You can login using any email, username or mobile phone number associated with your account. Make sure that it is typed correctly.

Luckily it prompted me and I tried to login with my mobile number (and luckily I HAD put my mobile number in against my internal privacy complaints) and the hacker couldn’t change it (because they probably didn’t want to put their mobile number and get it verified).

As you can see though the e-mail had already changed to something ending in the Albanian TLD .al – it was @fbi.al actually.

Facebook Password Reset

Another reason I was ok, is that my primary e-mail was @gmail.com which I kept very secure (I actually use the Google Authenticator app for that account so it was safe, even if the password was leaked).

And the smart thing is (Which I didn’t know) and I guess Facebook does for cases like this – it actually remembers your previous e-mail addresses – so it can test you on them and revert the account back to you.

But he was in my secondary e-mail @hotmail.com which was a recovery account for my Gmail account – so that was pretty scary.

My Gmail account was also a secondary for my @hotmail.com account though, so I managed to lock it up pretty quickly. It also now supports 2 factor authentication using the same Google Authenticator app – so I turned that on to secure the @hotmail.com account for good.

I managed to get the reset code via SMS though and eventually I managed to get back in – although after regaining access I was locked out of Facebook for 24 hours after answering a bunch of stuff.

Facebook lock-out Timer

Facebook actually has a lot of cool security features I didn’t know about, like the fact that during a dispute (this was pretty much a real time tussle between the hacker to lock me out, and me to lock the hacker out) it does stuff like show you pictures of your friends and asks you to identify them from a list of names.

Obviously if it wasn’t really your account the best you could do was guess – this was how I managed to get back in – by identifying my friends.

Another feature I discovered during this whole debacle, was that Facebook also has a trusted friends feature where you can add friends or family members that can verify your identity during a dispute over an account.

Facebook Trusted Contacts

After some research I figured out some time in 2011 my passwords had been snatched, sometimes we get complacent and save passwords in our browsers for convenience, what we forget is that the passwords are saved in plain text (that’s how the browser can retrieve them to fill in the web forms) and thus any nefarious little piece of software (security tool/keygen etc) can grab ALL our passwords from whatever browsers we use (Chrome/IE/Firefox) and other software too (I found passwords in the list from Filezilla too – FTP passwords to all my sites).

Another irony, in 2011 I wrote this –

How To Secure Yourself Online – Twitter, Facebook, Google (Gmail) & WordPress

Sometime early in 2012 they were posted in public on some kinda script kiddie hacking blog and so my blog, Shutter Asia and some other sites that I had saved in my browser had kept getting attacked and defaced.

I’m fortunate in two parts:

  • Firstly, nothing really serious happened, some annoying defacements and a lot of time was wasted trying to figure out how they got in
  • I’d stopped using FTP a long time ago for important sites and only use SSH access with keypairs (no password access at all)

So they couldn’t actually get any raw server access, only WordPress admin panel access – which can cause some mischief but nothing that couldn’t be repaired.

What did I do to stop it happening again? I signed up for Passpack and went onto every single site that I could remember (especially those in the ‘hacked’ list of which there were 57 – yes FIFTY SEVEN of my login/password combinations) and changed them to secure passwords and saved them in Passpack.

I also went into the browser saved password list, and trolled through ALL those sites and transfered them to Passpack too with secure passwords, I ended up with about 87 sets of passwords in Passpack all with unique strong (12-15 mixed upper/lower with special char) passwords.

There are other choices if you want – LastPass, 1Password, KeePassX on Dropbox etc – just PLEASE use at least one of them.

It’s actually really important to do this, not only for this scenario but if you use 2-3 combinations of passwords for everything, and one of the sites you use gets hacked and exposes your e-mail address password you’re pretty screwed.

But if you use a unique password for every site you use – you’re gonna be fine (especially if you turn on 2FA for all important accounts).

So yah, that’s my cautionary tale of being complacent online – I managed to keep my shit together because it’s what I do for a living (don’t panic and fix it!) but if it happens to you, you might not be so lucky.

So get your passwords in order and save yourself the stress of what I went through, or what I’ve seen of some friends who’ve completely lost control of their Facebook/e-mail accounts.

Subscribe

You can subscribe via e-mail to get my posts in your Inbox, or stalk me on numerous other platforms.

, , , , , , , , , , ,


7 Responses to Yah I Got Hacked – Facebook & Hotmail – Don’t Save Passwords!

  1. Ryan Hellyer May 6, 2014 at 7:15 pm #

    Not all browsers store your passwords in clear text. Firefox stores them on a keychain, and I believe Chrome may have upgraded to use a similar system recently (based on something I saw in the backend a few weeks ago).

    I doubt the use of SMS would bother the hacker. They can just use a phone/sim combo which isn’t linked to their name.

    • ShaolinTiger May 6, 2014 at 7:21 pm #

      Yah agreed, the passwords implementations are much better in 2014 than they were back in 2011 when mine got lifted. But I still reckon it’s better to use a dedicated password manager.

      And re SMS, yah for a dedicated/targeted attack – but this wasn’t that, this was opportunistic kiddies ‘having fun’.

      If I was attacked by people with a clue, I wouldn’t have stood much of a chance of keeping hold of anything.

  2. imantulen May 7, 2014 at 9:32 am #

    I use a freeware password manager to manage all my many, many accounts.
    Problems arises when I happened to change the password without updating the password manager. So, I instituted a sequence to my password formation to help me narrow down my passwords. For important accounts, I just use the password generator and I use up to 18 chars long.

    You recommend Passpack, which is online-based – how safe is it, as compared to password manager which can be saved offline, into usb drives ?

    • ShaolinTiger May 7, 2014 at 2:19 pm #

      Very safe, I audited all the major solutions as I need to use one at my company, basically with Passpack it’s decrypted via JavaScript in your browser and if you lose the packing key (the key used to carry out the encryption) not even Passpack themselves can retrieve your passwords.

      Plus the way the store/decrypt is distributed, so yah – very safe technology wise.

      Something like USB + KeePassX is pretty safe too, apart from when you need to use the USB in a non-secure location..

      Passpack you can generate one time use ‘Guest’ logins too, for when you travel and need to use it in insecure locations.

      http://help.passpack.com/knowledgebase/idx.php/47/101/article/What-is-a-Disposable-Login.html

  3. The Hecticity May 7, 2014 at 3:25 pm #

    You’re on the list.

  4. Lee Lee Allen May 7, 2014 at 6:48 pm #

    Thanks for the security tips! Will take caution because no body knows what SHEEZUS is but I do.

  5. Danesh June 5, 2014 at 10:50 am #

    lastpass works well for me compared to the other solutions. It’s worth the 1USD/month i have to pay.