Hacked for a Twitter account

fury

Administrator
Staff member
So, I was busy at work yesterday, and at about 7pm, I got emails that my passwords were changing on my Yahoo and Apple accounts. They were legit, as I could no longer log into those emails. My Amazon password got changed, too. I started freaking out and reset them all back, and called Amazon to disable the account until an investigation can be done, but the damage was already done by that point - as I would later find out, the attacker was doing it all just to get my Twitter account so he could delete it and sell the name "fury" for quick cash. He also happened to add an extra email account to my Apple ID as an alternate address, which I deleted. I had a conversation with him on AIM (he happened to conveniently put his aim name in his new profile before he sold the Twitter account), and he wanted $75 for it. I'll take my chances with Twitter support, maybe they'll give it back to me, but he seemed to think they'll turn a blind/suspicious eye to it, thinking I'm some scammer trying to claim I was hacked.

I've locked down my Yahoo and Gmail accounts with 2 step verification, but I can't do that with my Apple ID. I'm just astonished the stuff was hacked so fast.

Anyone been through anything like that before?
 

catocom

Well-Known Member
several years ago I had my yahoo acct. hacked, and they got my bank info on one of my accts.
They got 50 bucks before I caught it and had the acct. disabled.
I've had a really long and tough password on my yahoo now since then and no more trouble.
My bank has since changed hands too and has better security.
I still check my bank accts. several times a day anyway though, most of the time.
Yahoo too.
I use 'keepass' password manager because I now have longer tougher passwords, and
many sites to keep up with.
 

Gonz

molṑn labé
Staff member
My wife & kid get so annoyed when I create accounts for them. I don't use Cutepuppydog for my password, it's crap like Y%e9J1G7, shit you can never remember.
As for his idea that, in short, you're SOL, he's probably right. Twitter, FB, etc. don't seem to do much to help (from what I've heard)
 

Winky

Well-Known Member
that's old Gonz, setting the example
heh then they change it to their birthdays
 

fury

Administrator
Staff member
I changed all my passwords from "password" to "password123" :beerbang:

actually, I use LastPass to generate 8 character passwords, which I have now increased to 16 characters as I go around on every site changing all of my passwords. But 16 characters is probably not enough. I should pad it to 32 or something like that to make brute forcing impractical. Doesn't mean it has to all be 32 characters of randomness, it can be just a few, as long as the alphabet size is decent (i.e. at least one of each upper and lowercase, number, and symbol), then the rest of it can be padding. It's not like a brute force attacker is going to get a message saying "yes, the first 6 characters you guessed are correct" like on those hacker movies.

Then again, brute forcing is the least of my worries when the guy can just issue a couple of password reset requests and socially engineer Amazon into changing my password, and crack into my email to retrieve all of the password reset links he needs to take over my Internet.

Time to start keeping a better eye on those password emails. I got one "forgot your password?" email for my Yahoo account some days ago and thought nothing of it. Also got one for my Twitter account a couple hours before the blur of my other accounts changing before my eyes. It didn't occur to me at that time that someone was going to break in and use the link to get control of my account.
 
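The post above reasons about keyspace size, alphabet, and padding. The following is an added example (not code from the thread or from any of the posters) that puts numbers on that reasoning: it computes the brute-force keyspace for a password from two viewpoints, a blind attacker who knows only length and character classes, and an informed attacker who knows the padding scheme and therefore only has to guess the random core. The guessing rate, the `aB3!` core and the `.` padding are constructed assumptions for illustration.

```python
import math

# Assumed offline guessing rate against a fast hash (constructed figure, not a measurement).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of standard character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of guesses needed to exhaust this length and alphabet."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def pad_password(random_part: str, pad: str, total_len: int) -> str:
    """The scheme from the post: a short random core filled out with padding."""
    if len(random_part) > total_len:
        raise ValueError("random part longer than target length")
    return random_part + (pad * total_len)[: total_len - len(random_part)]


def blind_attacker_bits(password: str) -> float:
    """Attacker knows only the length and which character classes are in use."""
    return keyspace_bits(password)


def informed_attacker_bits(random_part: str) -> float:
    """Attacker knows the padding pattern, so only the random core is unknown."""
    return keyspace_bits(random_part)


if __name__ == "__main__":
    core = "aB3!"  # constructed 4-character random core covering all four classes
    for total in (8, 16, 32):
        pw = pad_password(core, ".", total)
        blind = blind_attacker_bits(pw)
        informed = informed_attacker_bits(core)
        print(f"{total:2d} chars: blind attacker {blind:6.1f} bits "
              f"(~{years_to_exhaust(blind):.3g} years), "
              f"informed attacker {informed:5.1f} bits "
              f"(~{years_to_exhaust(informed):.3g} years)")
```

The two columns show the caveat a practitioner would want: padding raises the keyspace only against an attacker who does not know the scheme. Once the padding pattern is known (leaked from another site, or guessed because it is common), the search collapses to the random core, so the length of the genuinely random part is what sets the floor.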

Gonz

molṑn labé
Staff member
I got one "forgot your password?" email for my Yahoo account some days ago and thought nothing of it

That would have awakened me, since I don't change them, or ask for them to be sent, unless I'm trying to currently access (whatever it is). But, sometimes,
shit happens & we don't see it until there's brown crap in our eye
 

fury

Administrator
Staff member
That would have awakened me, since I don't change them, or ask for them to be sent, unless I'm trying to currently access (whatever it is). But, sometimes,
shit happens & we don't see it until there's brown crap in our eye
I got used to seeing password reset emails for things, because people obviously think they're the only fury in the world that could have possibly signed up at [insert random site name here]. I just didn't think they'd actually get into my email account and use the password reset email. From now on, I'm deleting on sight, and locking down with 2 step authentication everything that I can. Yahoo, Google, PayPal are set up with it now, my bank was already. Twitter will be, too, if I get that back. LastPass has a 2 step authentication method too, I'm gonna look into that.

Can't see any way to do it with Amazon or Apple, though, which kind of sucks.
 
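Two posts in this thread make the same observation: the first sign of the takeover was a lone "forgot your password?" email days earlier, followed by reset and "password changed" notices from several services within a couple of hours. The script below is an added example (not from the thread or any poster) of turning that observation into a check you can run over a mailbox export: it classifies messages as account-security notices by subject and then flags clusters where notices from two or more distinct services arrive close together, which is the pattern of a chained reset across accounts. The sample inbox, the `.example` sender domains, the subject patterns and the three-hour gap are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Subject lines that indicate someone is driving an account-recovery or account-change flow.
NOTICE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"forgot your password",
    r"reset your password",
    r"password reset",
    r"password (?:was|has been) changed",
    r"new e-?mail address\b.*\b(?:added|associated)",
    r"(?:security|verification) code",
)]


class Notice(NamedTuple):
    ts: datetime
    service: str
    subject: str


def is_account_security_notice(subject: str) -> bool:
    return any(p.search(subject) for p in NOTICE_PATTERNS)


def service_of(sender: str) -> str:
    """Registrable-domain heuristic (last two labels); constructed for this example."""
    domain = sender.rsplit("@", 1)[-1].lower().strip(">")
    return ".".join(domain.split(".")[-2:])


def account_security_notices(messages) -> List[Notice]:
    """messages: iterable of (received datetime, From address, Subject)."""
    return sorted(Notice(ts, service_of(frm), subj) for ts, frm, subj in messages
                  if is_account_security_notice(subj))


def suspicious_clusters(messages, gap=timedelta(hours=3), min_services=2):
    """Group notices whose neighbours arrive within `gap` of each other, and report
    groups touching at least `min_services` distinct services."""
    clusters, current = [], []
    for n in account_security_notices(messages):
        if current and n.ts - current[-1].ts > gap:
            clusters.append(current)
            current = []
        current.append(n)
    if current:
        clusters.append(current)
    report = []
    for c in clusters:
        services = sorted({n.service for n in c})
        if len(services) >= min_services:
            report.append({"start": c[0].ts, "end": c[-1].ts,
                           "services": services, "count": len(c)})
    return report


# Constructed sample mailbox modelled on the sequence described in the thread.
SAMPLE_INBOX = [
    (datetime(2013, 5, 10, 9, 12), "no-reply@mail.yahoo.example", "Forgot your password?"),
    (datetime(2013, 5, 11, 14, 0), "newsletter@shop.example", "Weekend deals"),
    (datetime(2013, 5, 14, 17, 5), "noreply@twitter.example", "Reset your password"),
    (datetime(2013, 5, 14, 19, 2), "no-reply@mail.yahoo.example", "Your password was changed"),
    (datetime(2013, 5, 14, 19, 6), "appleid@id.apple.example", "Your Apple ID password has been changed"),
    (datetime(2013, 5, 14, 19, 11), "appleid@id.apple.example",
     "A new email address has been added to your Apple ID"),
    (datetime(2013, 5, 14, 19, 20), "account-update@amazon.example", "Your password has been changed"),
]

if __name__ == "__main__":
    for n in account_security_notices(SAMPLE_INBOX):
        print(f"{n.ts:%Y-%m-%d %H:%M}  {n.service:18s}  {n.subject}")
    for c in suspicious_clusters(SAMPLE_INBOX):
        print(f"ALERT: {c['count']} notices across {len(c['services'])} services "
              f"between {c['start']:%H:%M} and {c['end']:%H:%M}: {', '.join(c['services'])}")
```

The lone Yahoo reset request days earlier is still listed as a notice, but on its own it does not meet the multi-service threshold; the evening burst across Twitter, Yahoo, Apple and Amazon does. An unexpected reset request for a single account is worth acting on anyway (it means someone has at least the username), but the cluster is the signal that the email account itself has already been used to pivot.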

fury

Administrator
Staff member
I got my name back at last. No warning, it just switched up on me all of a sudden. Strangely enough, first thing this morning was an email from Twitter support saying "this guy who's fury right now looks legit, I'm afraid we can't change your username back". I was absolutely gutted, and then an hour and a half later, it was like, I'm back. I wish I knew who exactly to thank, the Twitter support guy wasn't sure.
 

fury

Administrator
Staff member
Fuckers are always trying something new to sneak in. I turned off guest posting in town hall, that should help
 

Gonz

molṑn labé
Staff member
We've had that turned on for years...why the sudden surge? I've trashed over a dozen this weekend
 

fury

Administrator
Staff member
The problem is they either cracked reCAPTCHA, or have people getting paid a couple cents for every post they make (so a captcha doesn't even make a difference).

I could throw them a curveball by modifying the registration page a bit with a human verification question, but there'd still be some that get through.

The good news is XenForo 1.2 has tight integration with StopForumSpam and that should prevent most of it. It's supposed to come out later this year.
 

catocom

Well-Known Member
I know cleaning, and stopping spam is an everyday job for me, and I've got
things at a barely usable level now. (balancing usability and security)
 

Professur

Well-Known Member
Now, go and do what you should have done to start with. Create a heavily locked down set of accounts with your real info for online business stuff .. and never ever use it for anything else. If they can't find it, they can't hack it. Use an alias (you're already good there) for everything else, but keep anything that's personal/private off the radar.
 

catocom

Well-Known Member
heavily locked down twitter? , or facebook?
I don't think it's actually possible.
Just 'feel good' locking down.
 

Gonz

molṑn labé
Staff member
Facebook can still be somewhat safe. Friends Only. Don't allow every single person who asks to be your friend. Most importantly, don't
put every single facet of your life there. I have children of friends whose life I could destroy, just by their open FB info.
 