Hacker News new | ask | show | jobs
by davidscoville 271 days ago
I think the attacker had my password, and they just needed a recovery method, which was the code I read over the phone.

I have no idea how they had my password, I never share passwords or use the same password. But I hadn’t changed my Google password in a while.
3 comments
cpncrunch 270 days ago
No, if they had had the password they wouldn't have needed to do all of that. They could have just logged in, perhaps just needed the 2FA code. However, you say that you gave them both enhanced security codes (I'm guessing this was a gmail backup key), and you also gave them the 2FA SMS code. These are the only two things you need to take over any gmail account, and it doesn't require knowing the password. It's just purely social engineering.

The only question mark is the email from google. It sounds like it was a scam email, so it would be interesting to know whether/how it was spoofed.

link
ratorx 271 days ago
Gotcha, thanks for clarifying!

And did you have passwords using chrome password manager as well (which were also compromised by the Google account access, and this is how they got access to e.g. Coinbase?), or did they get passwords through some other means and just needed 2FA?

link
davidscoville 271 days ago
I did have saved passwords in Chrome password manager but they were old. My guess is that the attacker used Google SSO on Coinbase (e.g., "sign in with Google"), which I have used in the past. And then they opened up Google's Authenticator app, signed in as me, and got the auth code for Coinbase.

By enabling cloud-sync, Google has created a massive security vulnerability for the entire industry. A developer can't be certain that auth codes are a true 2nd factor, if the account email is @gmail.com for a given user because that user might be using Google's Authenticator app.

link
ratorx 271 days ago
Hmm, I see what you mean, although technically this is still a 2 factor compromise (Google account password + 2FA code). Just having one or the other wouldn’t have done anything. The bigger issue is the contagion from compromising a set of less related two factors (the email account, not the actual login).

Specifically, the most problematic is SSO + Google authenticator. Just @gmail + authenticator is not enough, you need to also store passwords in the Google account too and sync them.

Although, this is functionally the same as using a completely unrelated password manager and storing authenticator codes there (a fairly common feature) - a password manager compromise leads to a total compromise of everything.

link
blactuary 270 days ago
You used Google SSO for Coinbase?
link
lokar 270 days ago
Did you reuse that password on another site?

I don’t see how this happens if you use strong passwords without reuse.

link
nixosbestos 270 days ago
500+ comments in this thread and there's still no information as to what the hella actually happened.

I sleep fine at night, this is a Hallmark of these "omg I got owned and it could happen to you!" posts that never quite add up.

link