[SeanAnderson]

I got hacked late last year. It sucked. Do not recommend.

I'm not going to blog about it, but will at least share how I messed up. Maybe it'll help someone else.

I was phished through Discord. A CEO that I was friends with was phished prior to me and I let my guard down when someone I put on a pedestal reached out to me. The hacker asked me to review a video game prototype they'd been tinkering with in their spare time (the CEO worked in the video game industry) and they came to me because they knew I'd give them "honest feedback." The game's website looked legit enough with AI generated screenshots and boilerplate text.

They also messaged me right around dinner. I had like ten minutes of downtime when the message came in and I immediately shifted to, "Yeah I can bang this request out real quick for a person important to me before dinner arrives." rather than keeping my guard up.

Additionally, I have (or had) two Google accounts. My primary email address is much older and wasn't very business-professional. Over 15 years ago I created a secondary email, that was just my name at gmail, configured it to forward all emails to my first account, and then never logged in to that account again. Naturally, that meant that my primary account had 2FA, but my secondary account did not.

I signed up for Discord using my secondary Google account. So, when I got phished, the hacker assumed that was my primary account and compromised it first.

The way they compromised the account was very quick and efficient. They immediately set parental controls on the account, listed an email address they controlled as the parent, and then changed the accounts age to under 13. Those actions 100% lock an account because all account recovery options must be approved by the parent for children under 13.

Surprisingly, I did get a security notification saying that a suspicion session had been started on my primary email account even through 2FA. I (thankfully) managed to kick the hacker out before they were able to do the same to me. I'm not sure how they got access to the second account.

Laughably, the hacker tried to extort me for only $400 and, when they didn't get it, they pivoted to sending threatening texts then moved on to trying to phish others for quick cash.

Thankfully, I didn't lose much. I lost access to my Discord account and to my Google account, but all my Google data was replicated. I lost a full nights sleep resetting all my passwords everywhere. And I still feel a bit violated and think I always will.

It was really interesting being motivated to interface with the security processes of several hundred companies. Shout out to Kraken and Etsy for having the best security procedures.

Anyway. Just wanted to highlight a scenario which happened. I'm in engineering leadership. I've worked on a computer every day for over 20 years. I use KeePass to store my passwords and generally have fine security hygiene. I do my KnowBe4 training modules, lol.

[anonymous908213]

For a cautionary tale, I'm not seeing a mention of how you were actually compromised? You mentioned losing multiple accounts, but presumably didn't decide to sign up for their 'game' website while entering your gmail address and password plus Discord password. KeePass should rule out having used the same password for all three accounts. KeePass should also, in theory, not immediately give up all of your credentials to a random .exe running on your computer. If it did, it would be useful for people to know to avoid it.

[SeanAnderson]

Oh, hah, fair.

I downloaded and ran an executable from the website under the belief I was checking out a game prototype. My Chrome browser instance crashed the moment it ran. I re-opened Chrome, got an email about suspicious login, and immediately turned the computer off to triage on a clean machine. I knew I was hacked within moments of being hacked and was fully at my computer for it.

I'm assuming I lost access to the Google account through session hijacking / exfiltrating an active session token. That doesn't really make complete sense, though, because I wasn't logging in to that second Chrome account with any regularity. It also doesn't explain how they got access to my 2FA-enabled account. I had some thoughts there about how easy it is to click "Remember this PC" and weaken 2FA and maybe the malicious script made my machine a proxy for their actions to leverage my PC being remembered? I'm not sure how practical that theory is in practice.

[Ancapistani]

Hey, this one got me too!

The DM came from an old gaming friend of mine that actually was a developer. I’d known him for years and had playtested for him before - though it was years prior. Literally nothing about it seemed fishy.

As soon as the game “crashed on load” and Discord took its focus, I realized what had happened. I managed to change my Discord password, revoke all session tokens, and lock them out while they were buying things from the Discord store. Then I went through, changed my critical passwords, froze all the cards that are in my Bitwarden vault except one with a very low limit I kept alive as a canary, and started my post-mortem.

Turns out the malware did in fact attempt to exfil my Bitwarden vault. Thankfully, I have it configured to remain locked always and to require a security token to use, so they didn’t get anything unencrypted.

Between my initial response, analysis, dealing with changing passwords, and wiping my desktop out of an abundance of caution, I lost a total of about 12 hours. The attacker managed to buy about $60 of stuff on Discord before I shut them down there. Oh, and I got extortion messages from various accounts claiming to be them for months.

One thing that did surprise me was that while I was revoking access, they were trying to convince me they had all my credentials. They sent a screenshot logged in to my Autodesk account, of all things. That freaked me out, but I quickly realized that that particular email/password had been leaked and that the attacker was using it to try to convince me they had much more damaging information than they really did.

[n2h4]

what i noticed from you and a couple other similar stories in this thread is that a same email is used at multiple places. Have you looked into email aliases like simplelogin, anonaddy, or anything of that sort?

or at the very least, the basic username+alias@domain.tld? this let's you know at least which thing was compromised.

of course, I don't recommend doing the same for important services like you banking accounts, but for the vast majority, having an alias would be enough.

and compartmentalisation always helps (different emails/accounts for personal, govt, and work domains).

[SeanAnderson]

Honestly, I created the two-email setup at a different time in my life. After the hack, I decided it was easier and more desirable to just use one address. My works speak more for me than a firstname.lastname email now that I've gained some life experience.

I haven't considered looking into other email alias tools. The whole area wasn't something I had put much thought into after getting things the way I wanted a decade prior.

In email, I have used the "+" format in some situations where I'm curious if a third-party is going to leak my contact details. It's not something I use every day, but it is a useful tool, I agree.

The problem with getting a Google account hacked is that Google, by default, really wants to save your passwords for you. So, even though I keep passwords in KeePass, plenty of them ended up remembered inside Chrome, too. Once the hacker compromised the Google account I had to assume every website listed in my password manager needed to be rotated. Plus, I had to change every account that I registered using my "firstname.lastname" email - so I was basically already sold on needing to have to revisit every website I'd ever used.