Is someone about to steal all my money and if so how?
I’ve woken up this morning to about 1,200 emails (and climbing) asking me to confirm my email for sign-up to mailing lists.
Scrolling to the bottom, the last “normal” message was an unknown person joining my Spotify family; I’ve removed them.
A couple of days ago I got logged out of my Apple ID on the phone and got a request to change my password, which I did and thought no more of.
No one seems to have stolen my money yet but presumably this is the goal, so now what?
A Google search says it’s a “classic DOS attack” to flood my email so I don’t spot a confirmation email from a purchase etc. that I haven’t made.
Cheers for any help on what I should do next. Yes, I will be changing all my passwords, I guess.
I guess it depends what system you're using. Gmail is good at filtering junk emails but if you're on a computer, something like Thunderbird can set filtering rules (for example dump everything with the phrase "confirm email" into a separate folder - there should be bits of text that help filter them out and likewise to keep an eye out for purchases).
If you've used the same email and password combo several times, you need to change them ASAP.
There are websites that will tell you if your details have been compromised. Most obvious one being: https://haveibeenpwned.com/
Good luck
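An added example of the filtering idea above (this is not code from anyone in the thread): instead of trusting a single "confirm email" rule, it checks subjects against an ordered rule list so that account-takeover signals (password resets, new sign-ins, orders, receipts, family-plan invites) are sorted into a WATCH folder before the noisy sign-up rule gets a look, and everything else stays in the inbox. The messages and addresses are constructed for the demo; the rule words are assumptions you would tune to your own mail.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Rules are checked in order and the first hit wins. The WATCH rules come
# first on purpose: "Your order #4821 has been confirmed" must land in WATCH,
# not be swallowed by the "confirm your ..." sign-up pattern below it.
RULES = [
    ("WATCH", re.compile(
        r"\b(password|reset|sign-?in|new device|2fa|security code|one-time|otp)\b", re.I)),
    ("WATCH", re.compile(
        r"\b(order|purchase|receipt|invoice|payment|refund|shipped)\b", re.I)),
    ("WATCH", re.compile(
        r"\b(family|added to your plan|invite|invitation)\b", re.I)),
    ("SIGNUP_NOISE", re.compile(
        r"confirm your (email|subscription|address)|verify your email|welcome to|newsletter|double opt-?in", re.I)),
]


def classify(msg: Message) -> str:
    """Return the folder name for one parsed message, based on its Subject."""
    subject = msg.get("Subject", "")
    for folder, pattern in RULES:
        if pattern.search(subject):
            return folder
    return "INBOX"


def triage(raw_messages):
    """Sort raw RFC 822 messages into folders; returns {folder: [(sender, subject), ...]}."""
    folders = {"WATCH": [], "SIGNUP_NOISE": [], "INBOX": []}
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1]
        folders[classify(msg)].append((sender, msg.get("Subject", "")))
    return folders


# Constructed sample mailbox: three sign-up floods, three things worth reading,
# one ordinary message. Domains are made up (.test is reserved for examples).
SAMPLE_MESSAGES = [
    "From: Example Shop <newsletter@example-shop.test>\nSubject: Please confirm your subscription\n\nClick to confirm.\n",
    "From: no-reply@example-blog.test\nSubject: Verify your email address\n\nVerify here.\n",
    "From: hello@example-forum.test\nSubject: Welcome to Example Forum - confirm your email\n\nThanks for joining.\n",
    "From: orders@example-store.test\nSubject: Your order #4821 has been confirmed\n\nTotal: 249.00\n",
    "From: security@example-id.test\nSubject: Your password was reset\n\nIf this wasn't you, act now.\n",
    "From: premium-family@example-music.test\nSubject: A new member joined your family plan\n\nManage members.\n",
    "From: friend@example.test\nSubject: Ride on Sunday?\n\nUsual spot at 9?\n",
]

if __name__ == "__main__":
    for folder, items in triage(SAMPLE_MESSAGES).items():
        print(folder)
        for sender, subject in items:
            print(f"  {sender:35} {subject}")
```

Thunderbird and Gmail filters can express the same thing as two rules in the same order (a "move to Watch" rule above a "move to Noise" rule); the point is the ordering, not the language.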
My Spotify account was hacked a couple of years ago as well as my Netflix account. I'm on a Yahoo email account. Was a PITA as they effectively had to cancel and close my accounts and set up fresh ones which for Spotify meant I lost all my playlists. I had to alert both Spotify and Netflix but they both responded quickly as soon as I called them.
A couple of days ago I got logged out of my Apple ID on the phone and got a request to change my password, which I did and thought no more of.
Are you completely confident that the Apple email was genuine?
If concerned phone up and cancel all your cards that you've used online.
Be really careful.
My "attack" started with them trying my mobile network (that failed - 2 factor auth), but they did manage to get my wife's (so they got PAC code and transferred her number off - there was no way to get it back then!!).
They were quite brazen (and successful), the security on some organisations was quite shocking! (eg they phoned my bank and provided VERY loose details, and managed to get past security!!!)
I had the same with the Spotify family then the ddos emails last week. Basically they used my email to request access to a ton of websites.
Been and changed the passwords I can remember and booted the Spotify addition.
Are you using a password manager so you have a unique password for every login? That is the #1 priority if not. Then turn on 2FA for every account that has it.
this... if any doubt I would (manually - i.e. not by following any links) change my password again (and set up 2FA if not done so already)
Are you completely confident that the Apple email was genuine?
Not currently on password manager.
Any suggestions as to the best one?
Don't know Spotify other than it streams music, but surely a Spotify Family has more controls over who is in it? Can people just add themselves to Spotify Families? That doesn't sound right. If not, then how did they get added? Are they a known person (that would be considered part of the Family in Spotify)? If so, have they been compromised as well?
@grahamt1980 the one built into your iPhone is the best and really easy to use BUT not sure if/how it would work on non-Apple devices e.g. Windows PC so if that's any issue someone else will have to advise!
The real question is ....how do we know that the real phil5556 started this thread?
Not currently on password manager.
Any suggestions as to the best one?
I use LastPass, but thinking of migrating everything into Chrome just so it works a bit smoother. LastPass sometimes misses sites so then you have to open it up, log in, manually search for whatever it is, open the password and copy and paste. For the other 95% it just gives you a little icon to click on and prompts you for a master password once in a blue moon.
2FA is obviously best, but can be a PITA if you live in a reception blackspot.
Can people just add themselves to Spotify Families?
I always thought only the main account holder was able to send family membership invites. I can't see how someone could just add themselves.
That was what threw me too. Discussion that Spotify have a nice little security hole, but they are denying it.
The pac code and number swap is particularly concerning. How on Earth did that happen?
If you’ve used the same email and password combo several times, you need to change them ASAP.
There are websites that will tell you if your details have been compromised. Most obvious one being: https://haveibeenpwned.com/
Thanks, I've checked and apparently my address has been twice. One Adobe and can't remember the other.
Yes I am guilty of using the same password. I have 3 different ones that I use in rotation on different things, I know this is bad!
My Spotify account was hacked a couple of years ago as well as my Netflix account. I’m on a Yahoo email account. Was a PITA as they effectively had to cancel and close my accounts and set up fresh ones which for Spotify meant I lost all my playlists. I had to alert both Spotify and Netflix but they both responded quickly as soon as I called them.
I'm on online chat with Spotify now. He is "securing my account" - although I have no idea what that actually means.
Are you completely confident that the Apple email was genuine?
Yes as it wasn't an email, it was a notification on my phone.
Are you using a password manager so you have a unique password for every login? That is the #1 priority if not. Then turn on 2FA for every account that has it.
No. But I will do. Any good recommendations that work across Windows (with Chrome browser) and Apple devices?
My “attack” started with them trying my mobile network (that failed – 2 factor auth), but they did manage to get my wife’s (so they got PAC code and transferred her number off – there was no way to get it back then!!).
That is a bit scary! 2FA on my Three account? No idea?!
That was what threw me too. Discussion that Spotify have a nice little security hole, but they are denying it.
I just asked and he said "as much as I'd like to tell you there's no way of knowing"
The real question is ….how do we know that the real phil5556 started this thread?
😂
2FA is obviously best, but can be a PITA if you live in a reception blackspot.
Use Google Authenticator if you have the option - don't need reception to get the 2FA code from the app
Well if nothing else I got 2 free months out of Spotify.
Is that just bad luck that both you and your wife were targeted, or some other common link?
The PAC thing is really concerning, as I said, since 2FA is meant to give security!
Use Google Authenticator if you have the option – don’t need reception to get the 2FA code from the app
This is good advice, but be aware if you don't copy some emergency keys for every site or device you access via an authenticator app, if you lose or wipe the device with the app there is no way to recover the keys. Some sites are pretty good at managing this, others just say tough and you have to create a new login...
I use 1Password and it seems fine. Integrates pretty nicely with iOS and has useful browser extensions and stuff.
Plenty exist though (LastPass, Bitwarden, KeePass as some other examples). It’s also a handy place to keep spare codes in case you lose your 2FA app!
Yes as it wasn’t an email, it was a notification on my phone.
A pop up?
A pop up?
Yes. A proper iPhone system one, not from a browser etc. It seemed very legit. I hope.
No. But I will do. Any good recommendations that work across Windows (with Chrome browser) and Apple devices?
LastPass works well for our whole family. We have a shared folder for the general ones we need to share (e.g. utilities logins) and personal ones for the rest. Works well
PAC code - they got info from the credit card company, said the 2 phone contracts that were being paid - they attempted to compromise both - plus.net and Vodafone. Vodafone has 2FA - so they failed (I received the spurious login attempt), plus.net did/do not have 2FA - so they successfully got the PAC code.
Considering most "hacks" are quite basic, I was surprised how many steps this involved.
Yes as it wasn’t an email, it was a notification on my phone.
I had one yesterday for PayPal - obvious phishing attempt to get my password...
The pac code and number swap is particularly concerning. How on Earth did that happen?
Very easy apparently as Mobile operators are quite lax about security. If someone is specifically targeting you, they don't need much info to convince the MNO that they are you and you want to move network.
2FA is obviously best, but can be a PITA if you live in a reception blackspot.
*Proper* 2FA doesn't need reception, because the codes can be generated offline. My phone has the Google Authenticator app which generates codes for my work, Google, Microsoft, GitLab, GitHub, and my web host. This sending-you-a-SMS thing is nonsense.