That Time I Got Hacked: A Lesson in Heeding Password Change Warnings

This past weekend was a big one at my house for a couple of reasons. First and foremost, it was the Ottawa Race Weekend, which means that we had a house full of runners and walkers participating in the half marathon. Secondly, I got hacked.

Now I don't mean hacked in the Twitter spoofing I-was-an-idiot-and-clicked-a-dm-link not-really-hacked kind of way. I mean, account credentials stolen and credit card used to make a purchase kind of way.

Here's how it happened:

Last week when eBay told people to change their passwords, I immediately tried to log into my account but couldn't remember which email address I had used to register, let alone the password I'd used. So after a couple of tries, and my lunch hour being over, I made a note to check on it later and got back to work. Naturally, later never came. And then race weekend came and it was still not done.

As I was picking up my race kit Saturday afternoon, my phone received a huge influx of spam emails. All of them were welcoming "John" to his new subscription and every single one required clicking through a link to confirm the email address. I thought it was weird, so I checked the receiving address to see if they were BCC-ed, but realized that the "To" field was my actual email address. I thought back to the eBay warning and figured I would definitely log into my account when I returned home to change my profile information. I also refrained from clicking on a single link out of curiosity because I didn't want to accidentally download malware or somehow pass on any information to the spammer.

Then I got a PayPal transaction notification. That one I opened. It was a receipt for a USD$100 transaction for an Apple iTunes gift card, to be exact. My guess was that this was probably a trial transaction to see if my credit card was working, and if so, it could lead to bigger unauthorized transactions if I didn't take action.

That's when I got very busy, very quickly. Standing in the middle of the race expo, I went to the PayPal site and:
  • went through the forgot password steps for my primary email address
  • logged in
  • changed my password
  • added security questions
  • deleted my credit card from my account
  • found the transaction in my account history
  • submitted it to PayPal Claims and Disputes (using their very handy feature for this very purpose).
From the time the emails started to the time they stopped, 45 minutes elapsed. Luckily, I was able to react quickly. In fact, there were a number of factors working in my favour:
  • I had my phone on me and was paying attention to notifications
  • I happened to be in a location where I still had data connectivity
  • I caught the PayPal notification in the middle of the 119 spam emails I received in that half hour
If any of those factors had not been present, I might be out some serious cash.

[Aside: 119 spam emails. And I discovered over 150 more in my Spam folder after I got home. For a lovely total of over 270 spam emails.]

I called PayPal on Monday to confirm that the transaction was being reversed and they assured me that it would be done by the end of the week. Needless to say, since then hubby and I have taken measures to protect ourselves and our credit card information, including:
  • logging into every single site where I had a credit card number saved and deleting the card info
  • setting up a password manager (in this case, LastPass*)
  • changing the passwords on every single site and app I use to a 20-character-long varied password generated by the password manager
  • setting the password manager to log me out constantly so that if someone uses my computer they can't access my passwords
  • securing my phone with a longer password than before
All of this took me a couple of hours. Time well invested in my opinion.

The one area I feel most vulnerable is Google since that one account logs me into so many services. For that one, I have two-factor authentication set up and only approved devices can log in. LastPass also offers this option, which makes the system that much more secure.

This form of security isn't perfect but I'm much more secure than I was a week ago. No more re-used passwords, no more saved credit cards. If one site gets hacked and my email/password combo is compromised, it won't get the hackers anywhere on my other systems. And right now, that's about as good as it gets.

Have you been hacked? What steps have you taken to protect your accounts?

* Note: I'll be doing a more detailed post on LastPass in the coming weeks. Stay tuned.
