SIM swap horror story: I’ve lost decades of data and Google won’t lift a finger


At 11:30 pm on Monday, 10 June, my oldest daughter shook my shoulder to wake me up from a deep sleep. She said that it appeared my Twitter account had been hacked. It turns out that things were much worse than that.

I had some of this information, but the hacker changed everything in the list above except for one email address that was still controlled by me. I used this email to fill out the form for Google every day over the past week, adding in lots of other details about the situation, but have not yet been able to get Google to move forward with recovering my account.

A couple of days ago, a message appeared on my Pixel 3 XL that my Google Fi SIM card had been deactivated. I’ve been using Google Fi for a few years and lately have been enjoying a $200 service credit after buying my wife’s Google Pixel 3. There is actually a number for Google Fi representatives, but repeated calls to them reveal nothing can be done without access to my Gmail account. My longtime Google Fi number and service credit may now be gone forever.

Maybe I’ve been naive, but I had backed up a ton of personal information on Google Drive. This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home. Since I change computers, share data with others, and wanted backups in case my house burned down, I trusted cloud services to store my data. I have to admit I am a bit freaked out at the moment and may be moving this data to external hard drives and paper once again.

We pay for Google Drive, Google Fi, and Google Play Movies so I was hoping there would be some level of customer service for paying customers. There are no phone numbers available for customers who pay for services or those who only use free services. Google prides itself on collecting my information and using it to help with search results. Thus, it has all sorts of information on how I conduct my daily life, including tracking my every movement, tracking my business trips, seeing who I contact daily, and much more. You would think it would be smart enough to see when some stranger appears and completely changes my account information.

According to Gmail, my Google account has now been deleted so I’m no longer trying to just reset the password, but instead I am trying to recover my account. I have countless PR folks, friends, family, and others who are in my long Gmail history and am currently unable to access any of that information. I also have thousands of photos that may be lost forever if Google won’t work with me to get my account back.

If anyone has any information on how I can get Google to honestly verify my identification and recover my deleted account, I would greatly appreciate you leaving a comment below.

$25,000 for Bitcoin

Given that I had 2FA enabled for my bank account and the bank account info on Google Drive, it was just a matter of time before the thief started stealing my money. While my wife was concerned about my lost Twitter and Google account, it wasn’t until the criminal used my bank account to purchase $25,000 in Bitcoin that she went ballistic.

My bank initially took the money out of my accounts so we called and told them it was fraud. We were told the bank would investigate, but our accounts could be locked for up to 45 days. Thus, we immediately had everyone in the family run down to the ATM to get the maximum amount of cash out so that bills could be paid. We also had to call all of the new graduates we gave checks to for gifts to not cash them yet. It was an extremely stressful week and the adventure isn’t over yet.

After a couple of days, our bank reversed the $25,000 charge and told us that the fraud department caught the ACH withdrawal before it was fully processed so that neither my family nor the bank lost this money forever. My first instinct was to then change my bank account numbers, but then I realized that every person and company I wrote a check to over the past couple of decades has this same information so I am trusting the bank to protect my assets.

T-Mobile woes and success

My T-Mobile SIM was first stolen on Monday, 10 June, and then I was able to get the company to give it back to me that evening. I headed out on a business trip, actually the Garmin Fitness Retreat, in Whitefish, Montana, on Tuesday, 11 June. While I enjoyed dinner with the group on Tuesday evening after I arrived in Montana, I was stressed out the next morning as so much was unknown about my Google account. Thankfully, the kind Garmin representative was sympathetic to my plight and took me to the town so I could obtain a T-Mobile connection and try to lock down everything.

I arrived in the middle of Whitefish, but for some reason I still had no T-Mobile cellular service. I toggled airplane mode on and off, without success. This was also when I discovered that the hacker had shut off my Google Fi service so I had no ability to call T-Mobile to find out what was going on. I found a local Safeway store with free Wi-Fi and then contacted my wife via Facebook Messenger. Through all of these hacks, it was interesting to find that Facebook was the one reliable and secure service under my control.

While connected to my wife via Facebook Messenger, she contacted T-Mobile on my daughter’s cell phone while at home. T-Mobile then confirmed that it had once again taken away my SIM and given it to someone else. I became enraged while hearing this and told them that my same SIM was still in my iPhone XS and that I wanted T-Mobile to stop giving it away and leave it associated with the physical SIM in my phone. I was told that this request was not possible, but that notes could be added to my account. While I had a PIN associated with my SIM, I still do not know how the thief was able to get past this the first time. I changed this PIN on the call.

Thankfully, I have a good friend at T-Mobile who was very concerned with my plight and was able to get someone to contact me to indeed enable a requirement that my SIM could not be changed unless someone went into the store with at least one means of physical identification. Since that requirement was attached to my account, my T-Mobile service has remained under my control.

Lost services?

Unfortunately, my Google account was tied to a number of services, including Google Chrome, and I had saved hundreds of account passwords in Chrome that the criminal now had possession of. The first evening I immediately changed the email and password for all accounts related to financial data. Over the next several days I went through and changed every other account I could think of.

A handy tip that has served me well, related to my role as a mobile tech reviewer, was to start one of my review phones and leave it in airplane mode. I then went into Chrome on the phone to view all of the sites where I had accounts and passwords saved. The thief could potentially hijack all of these so I have been meticulously going through them over the past week.

Unfortunately, some services and websites will not allow me to change my password or email associated with the service without having access to my Gmail account that I used to sign up for these services. Thus, I currently have no access to services like Redbox and Movies Anywhere, in addition to Twitter and Google, obviously.

Recommendations for your security

In addition to contacting T-Mobile, Google (useless), and Twitter (useless), I took and recommend you take the following actions:

- File a police report with your local authorities
- Turn on a credit freeze and fraud alert with the three credit reporting bureaus
- Fill out a report with the Federal Trade Commission
- Make sure your financial institutions know of the possible identity theft
- Change the email and passwords for all accounts that may be connected with the stolen account
- Consider using an email and password for logging into accounts rather than simply relying on Facebook, Google, or Twitter as your global login for services. If one service gets stolen, you could bring everything down like I did.
- Consider using password manager software or letting your device, like an iPhone, help you create extremely long and complicated passwords. I’m exploring some of these tools now to increase the level of security on all of my accounts.
- Close out old accounts that you never use. Going through my saved Chrome data I found many accounts and services I no longer use, but they are still all subject to damage by the hacker.
- While two-factor authentication is a minimal standard, look for options beyond having a text message sent for verification. If you get your SIM stolen like I did, 2FA is worthless.

I’ve been considering changing my bank account number, social security number, and other accounts that are critical to living and working in the US. I am also freaked out about using cloud services so my strategy at the moment is to only use OneDrive for photo backup while writing my passwords down on paper and leaving everything else off the cloud.

If anyone has tips on how I might get my Google and Twitter accounts back, I would greatly appreciate the feedback. Also, if you have other tips for what to do before and after a security breach, I would love to hear more in the comments.
