
My PayPal hacked!

60 posts in this topic

So it's a good thing I checked my email first thing this morning before heading out on a day trip.  Much to my surprise, I saw two separate emails from PayPal sent to me at a little after 4 AM my time -- sent in French. ???  Since I haven't taken French since college, I couldn't read them, but it threw off enough immediate red flags for me to try and log into my account, only to find that my password didn't work anymore.

An hour later, after spending time trying to reset my password with someone from customer service (which was an interesting time, since the emails he was sending me to do so were also coming in French, and my entire account had been switched over to the French language), I was finally able to change passwords and access my account -- only to see a $1000 transfer pending from one of my bank accounts to my PayPal balance. :whatthe:  Thankfully, PayPal has the transaction flagged as fraud, and a trip to my bank has a hold on that account being accessed by PayPal, so it looks like I'm in the clear and no further headaches ahead (though I'll be keeping a close eye the next few days for anything else fishy).

This is just a heads-up to everyone, since we all use PayPal for our transactions, that theft is always a danger when we transact online, and it's easy to feel complacent. I'm continuously monitoring my accounts online, and if I didn't do so, there would have been the chance this would have gone undetected.  It's a world filled with some pretty shady people -- as many safeguards as I have on anything I do online, today was a reminder for me that there are people always trying to do harm if they're given the chance. :S


34 minutes ago, Bomber-Bob said:

Wow, scary stuff. Glad you caught this in time. When the thief changed your password and the language, did you get an E-Mail alert? Any clue as to how this may have happened?

As someone in Information Technology, most hacks come from a phishing attack where you click on a link loaded with malware. Where there is no two step authentication there are bad actors using brute force attacks on accounts, and if you have an easy password it does not take long to crack. When a four digit pin is used it is easily cracked. There are only 10000 possible combinations, and fewer when people use multiple of the same digit like 1153. Hackers use these first in their attacks because they are commonly used. Be safe out there in digital land.


29 minutes ago, WoWitHurts said:

As someone in Information Technology, most hacks come from a phishing attack where you click on a link loaded with malware. Where there is no two step authentication there are bad actors using brute force attacks on accounts, and if you have an easy password it does not take long to crack. When a four digit pin is used it is easily cracked. There are only 10000 possible combinations, and fewer when people use multiple of the same digit like 1153. Hackers use these first in their attacks because they are commonly used. Be safe out there in digital land.

You're best off creating a different password for each and every site you log into. Don't use the REMEMBER ME feature. If the site logs you out, log in again each time, user name and password.

Create passwords that will not easily be guessed or realized by random password generators. Avoid passwords like Scotty1357 and ILoveComics123, instead opting for ones that seem to make no traditional grammatical sense, like X4b1rM7nQa6. You get the idea. Make them long and write them down as you compose them. Remember, letters are better than numbers. More choices, 26 versus 10, and 52 versus 10 when you use caps and lower case letters. Nobody will ever guess your password using this formula, and if they do the impossible and guess it for one site, it won't be the same on another.


2 hours ago, Bomber-Bob said:

Wow, scary stuff. Glad you caught this in time. When the thief changed your password and the language, did you get an E-Mail alert? Any clue as to how this may have happened?

I did get a notification -- it was completely in French, so I didn't know exactly what it was, since I don't know how to read the language anymore. lol  I didn't click on anything in the email, but I tried to log in to PP at that point, and my password wasn't working, so I knew something was up.  So far as to how it happened -- I have no idea.  I'm incredibly careful when it comes to my online security -- I never use the "remember me" functions (as someone mentioned), never click on any links in emails, use different passwords on different sites, etc.  I also have malware/antivirus protection on my laptop and a scan that runs daily, and nothing has shown up, so I'm not sure how I ended up getting nailed.

1 hour ago, WoWitHurts said:

As someone in Information Technology, most hacks come from a phishing attack where you click on a link loaded with malware. Where there is no two step authentication there are bad actors using brute force attacks on accounts, and if you have an easy password it does not take long to crack. When a four digit pin is used it is easily cracked. There are only 10000 possible combinations, and fewer when people use multiple of the same digit like 1153. Hackers use these first in their attacks because they are commonly used. Be safe out there in digital land.

A two-step authentication is something I wasn't aware PayPal had until I talked with their representative on the phone today.  It can be set up in the security section of the site, and it essentially requires you to enter an authorization code after your password to log in every time you do so.  The code is sent via text only to the verified phone number on the account, changes every time, and expires after five minutes.  Essentially, you can't log into PayPal without both the correct password and the code, and you won't have the latter unless you have the physical phone in your possession, so it seems like a good safeguard against this type of thing happening to me again.  The rep I talked to said he hadn't heard of anyone having any issues with their account being compromised who had both steps required in place. 

Edited by ChiSoxFan
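
The login flow described in the post above (correct password first, then a fresh texted code that is single-use and dies after five minutes) is easy to get subtly wrong server-side. Here is a small worked model of it in Python, added as an illustration for this thread; it is not PayPal's code and does not claim to match their implementation. Assumptions not stated on the page: the code is 6 digits, passwords are stored as salted PBKDF2 hashes, and a wrong code burns the outstanding code so that each texted code allows exactly one guess.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60   # the thread says the texted code expires after five minutes
CODE_DIGITS = 6             # assumption: the page does not state the code length


class SecondStepAuth:
    """Password + one-time code login, modelled on the flow described in the thread.

    Constructed demo: in-memory stores stand in for a user database and an SMS gateway.
    """

    def __init__(self):
        self._pw_hashes = {}   # user -> (salt, pbkdf2 hash)
        self._codes = {}       # user -> (code, issued_at); one outstanding code per user

    @staticmethod
    def _hash(password, salt):
        # Assumption: PBKDF2-HMAC-SHA256; any slow, salted password hash would do.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw_hashes[user] = (salt, self._hash(password, salt))

    def check_password(self, user, password):
        rec = self._pw_hashes.get(user)
        if rec is None:
            return False
        salt, stored = rec
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(stored, self._hash(password, salt))

    def issue_code(self, user, now=None):
        """Generate a fresh code for the verified phone. Returns what would be texted.

        A new code replaces any older outstanding one, so only the latest text is valid.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._codes[user] = (code, time.time() if now is None else now)
        return code

    def login(self, user, password, code, now=None):
        """True only if BOTH the password and a live, unused code are correct."""
        now = time.time() if now is None else now
        # First factor: a wrong password stops here and does not touch the code,
        # so the response does not reveal whether a code is outstanding.
        if not self.check_password(user, password):
            return False
        # Second factor: the code is removed on any attempt, success or failure,
        # which makes it single-use and caps guessing at one try per texted code.
        issued = self._codes.pop(user, None)
        if issued is None:
            return False
        expected, issued_at = issued
        if now - issued_at > CODE_TTL_SECONDS:
            return False   # expired: the user must request a new text
        return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    auth = SecondStepAuth()
    auth.register("randall", "correct horse battery staple")
    texted = auth.issue_code("randall")
    print("login with password + code:", auth.login("randall", "correct horse battery staple", texted))
    print("replaying the same code:   ", auth.login("randall", "correct horse battery staple", texted))
```

The `now` parameter exists only so expiry can be exercised deterministically; in production it is the server clock, and the code would be delivered by the SMS gateway rather than returned to the caller.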

I'm glad you were able to recover your PP account and change the password.  So scary that this can happen to anybody and not just through paypal but through bank accounts, emails, etc.   I continually get an email from "Paypal" in my junk mail daily saying that I need to change my password and create a new one or that I was hacked and need to click on the link in that junk email, etc etc.  I know for a fact not to do it and to just continue to trash those fraudulent emails.  

Don't ever click on the link from a fraudulent PP email to see what is going on; instead just go to the actual website and sign in.


2 hours ago, James J Johnson said:

You're best off creating a different password for each and every site you log into. Don't use the REMEMBER ME feature. If the site logs you out, log in again each time, user name and password.

Create passwords that will not easily be guessed or realized by random password generators. Avoid passwords like Scotty1357 and ILoveComics123, instead opting for ones that seem to make no traditional grammatical sense, like X4b1rM7nQa6. You get the idea. Make them long and write them down as you compose them. Remember, letters are better than numbers. More choices, 26 versus 10, and 52 versus 10 when you use caps and lower case letters. Nobody will ever guess your password using this formula, and if they do the impossible and guess it for one site, it won't be the same on another.

A potentially better method -- as well as easier to use/remember while still being very secure -- is using four (or more) random words along with some numbers and special characters. Mix up the capitalization a little to help with case sensitivity as well.

article

I used to believe that those random ones were more secure as well, but the thinking behind it makes sense and is less of a pain to try to remember in the first place. I mean -- who wants to remember Kff3twF9367G5lk# 2)ds30sljs instead of DonkeykickSmyballs45times! or IntruderalertLet'sgetBeserk83$ (just made those up, but you can see how you would be able to remember something along those lines much easier). Word of caution -- don't make it something you would be embarrassed to have to tell someone else to enter.

Plus those phrases can be pretty fun and might lead you to make specific ones for specific websites. And if you forget -- you can always reset.

Edited by 01TheDude

Oh yeah -- one more thing. For dumb websites that you use quite often but have zero financial or social implications, using a very basic password is not a terrible thing. I have used a similar one for these types of websites for decades. There is no reason for someone to hack your account. None. So why put too much thought into the password in those cases? I mean -- if someone really wants to hack my account on TV.com or some website I use to find coupons -- be my guest. I sign up to those websites using an anonymous name anyway.

For social media sites like Facebook or twitter-- I would strongly recommend NOT using your actual name if you intend on posting anything even remotely defining. I have one that has my real name and base information that is used to connect to all friends. I have another account used for me to express myself that only a small portion of my close friends are associated with. Been trying to get my brother -- who works in the government -- to go to this model for a long time but he doesn't. He came close to getting fired (and was for a short period) by a politician who didn't like what he was posting.

One last bit to consider -- pictures. Once you post them on any site, they are no longer your property (even with watermarks/copyright etc) on places like Facebook. That might sound paranoid, but even FB will occasionally just grab someone's pictures and use them in someone's ad.

Anyway-- just my two cents.


Randall, sorry to hear you had to go through this, but at least you nipped it quickly and thanks for sharing your tale with the community. Really great info from others here, I've got so many passwords on so many sites it drives me nuts, but I'm going to sit down this weekend and do a thorough reconsideration of my security strategy thanks to the info here. Also, @01TheDude, those password suggestions :roflmao:...nearly sprayed my morning coffee across my laptop. Pretty sure at least one of my password revisions is going to involve getting humbled by donkeys.


8 hours ago, WoWitHurts said:

As someone in Information Technology, most hacks come from a phishing attack where you click on a link loaded with malware. Where there is no two step authentication there are bad actors using brute force attacks on accounts, and if you have an easy password it does not take long to crack. When a four digit pin is used it is easily cracked. There are only 10000 possible combinations, and fewer when people use multiple of the same digit like 1153. Hackers use these first in their attacks because they are commonly used. Be safe out there in digital land.

Two-step authentication for the win.  Enable it, use it.  Let's be careful out there.

Edited by namisgr

7 minutes ago, namisgr said:

Two-step authentication for the win.  Enable it, use it.  Let's be careful out there.

This. Over a year ago, I had my account cleaned out by someone in Spain. It was a complete coincidence that I happened to log in that day and noticed it. PayPal half didn't want to believe me, and I told them to compare the IP log activity for the time period when the hack occurred, and only then did PayPal realize it was compromised. The two-step authentication is a must, but I would also make sure you have the email address linked to your PP account set to send emails to a mobile device, to monitor any activity, as PayPal ordinarily sends notifications when any activity occurs with your account. You will need a mobile device anyway for the two-step authentication, as it sends a code to you by text.


48 minutes ago, namisgr said:

Two-step authentication for the win.  Enable it, use it.  Let's be careful out there.

Actually did not know about this. Thanks fellas! 

(for anyone else that does not know about this, it's in the settings menu, then security, then "security key")



I was hacked about two years ago now.  I'll give the short version.

For some reason, I had the app on my phone open and as I am literally about to go out the door for work, I get a notification on my phone. I was thinking oh joy, something sold on eBay and has been paid for. I looked and...NOPE!

It was showing I sent a payment to some weird "company". And then another. And then another.  Different "companies" and different dollar amounts.  As soon as I got to work, I got the bank to put a hold/stop on anything coming from PayPal.  I called PayPal right away to report that my account was hacked and that payments were going out to places that I was not making.  I can't remember the exact sequence of events but after they could no longer make payments to these "companies" they started to try to issue refunds to eBay buyers via PayPal! 

I guess it was a case of "if we can't have your money, someone else can!"

Long story short, PayPal was very good to deal with, the theft was stopped and I was refunded everything.  They did say though it was lucky that I noticed  the theft was occurring "in real time" as it made putting a stop to it and recovering funds easier. 



I had my PayPal account hacked many, many years ago. They actually hacked my email, as I had a weak password at the time. Then they got my Paypal info from my email account, and set up a filter on the email to block all notifications from Paypal so I wouldn't be notified of their activity. They didn't change any of my passwords, so I was able to still use everything as usual without any idea something had happened.

In my case, Paypal actually caught the fraud themselves and called me about it. 

Here's the kicker - the hackers actually added $6,000 to my account! Apparently they were trying to launder money through Paypal. Since at that time I rarely used Paypal, and only for like $20 ebay purchases, Paypal noticed the abnormally large transaction and caught it. 

I got off pretty lucky, but that was weird!


I got a message purportedly from Paypal that said someone in Canada was attempting to access my account, and I should change my password.  My password is fairly complex so I was a little miffed.  I didn't click on anything in the email, and just logged in directly to Paypal and changed my password.  I really have no idea whether the original email was legit or not.

These captchas are getting out of hand


10 hours ago, 01TheDude said:

One last bit to consider -- pictures. Once you post them on any site, they are no longer your property (even with watermarks/copyright etc) on places like Facebook. That might sound paranoid, but even FB will occasionally just grab someone's pictures and use them in someone's ad.

That's not true, but many sites do have something in their terms that says you grant them a license to use any images you upload to their service.
