Archive | July 2021

The Great Hack of 2021

For years I’ve heard stories of how others were hacked, but never thought it would happen to me. I’d been careful with online information and hadn’t put my credit card number out on more than a handful of sites—bank, grocery click lists, etc.—only sites that I used pretty frequently. BUT I made a classic mistake that we’re all warned about. I had one old faithful password that I used on lots of sites. I did NOT use this password on any site that had money attached like the ones I listed above. I felt pretty secure that if someone got access to my info, it wouldn’t be much of a problem. That is why I’m writing this blog. I want to warn others of things hackers do that I had no idea could or would be done.

It all started when I was eating lunch with my daughter and granddaughters. I received a text from my credit card asking if I’d made a rather large purchase on-line through Sam’s Club. I had not and they immediately shut down the card and removed the $800 charge that had been made on my card. While irritating, it didn’t upset me overly since that was the only charge made and they removed it. I didn’t realize that wasn’t the end of the nightmare.

Within an hour, I received notices from eBay, Walmart, and PayPal that someone was trying to access my account information. Again, I wasn’t too concerned since I had already cancelled my credit card, but I went to those sites and changed the passwords to be safe. What I didn’t do was look into my account information. It never dawned on me that someone could or would alter information there. Why would they when there was no way they could access any money now that the card was cancelled?

A week later, I noticed I wasn’t receiving emails from my boyfriend. He often sent links to interesting articles and we couldn’t figure out why they weren’t going through. That’s when I uncovered the really scary stuff. When checking through my emails, I found that his were being sent to my trash folder along with many others that shouldn’t have been there. When I went to the “filters” in my email settings (this is where you can set things to automatically go to the trash), someone had set them so anything from my bank, PayPal, credit cards I had in the past, etc. would go automatically to trash so I wouldn’t see them. If my bank sent me a warning, it would go automatically to trash so I would be unaware that something was amiss. The hackers had set 45 filters! When I looked in my account information for my email, there was another email address added that wasn’t mine!

By this time, I had already connected the odd activity to that old password and I went to each site and changed the passwords. It wasn’t until I went to my on-line clicklist account with Walmart that I found the hackers had actually changed the phone number on file (mine) to theirs, so if Walmart sent a security text, it would go to their phone for approval!

After finding the information in my accounts had been altered, I returned to the filters in my email. I figured those were a clue of where they were or had attacked. In the list, I found a filter set for any email that had the word “zelle.” Not knowing what that was, I googled and discovered it’s a site for transferring money between banks! Luckily, the hackers weren’t able to figure out my password for my bank so no money had been stolen, but I contacted my bank anyway and alerted them I had been hacked. At that point, the hack seemed to have been shut down before I lost any money, but knowing my personal data was accessed in this manner was extremely upsetting and violating.

Two months later, it all happened again. This time I was alerted by my credit card company again that an unusual purchase had been made with my card. I declined the purchase and my card was quickly shut down before any purchase went through. At least that time, I knew where to start searching for the leak and found my email had been hacked again. I’m still trying to figure out how they’ve been able to get my email password twice, since I’ve changed it to something only used for my email. One thing I discovered the second time was that they had used the “I can’t remember my password” option and had a verification sent to an email account. I don’t know what that account is/was since the verification wasn’t sent to mine. I’ve changed my verification to now go to my phone instead. Hopefully, that will stop this.

I wanted to share what I learned so maybe others can avoid this experience.

Lessons learned:

  1. Hackers don’t just steal information; they also alter your accounts to hide the fact they’re accessing your data. Check your account information for your bank, credit cards, and email periodically to see if someone is altering your verification information. See if there’s an alternate email address or phone number you did not add. Check any site where you keep a credit card on file, like shopping sites (Amazon, Walmart, Sam’s, eBay, etc.).
  2. Once they have access to your email password, they can add filters so you aren’t aware they’ve diverted warnings from your other accounts. Check the filters and delete them. Surprisingly, they didn’t change my email password the first time. I suspect this was so I wouldn’t realize something was wrong and they could continue their hacking without my knowledge. The second time they had to change my email pw by using the “Forgot my password” option because they weren’t able to guess my new password. Your email account should have a link where you can go to see what happens if you’re hacked. Yahoo had a list of things to check. It was helpful.
  3. If they can get into your email, they can see what emails you receive (your bank, shopping accounts, etc.) so they know where to target their attacks. They can also send a mass mailing to all the people in your contact list in an attempt to send a malicious link. They attempted that with my second hack, but luckily, Yahoo flagged something unusual and didn’t send the emails.
  4. Use something other than your email for your user name on accounts if possible. If they have your user name, that’s the first step to accessing your account. All they have to do after that is to guess passwords or use a bot to break your pw.
  5. Use a different password for every account so if they figure out one, they don’t have them all. Make it something weird…a sentence from a book, or phone numbers of friends, old movie stars, or sports figures/teams etc. Don’t use variations of the same basic password. Don’t just add numbers or exclamation points to the same word. Don’t use your kids’ or dogs’ names or the street where you grew up. That information is easily accessible on the web. A tech advisor told me to make the PW at least 16 characters long. An 8 character PW only takes 5 minutes to crack. Sixteen characters takes over a year.
  6. Set up a schedule (every 6 months or so) to check the account information for your email, banking, and shopping sites where you have a credit card on file.
  7. Make sure you’ve set up two step verification for your credit cards, banks, etc. This is usually your phone or email address the site can use to notify you if someone is attempting to access your account. This one thing is what alerted me to the hack into my data. I would suggest using your phone number as your verification. If the hackers have access to your email and the verification goes to that, they can approve a purchase before you even realize a notification has been sent.
  8. If you suddenly get notifications from several sites that someone is attempting to log into your account, you’ve been hacked on a deeper level than just one site. You need to act ASAP. They’re going across all your data to find a hole. They attack multiple sites and do it very quickly, hoping to hit paydirt before you even realize you’ve been hacked. In both of my hacks, the total time of attack was just a few hours. Luckily, I realized I was being targeted and shut down the cards before much damage was done. HOWEVER, they still tried again a couple of months after my first attack because evidently, my info has been sold. I no longer have the option of taking my internet security for granted. The hackers still have my basic information and I can’t change that. Now I have to constantly watch for future attacks.

Biggest mistakes I’ve made:

  1. Not setting up 2 step verification using my phone for the verification. I never dreamed someone would secretly hack my email so they could intercept those notifications without my knowledge.
  2. Using my email addy as user names for most of my accounts. It was an easy way to set up an account and years ago, it was fairly secure. Not anymore.
  3. Not realizing hackers can alter your account information without you realizing it. If you don’t check your information periodically, you’d have no idea it was altered, unless you have 2 step verification set up. They typically don’t change your password because they don’t want you to realize they’re using your account.
  4. Thinking the only accounts that really mattered were my bank accounts. Make sure you check accounts like: Walmart, Amazon, eBay, Banking, email, Facebook…etc. Be especially careful with those that have a credit card on file.
  5. Underestimating the depth of the attacks. I always assumed they just went for your credit card number and if I was careful with that, I was secure. This was not just credit card # theft. This was an across-the-board attempt to infiltrate all of my on-line accounts.

Unfortunately, the techniques the hackers use are constantly changing. According to the person I talked to at the credit card company, the only way they can protect our information is to try to stay one step ahead of the hackers. I was surprised to learn that many companies don’t even report a hack unless it affects millions of dollars or accounts. So the chances that your information has also been hacked are pretty high. Don’t wait until you’re hacked. Go right now to all of your important accounts and set up two step verification. It’s your best defense for now.

*New tips given to me by tech advisors: Since my email has been hacked twice, I was advised to delete that account and start a new one. I’ve also now added Malwarebytes to my security and was told to lengthen my passwords to at least 16 letters/characters long.