Got hacked via email address reset method

[nightHawk12]

1. My instagram account was hacked. Email address changed and an app based 2fa was enabled. The account is now deactivated which they most probably will activate later. I cannot reset the password as instagram sends an email otp for the procedure but I dont get the otp no matter how many different email id give.
2. 1 Hour later I got to know from email and 3 hours later ubisoft account password changed followed by email address. When I received the email I tried to change the password but it was too late.
3. After this I changed my email address because both the accounts had same email address. Unlinked recovery email address and removed logged in devices. Since then no issues yet but I am worried. Worried about what else they have access to?
4. Ran a malwarebytes scan and got arround 9 trojans in system32 directory and 5 in downloads folder which I quarantined. I am on windows 11. This is the first time any of my account got hacked and I could not believe my eyes.
5. I suspect the following:

• I use a password manager which is synced across my pc and android. Both my account details was there only. But if the hacker had access to the password manager why would he reset my password? Yes for permanetn access but that leads my doubts towards my email account.
• My email account seems to be compromised becaust both attacks were done using my email address reset method but how they got access to it? Then why such trivial accounts(my insta is empty af because I use it only to watch and share reels with friends) ,why not bank accounts?
• Any sort of malware/keylogger/rootkit in my system. But I think it might have played a role in giving access to email indirectly.

What needs to be changed and what precautions needs to be taken for the future? That instagram account was not much important but I would like it to delete it myself than relying on the hacker.

 

[Tracer_Bullet]

My email account seems to be compromised becaust both attacks were done using my email address reset method but how they got access to it? Then why such trivial accounts(my insta is empty af because I use it only to watch and share reels with friends) ,why not bank accounts?

If your pc is hacked and you are logged in within browser, then virus can read browser cookies and get access.

 

[nightHawk12]

If your pc is hacked and you are logged in within browser, then virus can read browser cookies and get access.

clearing all browser cookeies history and data should fix this?

 

[lockhrt999]

I can't say how exactly the hack happened.

If you have a virus on your machine, they can steal passwords from chrome (or other browsers). Passwords are saved in plain format in Chrome. All programs running on your machine have access to your browser saved passwords. It's by design. You may have saved email credentials before you started using your password manager.

Or the virus could have stolen the session cookies. It's better than the password.

How to know? Well, log into your email and see if it has a new login (apart from your current login). For Gmail, you can check it here > https://myaccount.google.com/security (if you are using multiple Gmail, make sure the correct hacked Gmail is selected from the top-right corner)

If you see new login, that means they stole your password. If you don't see that, it's more likely your session cookie got stolen. Anyway, you should sign out from all devices before doing anything more.
----
Coming to your second question, why Instagram got hacked, of all things. It's simple, Instagram log-in page doesn't incorporate top of the line security. That's by design. Instagrammers aren't supposed tech-smart. No matter what you do, Instagram doesn't block or asks twice, it doesn't suspect.

People sometimes go crazy on their Instagram and FB accounts with passwords and F2A etc. And then they forget everything the next day. So meta has developed a system where you ask its customer care, they see you on video call, match to your saved photos and then unlock everything for you.

Anyway, tell us what password manager you are using. How is it usually unlocked [meaning you insert a pin code or password every time open a browser]?

clearing all browser cookeies history and data should fix this?

No. Your email provider, for that matter, doesn't know those cookies have been discarded by their original owner. Cookies stolen or deleted are still valid.

How to fix this? Login in into every account. Then for every account, go to their security and click 'Sign out from all devices'. Doing that will invalidate all the cookies from all the devices.

In any case, you shouldn't use the infected machine before formatting everything.

 

[nightHawk12]

Anyway, tell us what password manager you are using. How is it usually unlocked [meaning you insert a pin code or password every time open a browser]?

its keepass, i need to open it using a passocde and then the windows passcode if on pc or if its android then fingerprint. Whether I open browser or not I can access it.

 

[ronnie_gogs]

Which email was it ?
Was 2FA enabled ?
Do you use passkeys ?
Did you have any antivirus enabled other than windows defender?
Was windows 11 fully updated ?

 

[rsaeon]

What needs to be changed and what precautions needs to be taken for the future?

I don't use Windows on a daily basis but I am most of my extended family's tech support (20+ machines) in different countries. What's worked for me is to set up a Administrator account but never log-in to it. This'll allow you to have every user account as a non-admin user while still retaining the ability to install new programs by entering that Administrator's password.

Not a single breach or hack or virus in the last 8 years I've been doing this. I even do this to my own personal Windows machines I have around at home. This practice offends some people, those who think they absolutely must be a Administrator but that's probably because they have undiagnosed personality issues.

The most common hacks these days are session hijacking attacks, which is pretty easy for malware to do once it's in your system. That's likely what's happened here and why it didn't go after your password manager, just the accounts you were logged into. Keyloggers are usually reserved for targeted attacks like soured friendships/relationships or corporate espionage.

An uncle's dell had persistent malware that embedded itself in the bios, that was not fun. Ended up needing to replace the BIOS chip because the area where the malware was hiding wasn't being erased during a reflash.

If this account was an Administrator account, then you'd need to wipe the drive clean and reinstall Windows at the very least.

How to fix this? Login in into every account. Then for every account, go to their security and click 'Sign out from all devices'. Doing that will invalidate all the cookies from all the devices.

SImple and straight forward. Also, do this periodically even if you're not hacked, I do this about once a month.

Malwarebytes used to be great, hopefully it still is.

 

[dvader]

Man at his point instead of running Malwarebytes, just Nuke the OS. Get any non-executable data out, it's too much risk at this point.

@rsaeon is on point regarding the admin account. This is a basic practice used in enterprise deployment. Even the admins avoid (and are asked to) the local Administrator unless it's a P1 event.