Got hacked via email address reset method

nightHawk12

1. My Instagram account was hacked. The email address was changed and an app-based 2FA was enabled. The account is now deactivated, which they will most probably activate later. I cannot reset the password, as Instagram sends an email OTP for the procedure, but I don't get the OTP no matter how many different email IDs I give.
2. One hour later I got to know from an email, and 3 hours later my Ubisoft account password was changed, followed by the email address. When I received the email I tried to change the password, but it was too late.
3. After this I changed my email address because both the accounts had the same email address. I unlinked the recovery email address and removed logged-in devices. Since then no issues yet, but I am worried. Worried about what else they have access to.
4. Ran a Malwarebytes scan and got around 9 trojans in the system32 directory and 5 in the Downloads folder, which I quarantined. I am on Windows 11. This is the first time any of my accounts got hacked and I could not believe my eyes.
5. I suspect the following:
  • I use a password manager which is synced across my PC and Android. Both my account details were there only. But if the hacker had access to the password manager, why would he reset my password? Yes, for permanent access, but that leads my doubts towards my email account.
  • My email account seems to be compromised because both attacks were done using my email address reset method, but how did they get access to it? Then why such trivial accounts (my Insta is empty af because I use it only to watch and share reels with friends), why not bank accounts?
  • Any sort of malware/keylogger/rootkit in my system. But I think it might have played a role in giving access to email indirectly.

What needs to be changed and what precautions need to be taken for the future? That Instagram account was not very important, but I would like to delete it myself rather than relying on the hacker.
 
My email account seems to be compromised because both attacks were done using my email address reset method, but how did they get access to it? Then why such trivial accounts (my Insta is empty af because I use it only to watch and share reels with friends), why not bank accounts?
If your PC is hacked and you are logged in within the browser, then the virus can read browser cookies and get access.
 
I can't say how exactly the hack happened.

If you have a virus on your machine, they can steal passwords from chrome (or other browsers). Passwords are saved in plain format in Chrome. All programs running on your machine have access to your browser saved passwords. It's by design. You may have saved email credentials before you started using your password manager.

Or the virus could have stolen the session cookies. It's better than the password.

How to know? Well, log into your email and see if it has a new login (apart from your current login). For Gmail, you can check it here > https://myaccount.google.com/security (if you are using multiple Gmail accounts, make sure the correct hacked Gmail is selected from the top-right corner).

If you see a new login, that means they stole your password. If you don't see that, it's more likely your session cookie got stolen. Anyway, you should sign out from all devices before doing anything more.
----
Coming to your second question, why Instagram got hacked, of all things. It's simple: the Instagram log-in page doesn't incorporate top-of-the-line security. That's by design. Instagrammers aren't supposed to be tech-smart. No matter what you do, Instagram doesn't block or ask twice; it doesn't suspect.

People sometimes go crazy on their Instagram and FB accounts with passwords and 2FA etc. And then they forget everything the next day. So Meta has developed a system where you ask its customer care, they see you on a video call, match you to your saved photos and then unlock everything for you.

Anyway, tell us what password manager you are using. How is it usually unlocked [meaning do you insert a PIN code or password every time you open a browser]?
Clearing all browser cookies, history and data should fix this?
No. Your email provider, for that matter, doesn't know those cookies have been discarded by their original owner. Cookies stolen or deleted are still valid.

How to fix this? Log in to every account. Then for every account, go to their security settings and click 'Sign out from all devices'. Doing that will invalidate all the cookies from all the devices.

In any case, you shouldn't use the infected machine before formatting everything.
 
Anyway, tell us what password manager you are using. How is it usually unlocked [meaning do you insert a PIN code or password every time you open a browser]?
It's KeePass. I need to open it using a passcode and then the Windows passcode if on PC, or if it's Android then a fingerprint. Whether I open a browser or not, I can access it.
 
Which email was it?
Was 2FA enabled?
Do you use passkeys?
Did you have any antivirus enabled other than Windows Defender?
Was Windows 11 fully updated?
 
What needs to be changed and what precautions need to be taken for the future?

I don't use Windows on a daily basis, but I am most of my extended family's tech support (20+ machines) in different countries. What's worked for me is to set up an Administrator account but never log in to it. This'll allow you to have every user account as a non-admin user while still retaining the ability to install new programs by entering that Administrator's password.

Not a single breach or hack or virus in the last 8 years I've been doing this. I even do this to my own personal Windows machines I have around at home. This practice offends some people, those who think they absolutely must be an Administrator, but that's probably because they have undiagnosed personality issues.

The most common hacks these days are session hijacking attacks, which are pretty easy for malware to do once it's in your system. That's likely what's happened here and why it didn't go after your password manager, just the accounts you were logged into. Keyloggers are usually reserved for targeted attacks like soured friendships/relationships or corporate espionage.

An uncle's Dell had persistent malware that embedded itself in the BIOS; that was not fun. Ended up needing to replace the BIOS chip because the area where the malware was hiding wasn't being erased during a reflash.

If this account was an Administrator account, then you'd need to wipe the drive clean and reinstall Windows at the very least.

How to fix this? Log in to every account. Then for every account, go to their security settings and click 'Sign out from all devices'. Doing that will invalidate all the cookies from all the devices.

Simple and straightforward. Also, do this periodically even if you're not hacked; I do this about once a month.

Malwarebytes used to be great, hopefully it still is.
 
Man, at this point instead of running Malwarebytes, just nuke the OS. Get any non-executable data out; it's too much risk at this point.

@rsaeon is on point regarding the admin account. This is a basic practice used in enterprise deployment. Even the admins avoid (and are asked to avoid) the local Administrator unless it's a P1 event.
 
Update:
Seems like the hacker is on a hacking spree, because after that incident my Reddit, which was linked to a 3rd email ID, was hacked. Next, my Discord, which had 2FA enabled, both app- and SMS-based, was hacked. I have changed the password after each hack. But how did he get into my Discord, which had 2FA enabled, even if he has the password?

I didn't nuke my Windows OS or my Android phone, thinking once I change email passwords he will leave me alone; turns out that's not the case. I still can't figure out exactly where my backdoor is.
 
Update:
Seems like the hacker is on a hacking spree, because after that incident my Reddit, which was linked to a 3rd email ID, was hacked. Next, my Discord, which had 2FA enabled, both app- and SMS-based, was hacked. I have changed the password after each hack. But how did he get into my Discord, which had 2FA enabled, even if he has the password?

I didn't nuke my Windows OS or my Android phone, thinking once I change email passwords he will leave me alone; turns out that's not the case. I still can't figure out exactly where my backdoor is.
Which 2FA app is it? If you can log in to the 2FA app using email or SMS, then probably those are compromised as well.
 
Seems like the hacker is on a hacking spree, because after that incident my Reddit, which was linked to a 3rd email ID, was hacked. Next, my Discord, which had 2FA enabled, both app- and SMS-based, was hacked. I have changed the password after each hack. But how did he get into my Discord, which had 2FA enabled, even if he has the password?
2FA or not, it doesn't matter if your session cookies are stolen.

I didn't nuke my Windows OS or my Android phone, thinking once I change email passwords he will leave me alone; turns out that's not the case. I still can't figure out exactly where my backdoor is.
Wrong choice. You should have done it yesterday.

At the very least, don't connect your PC to the internet.
 
Log out of everything that was connected + change passwords, both from a different computer or after reinstalling Windows.
Reinstall Windows. Why take a chance?

Also, it's not 100% foolproof, but probably turn on Secure Boot too.
 
Interestingly, the Discord attack happened when I was offline and asleep at 5 AM in the morning. Seems like they have access to my credentials.
At the very least, don't connect your PC to the internet.
Which 2FA app is it? If you can log in to the 2FA app using email or SMS, then probably those are compromised as well.
Google Authenticator, and I probably log into it using my Google account login.
I have 4 devices:
1. Windows PC
2. Linux laptop
3. Rooted Redmi running Android 14
4. Non-rooted Moto running Android 14.

Should I wipe all of them and then separate essential accounts to a different database for my password manager?

Instead of Google Authenticator should I use Aegis? If yes, should I move my 2FA for other apps to Aegis before moving on with the system wipe?
There is an internal HDD too which has all my data; don't tell me I need to wipe that too? I use that to back up my Androids before a system wipe.
 
Interestingly, the Discord attack happened when I was offline and asleep at 5 AM in the morning. Seems like they have access to my credentials.
Overthinking Pro Max.

Stop thinking everything in terms of attack, hack…

You installed a virus. It stole your session cookies. Now someone is logging into your accounts one by one using those cookies at their leisure.

You haven't invalidated those cookies by clicking 'Log out from everywhere' from all possible accounts. So you will keep receiving such notifications like you received for Discord.
 
But I don't log in to Discord using the browser; I have installed the application on both Windows and Android. Session cookies can be stolen via that route too? I thought it's meant for browsers only.
 
But I don't log in to Discord using the browser; I have installed the application on both Windows and Android. Session cookies can be stolen via that route too? I thought it's meant for browsers only.
The Discord app is a wrapped Chromium browser. All Electron apps are like that. Though I have no idea if all Electron apps save credentials like browsers do.
 