Lesson Learned - Secure Your Logins

Walter Rowe (Columbia, Maryland):
Public Service Announcement - Secure your Logins!

Two days ago I awoke and saw half a dozen emails containing a Facebook password reset PIN. I never requested a password reset. Someone apparently got into my email, then used it to reset my Facebook account login overnight. I was unable to get into the account. I use my account to manage multiple photography groups with thousands of members each, and to manage my portrait photography business page. This was quite distressing. My heart sank.

I immediately reset my email password and secured that account. I then submitted a claim to Facebook that my account had been hijacked. That required providing my driver's license via a web-cam instant picture. This got the account locked while Facebook reviewed the situation. The notice on the screen after submitting the request said it would take up to 2 days. I had doubts it would ever happen. Facebook has over 2B users.

Now I waited. Will I hear from Facebook? Photographer Joe Edelman posted a video on his YouTube channel describing his experience in recovering from being banned from Facebook. I was hoping I didn't have to jump through all the hurdles he did to reclaim my account. I could do nothing but wait.

This morning I awoke with an email from Facebook indicating they validated my ID. The email provided a special link, a key, and a 1-time code to reclaim my account. I followed the instructions and was successful. I then set about immediately updating all of the security settings including turning on 2-factor authentication, and enabling notifications for suspicious logins. The 2-factor login uses a separate app (I use Microsoft Authenticator, but Google Authenticator also works) that receives an initial, unique, one-time code from Facebook. Each time you log into Facebook, it asks for your password, then asks for a one-time code which you will get from the 2-factor app. It is an extra step but I now know my account is secure.

If you don't have 2-factor authentication set up for all your logins (banks, social media, etc), set it up. It ensures someone else cannot take over your account like they did mine. It was distressing that someone had hijacked my account which gave them admin access to many of the groups I manage and to my portrait photography business page. I have now looked through the activity log for my account. I was lucky. They just got into the account, removed my email address and mobile number, and turned on 2-factor auth for themselves. I could only have reclaimed access using Facebook's process.

Credit goes to Facebook for locking my account when I filed my case, and for getting me access again in the time frame they promised. Instagram provides the same 2-factor feature. Many other services do as well.

My recommendation? Secure all your accounts!

Here are settings I made sure to enable once I got back access to my account. I also made sure their email address was removed and mine was added, and my mobile number was the only number associated with the account.

[Image: Facebook-Security.png]
 

Butlerkid (Karen), Cafe Ambassador, Administrator, Rutledge, Tennessee:
YIKES! I've refused to use social media, especially FB. But then I'm not selling anything! LOL!

Justin's email was hacked the beginning of April. They sent "help" requests to most of his contacts. What a mess. He had been resisting getting a new email address, but was forced to.

We now have 2 step verification on all accounts.
 

Commodorefirst (Wade), Admin/Moderator, Administrator, Missouri:
I had two step turned on with FB. (Read that again: yes, I had two step turned on.) My account was still hacked. I saw the emails stating that the country code for my two factor and also my password were changed. I noticed within 20 minutes at 2:00 am.

I too clicked to notify them, stating that I was hacked. The hacker had already deleted my account completely, but the FB automated bots stated you could still recover your account. I too submitted my picture (of my driver's license) for authentication.

Days passed, nothing, more attempts by me, 17+ emails to various email addresses, using the FB process, several more photos. Nothing. Useless. A few days before the 30th day, which means I can never get my account back, I attempted to contact a human about doing FB Ads for my photography business. I wrote two final emails stating that I was wanting to place ads; however, I needed my primary account recovered before I was willing to spend the funds. Once again crickets, even attempting business support contact with humans.

I am at 2.5 months, and my biggest problem is my messenger contacts are gone, and I communicated, did business through messenger, would be contacted about clinics, jobs, music judging from my messenger contacts. You cannot have messenger without FB anymore.

The keep-in-touch social aspect of FB was nice. I only had about 400 contacts, mostly professional, family, and about 200 former students whom I kept in touch with (from the 3-5,000 I worked with during my career).

What was lost was professional access for both photography and fine arts, music, judging, at state level and national level events from contacts on messenger. Extremely frustrating. My visits to various professional FB page private groups cannot occur. I am extremely upset about this occurring, but not getting my 12 years of contacts back is what is most disconcerting. I communicated professionally with 3-10 people each day via messenger. Set up clinics, judging, etc. Fortunately with Covid I am not missing notifications right now, but planning for 2022 is underway.

I do plan on starting another account, but having been hacked with two factor turned on gives me pause.

When I researched how this could happen, I learned there were approx 80 million US FB users whose data was stolen from FB in 2019, and little to no news reports mentioned all the details of the hack. A few of these accounts somehow also had their two factor numbers modified at the time, and hackers were able to change the country code and keep the other numbers the same. This has been fixed by FB, and further, two factor should work properly like my email accounts and banking accounts, which all have different passwords and two factor turned on.

In conclusion, please do use two factor, but as my example demonstrates, anything is possible. Very happy you got your account back Walter. I also as a precaution changed all passwords everywhere even though my email was not affected. Even updated my admin password here too.
 
Member, London:
I had two step turned on with FB. (Read that again: yes, I had two step turned on.) My account was still hacked. I saw the emails stating that the country code for my two factor and also my password were changed.
Whoa, that is a terrible outcome.

Was it a Professional account?
Are there alternatives you could use to ensure business continuity?
 

Butlerkid (Karen), Cafe Ambassador, Administrator, Rutledge, Tennessee:
I had two step turned on with FB. (Read that again: yes, I had two step turned on.) My account was still hacked. I saw the emails stating that the country code for my two factor and also my password were changed.
Sorry this happened to you. The loss of all the contacts has to be very frustrating! All my contacts are in Google Contacts.....AND.....important ones are in an Excel spreadsheet saved and backed up on various internal and external HDs!
 

Commodorefirst (Wade), Admin/Moderator, Administrator, Missouri:
Sorry this happened to you. The loss of all the contacts has to be very frustrating! All my contacts are in Google Contacts.....AND.....important ones are in an Excel spreadsheet saved and backed up on various internal and external HDs!
What was frustrating is not having their phone numbers, and many for some reason just preferred to contact via messenger and FB messenger groups. My contacts for phone and addresses are still just fine, but probably several hundred messenger contacts are lost.
 

Commodorefirst (Wade), Admin/Moderator, Administrator, Missouri:
Whoa, that is a terrible outcome.

Was it a Professional account?
Are there alternatives you could use to ensure business continuity?
No, not professional, and supposedly if you have one and use ads, etc. you get human contact and service, hence my request to start ads. The photog use is more limited since I no longer do event work, but judging, and most importantly music judging, piano work, at music festivals at the state and national level were affected most. That is my retirement gig after retiring from teaching a number of years ago. (And also being a hay farmer. ;))
It was just me being lazy and communicating via messenger, and never writing down their email or phone addy. Why, I figured? Oops… long sigh… I just click their name, drop a note, bam, better than email… I thought.. lol. Usually, they are the ones contacting me via messenger anyway, asking hey Wade, can you judge April 3-4 over in Kansas City or Arkansas?
 

Growltiger, Administrator, Up in the hills, Gloucestershire, UK:
Public Service Announcement - Secure your Logins!

Two days ago I awoke and saw half a dozen emails containing a Facebook password reset PIN. I never requested a password reset. Someone apparently got into my email, then used it to reset my Facebook account login overnight.
Walter @Walter - what a terrible nightmare, I feel for you. Thank you for the public warning.

Do you know how they got into your email? In many ways security of email accounts is incredibly important, since it is a way in to identity theft, taking out loans, taking over website logins through password recovery and more.

Typical ways in are weak passwords, or using the same password for multiple sites (so any one of those could be hacked), or phishing, or hacking of the email provider itself. I have heard for example that Yahoo has been hacked many times.

I do not trust any cloud service completely. All data I have on a cloud or hosting service is also on my own systems. I don't use gmail (except as an emergency backup), but I do use Google's Contacts and Calendar. I back that data down to my computer, and of course it is also replicated on my phone.

2FA is not infallible. For example if an operational phone is stolen the thief can quickly do a password recovery, changing the credentials of any service which relies on 2FA sending a message to the phone.

I fear that the convenience of cloud services, such as Google, Apple's iCloud, Microsoft's OneDrive and so on, is making more and more people vulnerable. I went through a terrible struggle to get someone's iCloud data back after they had a technical problem. I did eventually manage to retrieve the only photos they had of their deceased husband, but I could easily have failed.

I am pleased that all my banking transactions require me to use a proper hardware device that generates a code every time I login, with additional security for adding new payees.

Wade @Commodorefirst that is a shocking story about Facebook. I absolutely despise Facebook.
 
Walter Rowe (Columbia, Maryland):
What was frustrating is not having their phone numbers, and many for some reason just preferred to contact via messenger and FB messenger groups. My contacts for phone and addresses are still just fine, but probably several hundred messenger contacts are lost.
Look for Joe Edelman on YouTube. He has a video accounting of his being BANNED from Facebook. He managed to get a Facebook Community concierge to contact him personally and help him restore his account. It took him a month. The major lesson he discussed in the video is maintaining alternative methods of contacting important people - email, phone numbers, etc. You have to be able to contact people when something happens.

Really sorry to hear of your outcome. Distressing I am certain.
 
Walter Rowe (Columbia, Maryland):
Walter @Walter - what a terrible nightmare, I feel for you. Thank you for the public warning.

Do you know how they got into your email? In many ways security of email accounts is incredibly important, since it is a way in to identity theft, taking out loans, taking over website logins through password recovery and more.
I feel certain it was a) a weak password, and b) probably in some compromised passwords dark web database.

I tried sending several emails from my photo business email address this week. All bounced back stating my email address had been flagged as a spammer. I opened a case with my web hosting company who looked through their logs and found the hackers had used my account to send spam. They are now working to "restore my good name" (get my email unblocked). I would have never known this aspect of my story without opening a case with my web hosting provider.
 

Growltiger, Administrator, Up in the hills, Gloucestershire, UK:
I feel certain it was a) a weak password, and b) probably in some compromised passwords dark web database.
I recommend everyone put their email address into this useful website: https://haveibeenpwned.com/
You can read about it here: https://en.wikipedia.org/wiki/Have_I_Been_Pwned?
And this service has 5 billion stolen passwords, see if you are listed: https://www.avast.com/hackcheck/

The creator downloaded lots of criminal databases (containing stolen data) and combined them into one giant database.
He then made this available so you can check to see if you are on it and how many times.
In some cases you will recognise the company, and you should make sure you have changed the password you use for them. And if you used that password anywhere else, change every one of those too.
In other cases you can't tell - the details came from somewhere, and they are out there.

The single most important lesson is to NEVER use the same password for more than one website or service.
The other lesson is to always use a really good password for anything which is important to you or where you will lose money if someone else knows it.

If one of your passwords is out there, then you may also be subjected to blackmail attempts, such as when you get told that they have photos and video of you, from your webcam, and they are going to send them to all your contacts. They tell you your password as proof you have been hacked. Of course it is all a lie. At one time I was receiving about 10 of these a day - mostly going into my spam. Presumably some poor suckers pay up.
 
Member, USA:
If you want to do a deep dive on defensive computer kung fu, have a look here. I just stumbled upon this site today when researching the latest QNAP/Synology attacks. I haven't read through all of it or even most of it, but the things I checked appeared correct. Moreover, this page is apparently kept current (most recent updates were this month).
 
Growltiger, Administrator, Up in the hills, Gloucestershire, UK:
If you want to do a deep dive on defensive computer kung fu, have a look here. I just stumbled upon this site today when researching the latest QNAP/Synology attacks. I haven't read through all of it or even most of it, but the things I checked appeared correct. Moreover, this page is apparently kept current (most recent updates were this month).
Thank you so much, that is a brilliant document. I have only read some of it but it looks well researched and very comprehensive.
 

Growltiger, Administrator, Up in the hills, Gloucestershire, UK:
I recommend everyone put their email address into this useful website: https://haveibeenpwned.com/
You should also check that none of your important passwords are on the database. This is because although they may have been added as someone else's passwords, they may still be used to attack your accounts. Here is the link, this time you just have to type a password in each time and see if it is in the database. If it is, change it. It is a different part of the same website you used before:
https://haveibeenpwned.com/Passwords
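Both the Have I Been Pwned recommendation earlier in the thread and the Pwned Passwords link in this post rest on the same range (k-anonymity) lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix in that bucket, and matches locally, so the password and its full hash never leave the machine. The Python below is an added example, not code from the post or from haveibeenpwned.com. The range URL and the Add-Padding header are the documented public API; the sample response body is constructed for this demonstration, and the breach count it shows for the password "password" is a placeholder, not the real figure.

```python
import hashlib
from typing import Callable, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample of a range response for prefix 5BAA6 (not real data; the live
# API returns hundreds of lines). Format: "<35-char SHA-1 suffix>:<breach count>".
# A count of 0 is what padding entries look like when Add-Padding is requested.
SAMPLE_RANGE_5BAA6 = (
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"   # placeholder count for "password"
    "1E5B2D9E2A1C1F0B9C6E8D4A3B2C1D0E9F8:0\r\n"         # padding entry, count 0
)


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password (this is the API's identifier, not a storage hash) and
    split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """Only the prefix goes on the wire: one bucket covers ~1/1,048,576 of all hashes."""
    return PWNED_RANGE_URL.format(prefix=prefix)


def count_in_range(suffix: str, body: str) -> int:
    """Scan the bucket locally for our suffix; absent or padding (0) both mean 'not seen'."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus; 0 means it was not found."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real lookup (not called here). Add-Padding makes every response a similar size
    so an observer on the network cannot infer the bucket from the reply length."""
    import urllib.request
    req = urllib.request.Request(
        range_url(prefix),
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        verdict = "seen %d times, do not use" % n if n else "not in sample corpus"
        print("%-30s %s" % (pw, verdict))
```

Swap offline_fetch for live_fetch to query the real service. A practitioner would add one caveat to the post's advice: "not found" only means the password is not in the breach corpus, not that it is strong, so a generated, unique password from a manager is still the goal; the range check is a backstop that catches reuse of something already leaked.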
 
Walter Rowe (Columbia, Maryland):
An added feature Facebook offers and I have configured for testing is to encrypt all notifications you get from Facebook. It isn't for the faint of heart as it requires having an email app that can read emails encrypted with OpenPGP. There is a paid plugin for Apple Mail from GPGtools.org that adds support to Apple Mail. They offer a 30-day trial. Not sure I want to keep it. I'm still in the trial. It is comforting to know that even if someone hacked my email account they still would not be able to read any password reset links or PINs.

There are also some online services that offer mobile device apps and support PGP encryption, but they appear to charge and you have to use their email servers. I'm not jazzed about that, but I do like the concept of knowing that the email provider (eg Google, Yahoo, Apple, etc) cannot peruse and source ad info from my emails.
 
Ken (Puget Sound):
If you want to do a deep dive on defensive computer kung fu, have a look here. I just stumbled upon this site today when researching the latest QNAP/Synology attacks. I haven't read through all of it or even most of it, but the things I checked appeared correct. Moreover, this page is apparently kept current (most recent updates were this month).
That is a tall read, but on skimming it, it seems like a worthy one.

Thanks,

--Ken
 
Member, SW Virginia:
If you want to do a deep dive on defensive computer kung fu, have a look here.

I just finished going through that. It led me to The World's Best Password Advice:

https://www.michaelhorowitz.com/BestPasswordAdvice.php

I think that is excellent advice on managing passwords. It convinced me to give up on LastPass. I don't use it anymore anyway since I much prefer KeePassX.

So I want to get rid of LastPass. If I just drop the app in the trash does that remove it completely?
 

Nikon Cafe is a fan site and not associated with Nikon Corporation.
Copyright © Amin Forums, LLC