tastywheat

What security measures should I take after my social media accounts have been hacked?


Last week, someone hijacked my Twitter account. I changed the password as soon as I could and revoked access to all 3rd-party apps. Last night my Gmail was hacked. Stupidly, this is an email I've been using to conduct business, so the hacking has lost me a lot of face. I changed the password as soon as I was alerted. This morning, people were still receiving spam from the account. I've now updated the passwords for every social media site I'm a member of, but I'm wondering what led to this and what I can do to prevent it in the future.

 

It's worth noting that my Twitter and Gmail accounts had different passwords. I was notified that a forum I'm a member of had their database hacked, and I think it might have used the same password as my Twitter account, but I'm not sure. The only other culprit I can think of is that a second-hand Android tablet I recently purchased has malware on it. I've turned the wifi off and plan to do a factory reset.

 

Can anyone shed some light on the situation, or make additional suggestions on what to do?

Edited by tastywheat


My guess is they got your email password somehow, then asked to reset your Twitter account password.

 

Most accounts get hacked via a hacker exploiting a password database of a forum or poorly secured website. So if you have used the Gmail password anywhere else on the net, this could be why. There is a known vulnerability in a version of vBulletin which came to light a month or so ago.

 

One of the easiest ways to stop this is to use a password manager, one that is available on all the platforms you use. The biggest mistake people make on the net is to reuse passwords. Most websites use your email address as the username, so an attacker gets a lot of information for free.

 

Tips:

* Change all passwords - don't forget your email account

* Start using a password manager to generate different passwords for each site

* Enable 2-factor authentication when possible


My old password for Twitter worked, and I can't think of a way they could have got it via Gmail. A password manager is a good suggestion. I've updated every password of every site I can think of, with a different password for each. I remember them all now, but I'm not sure how long that memory will last.

 

I had two-step authentication enabled. Whoever was using the accounts didn't change the password, possibly because of this.

 

The thing that is still bugging me is that I'm almost certain that my Gmail password was unique, and not something that could easily be broken with brute force (random letters, numbers and a symbol). What's more, how were they able to continue sending out spam after the password was changed? Is email spoofing a possible explanation? The only other thing that I can think of is that my second-hand Android tablet (Nexus 7), which I failed to wipe when I got it (it appeared as though it already had been), has something to do with it.

Edited by tastywheat


On the password front, how random are your randomly chosen letters and numbers? "1cqdaez3" looks random, but it's really just the first and third columns on a keyboard interleaved with the latter reversed. These types of patterns are relatively straightforward to crack with modern techniques. Diceware or its single-character-per-roll equivalent, on the other hand, are truly random and are as hard to crack as their entropy would suggest.

 

The other possibility is that your computer may be compromised by a keylogger or other malware. This is considerably less likely than your reused Twitter password being exposed by the forum hack, but it would explain the Gmail hack. Note that this could involve either the tablet or your main PC, and it would be worth giving both a thorough check.

 

+1 to getting a password manager. I personally use KeePass, but any of the major options are a good start. That said, KeePass can be a pain to sync across multiple platforms, so you may want to look at some of the other options.


Yes, email spoofing is EASILY doable. Once they know a recipient receives email from you rather than bouncing it, they can go back to their server and spoof the FROM address.

 

Also, they could simply have still been logged in :P

 

A good password tip is to use a sentence without spaces; it's English to us, but random to a brute force.

Simply include the name of the service in the sentence, and change that one word to match the service (to keep it unique),

such as:

HiThisIsMyAtomicPassword

HiThisIsMyYahooPassword

 

They're surprisingly hard to attack by brute force, since that's not an actual 'word'.


DaCraw, it was a 6-letter anagram of a Swahili word with a capital letter, symbol and two numerals thrown in the middle. It seemed secure to me, but maybe a little short (9 characters total).

 

I asked some of the recipients to forward me the spam; all of it is coming from the email address, but doesn't have my name attached to it, i.e. it arrives from xxx@gmail.com instead of Firstname Lastname in their inbox.

 

I'm thinking now that they haven't actually compromised my Gmail, but have lifted my address book from somewhere.


All it takes is one person to forward chain mail for them to get a list of people who know people, and send to and from randomly.

Got the MIME header? You should be able to track the emailer and report him to his ISP.

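The header check Master_Scythe is pointing at, as an added example that is not from the thread: given the raw headers of a forwarded copy, it compares the envelope sender (Return-Path), the receiving server's SPF/DKIM results and the first Received hop against the From address to tell a spoofed message from one sent through the real account. Both sample messages, their hostnames and IPs are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed samples (not from the thread). SPOOFED claims to be from the Gmail
# account but was handed to the recipient's MX by an unrelated host with failing SPF;
# GENUINE was actually sent through the account. Hostnames and IPs are placeholders.
SPOOFED = """\
Return-Path: <bounce@spammer.example>
Received: from mail.spammer.example (mail.spammer.example [203.0.113.7])
 by mx.recipient.example with ESMTP id 4kq1
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=spammer.example; dkim=none
From: xxx@gmail.com

click here
"""
GENUINE = """\
Return-Path: <xxx@gmail.com>
Received: from mail-xx.google.com (mail-xx.google.com [2001:db8::42a])
 by mx.recipient.example with ESMTPS id 4kq2
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=gmail.com; dkim=pass header.i=@gmail.com
From: Firstname Lastname <xxx@gmail.com>

Friday?
"""

def assess_headers(raw):
    """Return (verdict, findings) from the header fields a forwarded copy keeps."""
    msg = email.message_from_string(raw)
    flat = lambda v: " ".join((v or "").split())        # unfold folded header values
    from_addr = parseaddr(flat(msg.get("From")))[1].lower()
    ret_path = parseaddr(flat(msg.get("Return-Path")))[1].lower()
    auth = flat(msg.get("Authentication-Results")).lower()
    # Each relay prepends its own Received line, so the last one is the first hop.
    first_hop = flat((msg.get_all("Received") or [""])[-1]).lower()
    findings = []
    if ret_path and ret_path.rpartition("@")[2] != from_addr.rpartition("@")[2]:
        findings.append("envelope sender domain differs from the From domain")
    if "spf=pass" not in auth:
        findings.append("SPF did not pass for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no valid DKIM signature from the From domain")
    if from_addr.endswith("@gmail.com") and "google.com" not in first_hop:
        findings.append("first hop is not a Google mail server")
    verdict = "likely spoofed" if findings else "consistent with the real account"
    return verdict, findings
```

Only the Received and Authentication-Results lines written by the recipient's own server can be trusted; anything above them in the chain was supplied by the sender.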

D'oh, I hadn't noticed that you'd replied, tastywheat.

 

I agree with Master_Scythe that it seems like your email had been spoofed rather than compromised. That said, this case does raise some important points about password strength. I should note that what I am about to say is my (non-expert) opinion only. There are many others, including some vastly more knowledgeable than I, who would disagree - so take all of this with a grain of salt.

 

One of the basic maxims of modern information security is that security through obscurity is not security. What this means is that all forms of cryptography should only be considered as strong as they would be if the attacker knew exactly how they work. Similarly, the keyspace of a password is limited by the methods used to generate it, and you should assume that an attacker knows exactly how you pick your passwords. I think that this is often overstated by various crypto bloggers, but it is certainly true that modern attackers know more about how people pick passwords than you do. They may not know which word you chose to take an anagram of, but they do know both the psychology behind how people choose passwords and the statistical breakdown of passwords used in real life (including Markovian models of which letter is most likely in any given place).

 

In practical terms, though, all passwords shorter than 8 characters should be considered vulnerable. Various interviews given over the past year or so have confirmed that a modern setup (one computer, multiple current-gen GPUs) costing at most a few thousand dollars (i.e. high-end consumer-enthusiast hardware, available from your local MSY) can brute force passwords with up to 8 characters containing digits and both lowercase and uppercase letters within a viable timeframe. Beyond that, extra characters increase the workload exponentially. Then they try known passwords (typically from RockYou, LinkedIn, and various other breaches) and any variations on these. Other techniques involve wordlists cribbed from Wikipedia, Google, Project Gutenberg, etc. Basically, if your password is based on a mangling of something that would show up on a Google search, you should assume that it will be cracked sooner or later.

 

With regards to the information you've given about your password: a lot of it depends on exactly what you mean by 'anagram.' 9 characters is long enough (for the time being), although longer is better ceteris paribus. The real question is whether your anagram is itself a recognisable word or phrase. If you've just taken the letters and (truly) randomly rearranged them, then it should be fairly strong. Traditional theory states that your keyspace is tiny because you are limited to all possible anagrams of that word (i.e. 6! or 720) and you are effectively only gaining a minimal amount of length from mangling, but in practice random anagrams are indistinguishable from random characters and so are unlikely to form part of a wordlist. This may well change, though.

 

If, on the other hand, your anagram is itself a word present in a dictionary (Swahili or otherwise), you should assume that it is barely more secure than a 6-character English word would be. Swahili word lists may be less common, but you still shouldn't risk it.

Edited by DaCraw

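DaCraw's point that the keyspace is set by the generation method, worked through as an added example (not from the thread): each function counts the candidates an attacker who knows the method must try, so the schemes discussed here (8 random alphanumerics, tastywheat's 6-letter anagram with a capital, two digits and a symbol, a Diceware passphrase, a sentence of common words) can be compared in bits. The symbol alphabet size and the guess rate are assumptions.

```python
from math import comb, factorial, log2

SYMBOL_ALPHABET = 32   # assumption: punctuation characters reachable on a US keyboard
DICEWARE_WORDS = 7776  # the standard Diceware list has 6**5 words

def bits(keyspace):
    """Entropy of a method that picks uniformly from `keyspace` candidate passwords."""
    return log2(keyspace)

def random_chars(alphabet, length):
    """Uniformly random characters; 62 alphanumerics x 8 is the GPU limit quoted above."""
    return alphabet ** length

def anagram_with_inserts(word_len=6, capitals=1, digits=2, symbols=1):
    """tastywheat's scheme: shuffle a dictionary word, capitalise one letter and push
    digits and a symbol into the middle. The attacker is assumed to know the base word
    (no credit for obscurity), so only the choices made after picking it count."""
    inserts = digits + symbols
    return (factorial(word_len)                   # orderings of the letters (6! = 720)
            * comb(word_len, capitals)            # which letters are capitalised
            * 10 ** digits * SYMBOL_ALPHABET ** symbols
            * comb(word_len + inserts, inserts))  # positions the inserts occupy

def diceware(words):
    """Diceware passphrase: each word is one uniform pick from the list."""
    return DICEWARE_WORDS ** words

def sentence(vocabulary, words):
    """Upper bound for a sentence of common words (grammar makes real ones weaker).
    Per the thread, dropping the spaces adds nothing: 'with/without spaces' is a
    standard mask applied to the wordlist."""
    return vocabulary ** words

def mean_crack_seconds(keyspace, guesses_per_second):
    """Expected time to hit the password: half the keyspace at the given guess rate."""
    return keyspace / 2 / guesses_per_second

def report(guesses_per_second=1e9):
    """Compare the schemes from the thread at an assumed guess rate (hashes per second)."""
    schemes = {
        "8 random alphanumerics": random_chars(62, 8),
        "9 random printable ASCII": random_chars(95, 9),
        "6-letter anagram + capital + 2 digits + symbol": anagram_with_inserts(),
        "5-word Diceware passphrase": diceware(5),
        "5-word sentence from 2000 common words": sentence(2000, 5),
    }
    return {name: (round(bits(k), 1), mean_crack_seconds(k, guesses_per_second))
            for name, k in schemes.items()}
```

The anagram scheme comes out at roughly 30 bits, far below the 47.6 bits of 8 random alphanumerics that the post treats as the brute-force floor, which is the quantitative form of "the keyspace is limited by the method".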

Which is why the 'sentence password' is so strong.

 

Joining Hello World into HelloWorld will appear on the internet, for sure.

But HelloWorldILikeHamBecauseItIsRad won't appear anywhere, unless someone ate their spacebar key.


The problem with that is that with and without spaces are some of the most common masks applied to wordlists. A sentence without spaces is no stronger than one with.


Feel your pain tastywheat. Had my Hotmail account compromised, and they definitely copied my password from a promotional web page or something. How hard is it to have more than three passwords? I changed mine to another password; I always think nicknames and dates are good. I now have a special password I only use for that account, and it's working well.

Funnily enough, Microsoft were not too concerned about my situation, couldn't give a stuff until I emailed those chaps in the US, and they were lovely, fixed it in like 30 seconds.

pump.

 

I also am being stalked to a degree via Twitter. A girl I met at a conference has been sending me tweets, although I didn't tell her my name, mobile or Twitter account, only where I worked.

These young lasses these days can be keen.

 

I never use recognisable words, names, places etc. Also, spelling words wrongly is a good idea.

Edited by pumpjockey02


You could use something like LastPass to manage your passwords - I've recently started trying it out with some stuff I don't care about too much. So far so good.


The problem with that is that with and without spaces are some of the most common masks applied to wordlists. A sentence without spaces is no stronger than one with.

Not all password fields allow spaces though. And if you use any brute-force crackers very often, you'll notice that 'words without spaces' is usually one of the last things to try, if at all.

It's because without spaces, it's all 'one long word' and the possible combinations are endless, especially if you include another language, or use a nickname etc.

Edited by Master_Scythe


In practical terms, though, all passwords shorter than 8 characters should be considered vulnerable. Various interviews given over the past year or so have confirmed that a modern setup (one computer, multiple current-gen GPUs) costing at most a few thousand dollars (i.e. high-end consumer-enthusiast hardware, available from your local MSY) can brute force passwords with up to 8 characters containing digits and both lowercase and uppercase letters within a viable timeframe. Beyond that, extra characters increase the workload exponentially. Then they try known passwords (typically from RockYou, LinkedIn, and various other breaches) and any variations on these. Other techniques involve wordlists cribbed from Wikipedia, Google, Project Gutenberg, etc. Basically, if your password is based on a mangling of something that would show up on a Google search, you should assume that it will be cracked sooner or later.

This does, however, make the assumption that the attacker has a hashed version of your password for the service in question. A long password is only really a defence against somebody cracking your password in a poorly hashed (anything that uses MD5, SHA1, no salt, or few or a single round of hashing) database that has been breached. Using different passwords and two-factor (or more) authentication mitigates this quite effectively.

 

Your email account is really your most important account to keep secure (next to a password manager!): other services use it to send password resets etc., and a hacked email account can quickly give an attacker access to other services.

 

Another protip for Gmail (and many other email services): when you sign up to a site, append a code or the name of the site to your email address with a +, e.g. jon.doe+amazon.com@gmail.com. Gmail will ignore everything after the +, but it also makes your email login unique for every site you use and harder for an attacker to guess. This is also handy if you suddenly start getting heaps of extra spam, as the email is unique to the site that gave your address away.

Edited by SledgY

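SledgY's plus-addressing trick, as an added example that is not part of the thread: the helpers build the per-site address, map any delivered variant back to the one real mailbox (Gmail also ignores dots in the local part and treats googlemail.com as the same domain), and count which tags a batch of spam arrived on, so the site that leaked the address can be identified. The recipient list is constructed sample data.

```python
from collections import Counter

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def split_plus_tag(address):
    """Return (canonical mailbox, tag) for a plus-addressed email address.

    Gmail delivers everything after '+' (and ignores dots in the local part) to the
    same mailbox, so all variants map back to one login; the tag names the site the
    address was handed to.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    base, _, tag = local.partition("+")
    if domain in GMAIL_DOMAINS:
        base, domain = base.replace(".", ""), "gmail.com"
    return f"{base}@{domain}", (tag or None)

def tagged_address(login, site):
    """Per-site address to register with, following the jon.doe+amazon.com@gmail.com pattern."""
    local, _, domain = login.rpartition("@")
    return f"{local}+{site}@{domain}"

def leak_sources(delivered_to):
    """Count the tags a batch of spam arrived on: a tag only one site ever saw names the
    site that leaked (or sold) the address."""
    return Counter(tag for addr in delivered_to if (tag := split_plus_tag(addr)[1]))

# Constructed sample: Delivered-To values pulled from forwarded spam (not real data).
SAMPLE_SPAM_RECIPIENTS = [
    "jon.doe+forumx@gmail.com",
    "Jon.Doe+forumx@googlemail.com",
    "jon.doe+shop.example@gmail.com",
    "jon.doe@gmail.com",   # untagged: given out directly or harvested elsewhere
]
```

A tag is trivial for a spammer to strip, so treat it as a tracing aid for finding the leaking site, not as a secret that protects the login.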