Help. How did this hack happen? I'm ready to pay for a private consultation

Hi!

Recently on of my social medias was hacked. It is the first time in my life it happened in such a way that someone accessed my account, and despite my best efforts i have not been able to find who, or why and most importantly how they did it. As far as i know the password has not been leaked (i checked all public data breaches and i couldn’t find it).

I received an alert from social media that someone suspicious logged into my account and it was not me.

I have downloaded a log history from the website which was hacked (social media), including user agent, ip, all the usual information. The login ip seems not to be a vpn according to vpn detectors. And the device used does not match my devices at all. This site technical support is quite useless (as most social medias support are).

I changed the password within 30 minutes so they did not have the opportunity to do much, maybe read my conversations or download data but not sure as i could not find any evidence of any of their actions. I had no 2FA in that moment (obviously added it later), but the question is how they made it in the first place.
I already ran malware checks and it seems i have nothing. Also i never click on phishing links “type your password here” or all that basic stuff.
In fact, the password was stored in my browser, i did not type it anywhere for years.

Also, i think a cookie attack is unlikely (despite using public wifi), as if someone hijacks my session, i would not receive a suspicious login alert in the first place, right?

So i am leaning towards this person knew my password, somehow.

If i can find someone who can help me with a 1-on-1 consultation to understand how this hack happened in the first place i would be willing to share all the details (the social media website, the logs, etc). And obviously pay for the consultation.

Any helpful comments are welcome! Maybe some angle i didn’t think of?

EDIT 2 days later:

Thank you everyone for so many responses!! i am really positively surpised at this community. I was really not expecting so many responses.

By the way, i am willing to offer 1000 USDT to anyone who can exactly discover and verify how my social media was hacked.

I will try to answer most of the questions here, as most of you have made good points.

I will answer everything i can publically here, but for sensitive details, if you think you can resolve this mistery, you will need to contact me in private and i can share more specific details.

@InternetGhost

1- Regarding the password. It was almost-unique. At that time i was not using a password manager (after this happened i am already updating my whole security strategy online).

It is a very old password (several years old) but relatively strong, including letters, numbers and special characters. When i look back in time i have used this password on very few sites. But they are very few, and none of those sites had a leak online. I checked several sites (haveibeenpwned, dehashed, firefox checker, chrome checker). This specific password seems to not be leaked anywhere. And most interesting, even the few times i used this password before, was mostly with a different email address in other sites. So really, the chance of this being an online leak is very small as they would even need to cross check different email addresses most likely. But maybe i have not checked some specific source for leaks. If you have any recommendations besides the above mentioned ones, they are welcome.

2- The password was never shared as far as i know.

3- Nobody has access to my devices.

4- Reason to be targeted: i can imagine a few suspects why someone would want to access my social media account. It can be anything starting from some jealous ex boyfriend of some girl i used to date, up to some government institution. But i have no reason to connect the hack to any of them specifically. It is only my suspicions. And not knowing who it was also keeps me up at night.

5- I got a message that someone already logged into my account (not “trying”, it actually happened), and for sure it was not me. I have the IP address, device, browser. And all of this information is absolutely not matching my devices or my location.

-Blurb5778

5- Yes passwords were stored in my browser and with autofill. This means i did not even insert my password there.

6- The IP was not a VPN according to online VPN detectors (unless the hacker had access to some undetected VPN), i have a location. I am NOT in the same country as this location and i have not been there for a few months, but it is a country and city i visited before. Anyway the location is in a big popular city and quite mainstream, so it could have been anyone. However, this social network is not popular in that country. So when i cross check i see two options: a government agency trying to spy on me in the real city according to the ip OR an ex boyfriend of a girl where this social network is popular, who was using a residential VPN which was undetected. This all seems very unlikely to me in BOTH scenarios to be honest. So i am looking for a confirmation.

@alex

7- Regarding brute force: isn’t brute force very unlikely? I mean, you cannot brute force a password online, because you have only a few attempts before the site blocks you. So it means first someone needs to hack the whole website, and get the hashed passwords and THEN brute force. It seems to me according to online leaks, that there have been no leaks in this social network for the past 10 years, so i think brute force is unlikely. But correct me if i am wrong.

-privdom3

8- I can send you the name of the social media in private, but not here because i don’t want to put anything that can possibly identify me. But it is something similar to Facebook, just not facebook.

9- Social engineering: Very difficult. Through social engineering they can get my name, email, phone number. But not my password for sure.

Something not mentioned before that i want to clarify:

This can be a coincidence. But normally i don’t use Chrome at all. One time i had a girl who stayed at my home and she wanted to log into her own profile in the social media to check some stuff. So she logged into my browser in my computer. And since her session was already taken, i opened Chrome to use my own account and logged in there (which i normally don’t use) to have both accounts open. The hack happened 2 weeks later. So this leads me to think there might be a vulnerability in chrome (small chance but maybe). I have some extensions installed, but malware detectors say they are ok. I can also share the extensions i have installed in a private message to see if someone can verify if this can be the reason.

First, glad you got your account back under your control. Too much of a spook for Christmas to be sure.

Based on how much you know in your explanation, I’m going to assume that the password used was a strong password and not something basic. Also going to assume that it’s not a reused password from another account, though if you were somehow able to check whether those credentials were leaked, I guess it’s not that.

You mentioned saving the credentials on your browser. Is your computer the only browser that you are logged in on? Is there another computer in your home or maybe an old computer that you lost or gave away that could still have your browser profile logged in? That’s one way the attacker could have gotten it, but then I wonder why they didn’t go for something like your bank account.

Has the password ever been shared? Is it something that some could guess if they knew you?

Is there a reason that you might be targeted online rather than getting caught up in some mass data breach?

Did you get notifications before they logged in saying “hey, someone is trying to log into your account”? Were they just able to get in? Relatedly, can you check to see where that IP is geographically? Is it your home town or Timbuktu?

These are just the first questions that come to mind. There could be simpler explanations. Hopefully more people in the community can help you more.

That’s your first mistake (from reading your post). Saving a password to your browser is quite insecure, with known vulnerabilities. Doubly so if you have auto-fill enabled… never do this.

Was the IP from the public network? You should be able to do an IP lookup, and get a vague location. Also, no. Depending on the type of attack, you could still get a notification. I get them all the time, on my home network (all connections from me, and legit).

Without knowing more, I don’t think I can help much further. However, a few tips to avoid this in future.

1. Use a reputable password manager, like Bitwarden or Keepass.
2. If possible, use the password managers application, and not the addon. This will help, but is not a must.
3. TURN OFF AUTOFILL.
4. Have your browser delete browser data on exit.
5. Use a VPN on public networks. Proton is a good free option. If paying, I recommend Mullvad or IVPN.
6. Keep your browser, and operating system updated. Automatic updates are annoying, but important if you’re the type that does not check.
7. Whenever possible, use 2FA. Try to avoid SMS 2FA… but it’s better than nothing.
8. Have a password manager generate a random, unique password for every login. Never reuse details.
9. Do not rely on pwning sites, to see if your info has been leaked. They’re great, but tend to use out of date info.
10. Have the password manager clear your clipboard after a few seconds.

If you are reusing the same password multiple places, that could very likely be why you got hacked.

Or if the password wasn’t very strong, it could have been brute forced.

(optional) 11. Check SimpleLogin and/or AnonAddy and, beside unique password, create unique email as well.

Name of the social media?

Maybe through social engineering? Maybe someone close to you, like a friend or something? Do you post a lot of stuff on Facebook or other similar social media? It’s hard to tell a lot of stuff just from a few paras, sorry.

Not a great plan.

Look, it’s important that you keep a calm head. Change your password to something complicated and long or use that money you are going to pay for an useless “consultation” to buy yourself a yubikey, set it up as an authentication method, and you are good to go!

Again if the social media you are using has flawed security on the server side, nothing can help.
Sometimes you really can’t do anything and things are just not under control.

Thank you everyone for the replies!! I made an update to the original post including more details (see at the end of the post).

I am trying to reply to everyone but the forum only allows me to mention 2 users per post.
@privdom3 @Blurb5778

By the way, why is autofill a bad idea?

For many years now, there has been vulnerabilities in how autofill works. One very well known vulnerability allows malicious actors to create not visible forms. You can learn more about that here:

Look, things like this will get your head boiling (I know that from experience), just forget why it happened, what is important is that you know you have been targeted.

The most probable explanation is that a service where you used this password was hacked, and your password’s hash was leaked in the dark web, which is why it wasn’t shown in haveibeenpwned yet.

A similar thing happened to me on multiple services and this is when I decided to go to the extreme and beef up my security in a way even If I was interrogated they won’t access a single account.

DISCLAIMER, this is extreme IMO, and it will take several weeks to do if you have hundreds of accounts like me.
You need to go into each account you have, change the password into a random 64 character password, remove your phone number, and setup 2FA that is using an authenticator app or a security key only.

1- Buy a security key called ONLYKEY, it’s like a Yubikey, but it allows you to protect it with a password, store 24 credentials, a self-destruct code (for your enemy if they ask) and store a Yubikey (if you have and existing one) to simulate its code creation.
Set it up, and create a Super complex master password (something like this h&#I49P2A#!QZ^s5K1rq363X@q^v8$*QOR34vGocDJC^Z) and store your master password on that key only.
2- Get Bitwarden password manager, and migrate all of your accounts onto there, and delete any credentials from your browser or any other password managers (LastPass is shit, and it was hacked multiple times before).
Use your ONLYKEY to add your master password, setup 2FA for your Bitwarden account and your other accounts.
3- Create a new email, use a service called SimpleLogin and change the email of each service you have to a new pseudo email, which you should encrypt with a PGP key, then redirect all your emails to the newly created email, that way even if you use Gmail, only you can read your emails since all the emails are encrypted, and each service will have only that pseudo email address if they are breached, your main email is secure. (SimpleLogin is also open-sourced)

If you do this, then your master password for your password manager will be 100% secure because even you won’t know it, your accounts will be secured because Bitwarden not only open-sourced, never been hacked, but also uses an advanced encryption technique (AES-CBC 256-bit with PBKDF2 SHA-256) which makes it impossible to anyone other than yourself to see your accounts credentials (zero trust model).
Bitwarden uses a method of autofill which prevents keylogging and your passwords won’t be stored in the clipboard when autofilling.

I store all of my banking details, my identities, my cards, and my 500 accounts in this technique since 2018, I check for breaches regularly (on the dark web as well) and none of my accounts were compromised ever since.

Like I said, it is a super complex procedure, it takes weeks to do, and it will force you to carry your ONLYKEY with you (or your phone with Bitwarden using biometrics on it) all the time.

If you are up for it give it a go, but you can’t half-ass it, you have to do everything, or it won’t give you the piece of mind that you want.

Thank you for your message! Super appreciated.

I am taking a similar approach to you, with some variations.

1- I did not buy a security key yet, i am currently traveling around the world and it would not arrive on time because i am constantly changing places, but i am activating 2fa everywhere, and i am keeping it in a separate app from the password manager. By the way, what is your opinion about storing 2fa inside the password manager? would you feel ok with that?

2- I read bitwarden has poor usability (i did not test it) and also they are based in california which makes their privacy policy a bit strict. For example they require you to have a credit card in their system, which reveals your identity. I used another password manager which can be paid with crypto only without credit card. But they are newer in the market. Also, does bitwarden alert you for your hundreds of aliases on a possible breach? or they alert you only on your main address? (the latter would be quite useless).

3- Regarding new email, i am moving all my infrastructure from gmail to proton. I got the premium plan. Is there any reason you would sill use gmail? Also, if you have encrypted emails on gmail i guess you cannot use the gmail app on your phone, right? Which affects usability.

Thank you!

P.S: regarding the password hash, is there any way to search by password hash instead of by password?

If you’re currently using a dedicated authenticator app and it works for me, I would continue to use that. Yes, you are technically raising an extra barrier by turning on 2FA for an account, but if someone gets into your password manager, it’s game over because they will have the password and the one-time password. By keeping the TOTP on a separate app, you’ve made it harder for the attacker.

I switched to Bitwarden after the recent LastPass news and I find it to have a great and accessible user experience. You can also make a free account without giving any credit card information. Literally just email. I think the free account would work great for what you’re looking for and gives you cloud storage. If you want to move away from cloud storage, I would recommend KeePass. Both are free and open source, so you don’t have to worry about giving identifiable information over at all.

I will test bitwarden and see if it compares well to the current manager i am using.

A few questions about bitwarden that you might know:
1- Do you receive login alerts whenever someone logs into bitwarden? This seems like such a simple feature but it’s quite important for me (especially for a password manager). I know 1password does this for every login.

2- Can you search your password by password instead of by login or website? another thing that seems silly, but i am cross checking some repeated passwords and searching by pasword instead of login in the searchbox is critical. Some password managers don’t allow this.

3- Do you get breach notifications for all your emails? (considering you have hundreds of emails), or only for 1?

Cheers and thanks for the recommendations!

So this Onlykey is like any other password manager and also a hardware key?

Why would you need a password manager and a hardware key? Unnecessary.

The same encryption lastpass used.

No. Not at all. Security isn’t a destination, its a journey.

@privdom3

ONLYKEY is a hardware key that is password protected (unlike yubikey), it can be used as a credential filler (I wouldn’t use it as a password manager since it stores 24 slots, but it is best to store your most used logins on it.)

You need a password manager to generate a random strong password for each account and store it securely, and the hardware key is used as a backup 2FA.

Lastpass is closed source, they can say whatever, you won’t know for sure, bitwarden is open sourced, audited, and complies with industry standards (not all password managers do that)

A journey for sure, but what I mean by it is that you have to follow all of those steps and not just some of them.

1- If you use bitwarden premium then you can store your 2fa keys there as well and it will display the code, this is what I do, but I also have a backup authenticator app just in case.

2- Bitwarden’s usability have become amazing over the past few years, there are a lot of features that are available for free, but If you truly want to experience the greatness you gotta go premium, it’s only 10$ a year.
As for credit card it is not mandatory, I pay with bitcoin which is an option if you want to go the secret route, and when it comes to aliases breach that is why I recommended simplelogin, which does notify you of all the breached aliases.

3- if you have proton unlimited then you will get simplelogin premium for free, it’s a great option, but I would still add a PGP key encryption for your aliases if you want to be extra careful.
And as for usability, there are apps which allows PGP implementation, so your usability remains the same.

And lastly once a password has been cracked then you don’t really need to search using a hash, just use a different password, there are paid services which provides you a list of dark web password databases, but they are very expensive, unless you are a company, you don’t really need to worry about that, just follow what I said in the beginning to a tee and you will sleep peacefully.

I do have to stress this more in regard to your password manager account getting hacked, If you use your hardware key to fill in your password, and it is above 40 random characters then there is no way for a hacker to attack your account whether it is social engineering or it being saved on a piece of paper, you eliminate the human factor and that is why most hacks truly happen, human error.

1- yes, you get a notification with any attempted login, with their location and everything.

2- How would you search by password if all of them are random and unique?! But there is a tool that will show you exposed passwords, repeated passwords, weak password, and accounts that can use 2fa, but you haven’t enabled that option (if you store 2FA keys on bitwarden)

3- with aliasing you have a main inbox, which ever alias is linked to that mailbox will receive an email that the alias been in a breach and needs to be deleted.

Thank you so much for the recommendations!

Regarding searching by password. Many of my old passwords are written by hand by me (including the one that was hacked recently), these passwords follow a pattern that i know. This is why i want to search passwords by hand to see if there are repetitions or easily guessable connections between breached passwords. Obviously in the future i will change my strategy as we already discussed, but this is to understand the hack that already happened.

Regarding breaches for aliases i didn’t understand what you mean, i think simplelogin itself does not offer breach reports, and i am not sure if bitwarden offers breach reports for all separate aliases in every login?

In that case I suggest that you enter all of your accounts into bitwarden and run their breach report tool, it will show you which passwords have been exposed.

Regarding aliases, simplelogin does provide a breached alias analysis,.
When you create new aliases, you get an option in the filter that says breached aliases, you also receive an email on your main mailbox if an alias was detected in a breach.

The use of bitwarden and simplelogin together is a must.

If you have any questions don’t hesitate to ask, even if it’s not related to your hack, I worked in an IT field, and currently in cyber security, I’ll be happy to spread the knowledge.