Help. How did this hack happen? I'm ready to pay for a private consultation

First, glad you got your account back under your control. Too much of a spook for Christmas to be sure.

Based on how much you know in your explanation, I’m going to assume that the password used was a strong password and not something basic. Also going to assume that it’s not a reused password from another account, though if you were somehow able to check whether those credentials were leaked, I guess it’s not that.

You mentioned saving the credentials on your browser. Is your computer the only browser that you are logged in on? Is there another computer in your home or maybe an old computer that you lost or gave away that could still have your browser profile logged in? That’s one way the attacker could have gotten it, but then I wonder why they didn’t go for something like your bank account.

Has the password ever been shared? Is it something that someone could guess if they knew you?

Is there a reason that you might be targeted online rather than getting caught up in some mass data breach?

Did you get notifications before they logged in saying “hey, someone is trying to log into your account”? Were they just able to get in? Relatedly, can you check to see where that IP is geographically? Is it your home town or Timbuktu?

These are just the first questions that come to mind. There could be simpler explanations. Hopefully more people in the community can help you more.

3 Likes

That’s your first mistake (from reading your post). Saving a password to your browser is quite insecure, with known vulnerabilities. Doubly so if you have auto-fill enabled… never do this.

Was the IP from the public network? You should be able to do an IP lookup, and get a vague location. Also, no. Depending on the type of attack, you could still get a notification. I get them all the time, on my home network (all connections from me, and legit).

Without knowing more, I don’t think I can help much further. However, a few tips to avoid this in future.

  1. Use a reputable password manager, like Bitwarden or Keepass.
  2. If possible, use the password manager's application, and not the addon. This will help, but is not a must.
  3. TURN OFF AUTOFILL.
  4. Have your browser delete browser data on exit.
  5. Use a VPN on public networks. Proton is a good free option. If paying, I recommend Mullvad or IVPN.
  6. Keep your browser and operating system updated. Automatic updates are annoying, but important if you’re the type that does not check.
  7. Whenever possible, use 2FA. Try to avoid SMS 2FA… but it’s better than nothing.
  8. Have a password manager generate a random, unique password for every login. Never reuse details.
  9. Do not rely on pwning sites to see if your info has been leaked. They’re great, but tend to use out of date info.
  10. Have the password manager clear your clipboard after a few seconds.

5 Likes

If you are reusing the same password multiple places, that could very likely be why you got hacked.

Or if the password wasn’t very strong, it could have been brute forced.

(optional) 11. Check SimpleLogin and/or AnonAddy and, besides a unique password, create a unique email as well.

Name of the social media?

Maybe through social engineering? Maybe someone close to you, like a friend or something? Do you post a lot of stuff on Facebook or other similar social media? It’s hard to tell a lot of stuff just from a few paras, sorry.

Not a great plan.

Look, it’s important that you keep a calm head. Change your password to something complicated and long, or use that money you are going to pay for a useless “consultation” to buy yourself a YubiKey, set it up as an authentication method, and you are good to go!

Again if the social media you are using has flawed security on the server side, nothing can help.
Sometimes you really can’t do anything and things are just not under control.

1 Like

Thank you everyone for the replies!! I made an update to the original post including more details (see at the end of the post).

I am trying to reply to everyone but the forum only allows me to mention 2 users per post.
@anon73850698 @Blurb5778

By the way, why is autofill a bad idea?

For many years now, there have been vulnerabilities in how autofill works. One very well known vulnerability allows malicious actors to create invisible forms. You can learn more about that here:

1 Like

Look, things like this will get your head boiling (I know that from experience), just forget why it happened, what is important is that you know you have been targeted.

The most probable explanation is that a service where you used this password was hacked, and your password’s hash was leaked in the dark web, which is why it wasn’t shown in haveibeenpwned yet.

A similar thing happened to me on multiple services, and this is when I decided to go to the extreme and beef up my security in a way that even if I were interrogated, they wouldn’t access a single account.

DISCLAIMER: this is extreme IMO, and it will take several weeks to do if you have hundreds of accounts like me.
You need to go into each account you have, change the password to a random 64 character password, remove your phone number, and set up 2FA that is using an authenticator app or a security key only.

1- Buy a security key called ONLYKEY, it’s like a Yubikey, but it allows you to protect it with a password, store 24 credentials, a self-destruct code (for your enemy if they ask) and store a Yubikey (if you have an existing one) to simulate its code creation.
Set it up, and create a super complex master password (something like this h&#I49P2A#!QZ^s5K1rq363X@q^v8$*QOR34vGocDJC^Z) and store your master password on that key only.
2- Get Bitwarden password manager, and migrate all of your accounts onto there, and delete any credentials from your browser or any other password managers (LastPass is shit, and it was hacked multiple times before).
Use your ONLYKEY to add your master password, set up 2FA for your Bitwarden account and your other accounts.
3- Create a new email, use a service called SimpleLogin and change the email of each service you have to a new pseudo email, which you should encrypt with a PGP key, then redirect all your emails to the newly created email. That way, even if you use Gmail, only you can read your emails since all the emails are encrypted, and each service will have only that pseudo email address; if they are breached, your main email is secure. (SimpleLogin is also open-sourced)

If you do this, then your master password for your password manager will be 100% secure because even you won’t know it, and your accounts will be secured because Bitwarden is not only open-sourced and never been hacked, but also uses an advanced encryption technique (AES-CBC 256-bit with PBKDF2 SHA-256) which makes it impossible for anyone other than yourself to see your accounts’ credentials (zero trust model).
Bitwarden uses a method of autofill which prevents keylogging, and your passwords won’t be stored in the clipboard when autofilling.

I store all of my banking details, my identities, my cards, and my 500 accounts with this technique since 2018. I check for breaches regularly (on the dark web as well) and none of my accounts were compromised ever since.

Like I said, it is a super complex procedure, it takes weeks to do, and it will force you to carry your ONLYKEY with you (or your phone with Bitwarden using biometrics on it) all the time.

If you are up for it give it a go, but you can’t half-ass it, you have to do everything, or it won’t give you the peace of mind that you want.

2 Likes

Thank you for your message! Super appreciated.

I am taking a similar approach to you, with some variations.

1- I did not buy a security key yet, I am currently traveling around the world and it would not arrive on time because I am constantly changing places, but I am activating 2FA everywhere, and I am keeping it in a separate app from the password manager. By the way, what is your opinion about storing 2FA inside the password manager? Would you feel ok with that?

2- I read Bitwarden has poor usability (I did not test it) and also they are based in California which makes their privacy policy a bit strict. For example they require you to have a credit card in their system, which reveals your identity. I used another password manager which can be paid with crypto only without credit card. But they are newer in the market. Also, does Bitwarden alert you for your hundreds of aliases on a possible breach? Or do they alert you only on your main address? (the latter would be quite useless).

3- Regarding new email, I am moving all my infrastructure from Gmail to Proton. I got the premium plan. Is there any reason you would still use Gmail? Also, if you have encrypted emails on Gmail I guess you cannot use the Gmail app on your phone, right? Which affects usability.

Thank you!

P.S: regarding the password hash, is there any way to search by password hash instead of by password?

If you’re currently using a dedicated authenticator app and it works for you, I would continue to use that. Yes, you are technically raising an extra barrier by turning on 2FA for an account, but if someone gets into your password manager, it’s game over because they will have the password and the one-time password. By keeping the TOTP in a separate app, you’ve made it harder for the attacker.

I switched to Bitwarden after the recent LastPass news and I find it to have a great and accessible user experience. You can also make a free account without giving any credit card information. Literally just email. I think the free account would work great for what you’re looking for and gives you cloud storage. If you want to move away from cloud storage, I would recommend KeePass. Both are free and open source, so you don’t have to worry about giving identifiable information over at all.

2 Likes

I will test Bitwarden and see if it compares well to the current manager I am using.

A few questions about Bitwarden that you might know:
1- Do you receive login alerts whenever someone logs into Bitwarden? This seems like such a simple feature but it’s quite important for me (especially for a password manager). I know 1Password does this for every login.

2- Can you search your password by password instead of by login or website? Another thing that seems silly, but I am cross checking some repeated passwords and searching by password instead of login in the searchbox is critical. Some password managers don’t allow this.

3- Do you get breach notifications for all your emails? (considering you have hundreds of emails), or only for 1?

Cheers and thanks for the recommendations!

So this Onlykey is like any other password manager and also a hardware key?

Why would you need a password manager and a hardware key? Unnecessary.

The same encryption lastpass used.

No. Not at all. Security isn’t a destination, its a journey.

@anon73850698

ONLYKEY is a hardware key that is password protected (unlike yubikey), it can be used as a credential filler (I wouldn’t use it as a password manager since it stores 24 slots, but it is best to store your most used logins on it.)

You need a password manager to generate a random strong password for each account and store it securely, and the hardware key is used as a backup 2FA.

LastPass is closed source, they can say whatever, you won’t know for sure. Bitwarden is open sourced, audited, and complies with industry standards (not all password managers do that).

A journey for sure, but what I mean by it is that you have to follow all of those steps and not just some of them.

1- If you use Bitwarden premium then you can store your 2FA keys there as well and it will display the code. This is what I do, but I also have a backup authenticator app just in case.

2- Bitwarden’s usability has become amazing over the past few years, there are a lot of features that are available for free, but if you truly want to experience the greatness you gotta go premium, it’s only $10 a year.
As for the credit card, it is not mandatory, I pay with bitcoin which is an option if you want to go the secret route, and when it comes to aliases breach that is why I recommended SimpleLogin, which does notify you of all the breached aliases.

3- If you have Proton Unlimited then you will get SimpleLogin premium for free, it’s a great option, but I would still add PGP key encryption for your aliases if you want to be extra careful.
And as for usability, there are apps which allow PGP implementation, so your usability remains the same.

And lastly, once a password has been cracked then you don’t really need to search using a hash, just use a different password. There are paid services which provide you a list of dark web password databases, but they are very expensive; unless you are a company, you don’t really need to worry about that, just follow what I said in the beginning to a tee and you will sleep peacefully.

I do have to stress this more in regard to your password manager account getting hacked: if you use your hardware key to fill in your password, and it is above 40 random characters, then there is no way for a hacker to attack your account whether it is social engineering or it being saved on a piece of paper. You eliminate the human factor, and that is why most hacks truly happen, human error.

1- Yes, you get a notification with any attempted login, with their location and everything.

2- How would you search by password if all of them are random and unique?! But there is a tool that will show you exposed passwords, repeated passwords, weak passwords, and accounts that can use 2FA but you haven’t enabled that option (if you store 2FA keys on Bitwarden).

3- With aliasing you have a main inbox; whichever alias is linked to that mailbox will receive an email that the alias has been in a breach and needs to be deleted.
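The two questions in this exchange (finding reused passwords in a hand-written set, and whether a leaked password can be looked up by its hash rather than in the clear) can both be answered offline. The added example below is not from any poster in this thread: it groups logins by shared password, and it implements the k-anonymity "range" lookup that haveibeenpwned's Pwned Passwords service uses, where only the first five hex characters of the password's SHA-1 are sent and the returned list of suffixes is matched locally. The range response embedded here is constructed (the breach counts are made up), and the endpoint URL is assumed from the public API.

```python
import hashlib

# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6.
# Each line is <35 remaining hex chars of the SHA-1>:<number of breach sightings>.
# The real service is queried with GET https://api.pwnedpasswords.com/range/<prefix>,
# so the full hash (and the password) never leaves your machine.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix to send, 35-char suffix to keep local) of the uppercase SHA-1 hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL for the k-anonymity range query (assumed public endpoint)."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password was seen in breaches, per a range response; 0 if absent."""
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def reused_passwords(entries: dict[str, str]) -> dict[str, list[str]]:
    """Map each password shared by more than one login to the logins that use it."""
    by_password: dict[str, list[str]] = {}
    for login, password in entries.items():
        by_password.setdefault(password, []).append(login)
    return {pw: logins for pw, logins in by_password.items() if len(logins) > 1}


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print(range_url(prefix), "->", pwned_count("password", SAMPLE_RANGE_5BAA6))
```

In practice you fetch `range_url(prefix)` yourself and pass the response text to `pwned_count`; the suffix comparison stays on your side, so the service never learns which password you checked.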

Thank you so much for the recommendations!

Regarding searching by password. Many of my old passwords are written by hand by me (including the one that was hacked recently), these passwords follow a pattern that I know. This is why I want to search passwords by hand to see if there are repetitions or easily guessable connections between breached passwords. Obviously in the future I will change my strategy as we already discussed, but this is to understand the hack that already happened.

Regarding breaches for aliases I didn’t understand what you mean, I think SimpleLogin itself does not offer breach reports, and I am not sure if Bitwarden offers breach reports for all separate aliases in every login?

In that case I suggest that you enter all of your accounts into Bitwarden and run their breach report tool, it will show you which passwords have been exposed.

Regarding aliases, SimpleLogin does provide a breached alias analysis.
When you create new aliases, you get an option in the filter that says breached aliases, you also receive an email on your main mailbox if an alias was detected in a breach.

The use of Bitwarden and SimpleLogin together is a must.

If you have any questions don’t hesitate to ask, even if it’s not related to your hack, I worked in an IT field, and currently in cyber security, I’ll be happy to spread the knowledge.

Thank you!
I searched inside SimpleLogin and I cannot find that breach alert anywhere, do you have a screenshot?