Email Was Hacked Then Used to Steal over $25,000 from Online Accounts. What Else Can I Do?

Hey guys, thought I would put this one through the community before I completely give up on it.

Early last year I started investing and trading in some cryptocurrencies/blockchain stuff before the all-time highs, as well as building a small mining rig to play around with, learn more about how it all works and hopefully let it earn a little in the process.

Earlier in January/February this year, while on an overseas trip in SE Asia, my primary email/webhost somehow got hacked, data mined, then used to break into as many financial, cryptocurrency and a few online shopping accounts as possible using the forgotten/reset password feature on all sites.

Aside from my email they did not have any other passwords at all. They intercepted, confirmed/approved transactions and deleted incoming emails before any reached my phone, which has a popup/notification when it does. Due to transaction limits they were in there about a week clearing out my accounts, then managed to get into my Google account, changed the password, linked number, data mined email and apps, which is the morning I woke up to find out everything that happened.

They stole just over $25,000 at the time across Coinbase, Poloniex, Bittrex, Binance, Coinjar, Nicehash, Steemit accounts which also had all my travel funds mixed in there.

As soon as they knew I found out my email was compromised they changed the passwords and locked me out of there. I'm guessing a lot of it is heavily script based and they do this to hundreds to thousands, because they were steps ahead of every move I could make. I used Cpanel/WHM to change my email password and later found out the hackers also had access from the webhost's own account/billing user portal, which can open up Cpanel/WHM/Webmail at a click. My webhost/email host is a local Aussie-based one.

Basically got stuck in SE Asia and had to contact parents to borrow some funds to cover the accommodation and flight back to Sydney.

Since getting back they managed to break into my Webhost/Email twice and narrowly failed attempts with my Google one a few weeks apart. I was on the phone with support during one of the attacks and they were barely able to do much and took a while to block them. IP showed it came from Brisbane and Istanbul but probs a proxy/VPN.

I had filled out and put in a report with ACORN, which police said to do, and FBI (don't think they even care). It took over a month for a response from ACORN which basically said since the hackers are based overseas they can't do anything, then a line about sending money to strangers (as if I sent funds through Western Union or so). The online exchanges assisted in getting access back to my accounts but gave the tone of tough luck the hackers got your money, use 2FA, "please come again".

My biggest frustration with them is they needed my passport/licence and all sorts of details to open up an account and yet served it up on a silver platter for hackers without any additional verifications - just an automated online process and instant access to funds. They could have asked additional questions or called the number linked at time of signing up to verify.

My local webhost/email provider was the weakest point in terms of security and allowed access to almost everything. They won't enable 2FA as part of their security and take no accountability.

I've since changed to a much more secure email provider and separated my website from it onto a separate provider. I've tried to address as many of the security flaws as I could and get over it, but it's been a hard year trying to get back on top of finances and also my partner getting sick and needing regular hospital stays right into December.

So without much hope and trying to move on is there anything else left I can do in getting any of it back?

Cheers
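The takeover pattern described in the post (a login from an unfamiliar location, then reset/approval mails deleted seconds after they arrive so the owner's phone never sees them) is detectable on the mail-host side. The following is an added example, not code from the original thread or from any provider; the log format, the event names (LOGIN/DELIVER/DELETE) and the sample lines are constructed, and the known-location baseline is a hypothetical per-user setting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample mailbox audit log (hypothetical format, not any real
# provider's). Events: LOGIN, DELIVER (message arrived), DELETE (message removed).
SAMPLE_LOG = """\
2018-02-03T01:12:40Z LOGIN user=op@example.com ip=203.0.113.7 geo=AU-Sydney client=phone-imap
2018-02-03T02:05:11Z LOGIN user=op@example.com ip=198.51.100.9 geo=TR-Istanbul client=webmail
2018-02-03T02:06:02Z DELIVER user=op@example.com from=no-reply@exchange-a.example subj="Password reset request"
2018-02-03T02:06:30Z DELETE user=op@example.com ip=198.51.100.9 from=no-reply@exchange-a.example subj="Password reset request"
2018-02-03T02:09:15Z DELIVER user=op@example.com from=security@exchange-b.example subj="Confirm your withdrawal"
2018-02-03T02:09:44Z DELETE user=op@example.com ip=198.51.100.9 from=security@exchange-b.example subj="Confirm your withdrawal"
2018-02-03T03:00:00Z DELIVER user=op@example.com from=newsletter@shop.example subj="Weekly deals"
2018-02-03T03:20:00Z DELETE user=op@example.com ip=203.0.113.7 from=newsletter@shop.example subj="Weekly deals"
2018-02-03T09:30:00Z LOGIN user=op@example.com ip=203.0.113.7 geo=AU-Sydney client=phone-imap
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<event>[A-Z]+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Subjects that signal a reset or approval mail an account thief wants to swallow.
SENSITIVE_SUBJECT = re.compile(r'password reset|reset your|confirm|verification code|withdrawal', re.I)
# A person rarely deletes such mail within seconds of delivery.
FAST_DELETE = timedelta(minutes=5)


def parse_line(line):
    """Turn one log line into a dict of fields; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # findall yields (key, quoted_value, bare_value); exactly one value form is filled
    fields = {k: q or v for k, q, v in KV_RE.findall(m['rest'])}
    fields['ts'] = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
    fields['event'] = m['event']
    return fields


def detect(log_text, known_geos):
    """Return alerts for logins from locations outside the user's baseline and for
    sensitive mail deleted shortly after delivery (escalated when the deleting IP
    is one that also logged in from a new location)."""
    alerts = []
    flagged_ips = set()
    delivered = {}  # (sender, subject) -> delivery timestamp
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e['event'] == 'LOGIN':
            if e.get('geo') not in known_geos:
                flagged_ips.add(e['ip'])
                alerts.append(('new-location-login', e['ip'], e.get('geo')))
        elif e['event'] == 'DELIVER':
            delivered[(e['from'], e['subj'])] = e['ts']
        elif e['event'] == 'DELETE':
            t0 = delivered.get((e['from'], e['subj']))
            fast = t0 is not None and e['ts'] - t0 <= FAST_DELETE
            if fast and SENSITIVE_SUBJECT.search(e['subj']):
                severity = 'high' if e['ip'] in flagged_ips else 'medium'
                alerts.append(('fast-delete-sensitive-mail', e['ip'], e['subj'], severity))
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG, known_geos={'AU-Sydney'}):
        print(alert)
```

On the sample log this raises one new-location alert for the Istanbul login and two high-severity alerts for the reset and withdrawal mails deleted within 30 seconds of arrival; the newsletter deleted 20 minutes later from the usual location is ignored. The two signals are deliberately combined: a new-location login alone is noisy for a travelling user, and quick deletions alone catch tidy inbox habits, but together they describe exactly the week-long drain the post recounts.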

Comments

  • +17

    Should have used 2FA

    • +1

      This + a million…

2FA on anything 'financial' that lets you is a no brainer.
Authy to sync between devices and it's very very minimal effort to use.

2FA makes it harder but not impossible. It's not your everyday variety of hackers.

      Google had their sms and phone notification thing which they managed to get past and use alternate email which was my primary and changed the number too while they were at it.

      Binance supposedly had 2FA with google authentication

The others would send out an email for each transaction/transfer which has an authorization link in it, so they couldn't move funds without access to both the site and email account.

      Coinbase always sent an SMS with a verification code just like CBA's netbank and that got cleared.

      They seemed to know just about every vulnerability and exploit.

      • Did you use the passwords anywhere else?

        They may have simply gotten your username and password from an unrelated data breach somewhere.

        May even have nothing to do with SE Asia, a mere coincidence

One of the guys asked me to check the https://haveibeenpwned.com/ site. My email came up twice:
Anti Public Combo List (unverified): December 2016 - Compromised data: Email addresses, Passwords
Onliner Spambot (spam list): August 2017 - Compromised data: Email addresses, Passwords

          I haven't changed the email password past those dates so that was a possibility

          My home desktop was completely switched off and unplugged from the wall before I left for the trip.

Too many possible ways in identified, and the host's email backup system managed to delete the emails the hackers deleted, and couldn't get much out of the site's logs either to help isolate the exact way of entry.

          Once they got in though they were able to get in repeatedly and through a total of 3 password changes.

        • +2

          @chrisd82:

          HIBP doesn't have all the breaches, only the known ones, and out of those where Troy has the data.

          It probably only covers a very small percentage of breaches.

  • +1

    Yeah sorry, I can't help but thanks for the heads up and reminder to check my own accounts for these weaknesses.

  • That sucks OP :(

    • @.@

    • wut

  • +1

Sorry but I don't think you can do anything. Think of those coin exchanges that were supposedly hacked. There were millions in coins and those guys never got it back. BTW: I'm guessing you used a free wifi spot in Asia, logged in to your email, they recorded that info.

    • Just double checking, having a vpn on free wifi would prevent this right?

      Or orbot

      • Sorry but I'm not an expert in networking technology so I can't say definitively if it does or doesn't.

      • It wouldn't hurt.

I tried using a blockchain explorer to follow one of the addresses funds got moved to. It paints an extremely disturbing picture and I got lost when it got to an address that had about 1.8 billion USD pass through it. Could be their address or one of the exchanges, but these guys are stealing far into the millions.

    • That would imply SSL is broken. Is it?

      Most cases I hear like this are due to people using internet cafes.

      • If VPN was on, a person on the internet cafe network couldn't see any of your traffic assuming the VPN is setup correctly.

  • Take care OP.

  • Ouch.

  • +1

    Op, of the amount you lost, how much was profit and how much was capital?

    • Probably got in at the peak

I started buying bit by bit from about April last year and probably held over 30 types of coins across 7 sites/exchanges. It's hard to guess exactly how much without going through all my past transactions, but my guess is maybe $10K AUD. At the all-time high the value was over $50K AUD, then there were a few weeks of crashes which put it at just over $25K. I stopped keeping track but maybe anywhere $12-16K value today with all the lows this year, which is still more than what I bought most of them for last year.

  • +1

    F

  • +1

    It's a terrible story.

    You didn't have money stolen though.

    Have you investigated suing the host?

Cryptocurrency now I guess is seen as an asset and subject to capital gains tax and whatnot when you sell.
I consider it money as I can transfer it from any of the exchanges to my local Aussie-based exchange, sell/trade it for AUD, then transfer it to my bank account, which takes anywhere from 1-3 days, then if I choose to can withdraw it as hard cash in my hands. ATO will probably get some record of the transaction which they will tax me on. So I consider that money stolen, just not in AUD.

  • Name and shame the host. However please tell me you were NOT using your email on unsecured networks in southeast Asia????

    • How is it the hosts fault?

Using internet on my phone or laptop connected to phone and to their carrier (Smart/Globe). I had both sim cards because depending on which island I was on one has a better signal. Never used any mobile hotspot or hotel/resort wifi because I didn't trust them for this reason, and it still managed to happen and I couldn't figure out how. The email app on my phone saves the password, as does Thunderbird on the laptop. I've never once had to manually type them in, so a keylogger or so in the system shouldn't have had a way to grab it.

      Not sure if name and shame is the way to go but I think I originally found them here on Ozbargain about a decade ago under a different name/owner to what it is now. Security wise I managed to call support and get password/email linked changed without them asking me any security/verification questions - one of the scenarios on security audit was the whole social engineering bit or automatic password recovery.

Aren't logins and dealings with these sites encrypted by HTTPS? Can hackers still find your information by using an unsecured network?

Not sure how they compromised it, and they definitely didn't know what I had until they got into the email address and mined through it all for any useful details.
When they got into the Google account, aside from email they also managed to go through cloud-based apps like Google Keep, where I store my bank account number/BSB and also an active key for both mine and my partner's Steemit account which I forgot to remove. They were able to find it, identify what it is and use it to gain access to and steal any liquid funds.

Just another vulnerability identified before on webhosts, even if email is separate but uses the domain: if hackers get into either the web portal, WHM or Cpanel, they can change the email's DNS settings to point to one of their own servers, take control of the address, and again try the forgot/reset password feature on a list of common sites to see if there's an account there.

      That was one of my major worries that led to me having to completely change webhosts after failed attempts trying to get them to enable 2FA in their systems.
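The exposure described in this comment (anyone who can reach the hosting portal, WHM or cPanel can repoint the domain's MX records so every password-reset mail lands on their server) is something the domain owner can watch for independently of the host. Below is an added example of such a baseline check, not the host's tooling or any code from the thread; the domain, record values and `dig +short`-style output are constructed, and the baseline is a hypothetical snapshot taken while the account was known-good.

```python
# Expected records for a hypothetical domain, captured when the hosting
# account was known-good (placeholder values).
BASELINE = {
    "MX": {"mail.example-host.net"},
    "NS": {"ns1.example-host.net", "ns2.example-host.net"},
}

# Constructed answers in the shape `dig +short MX example.com` prints.
# In a scheduled run these strings would come from the live resolver.
OBSERVED_OK = {
    "MX": "10 mail.example-host.net.\n",
    "NS": "ns1.example-host.net.\nns2.example-host.net.\n",
}
# A repointed domain: the legitimate MX is still present, but a lower
# preference value (5 beats 10) sends all mail to the new host first.
OBSERVED_HIJACKED = {
    "MX": "5 mx.unknown-party.invalid.\n10 mail.example-host.net.\n",
    "NS": "ns1.example-host.net.\nns2.example-host.net.\n",
}


def parse_short(rtype, text):
    """Normalise dig +short output for one record type into a set of hostnames.
    MX lines are '<preference> <host>.'; NS lines are just '<host>.'."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = line.split()[-1] if rtype == "MX" else line
        hosts.add(host.rstrip(".").lower())
    return hosts


def check_domain(baseline, observed):
    """Compare observed records against the baseline as full sets.
    Returns a list of (record_type, 'unexpected'|'missing', [hosts]).
    Checking only that the expected host is still present would miss the
    hijack case above, because the attacker adds a record rather than
    replacing the original."""
    findings = []
    for rtype, expected in baseline.items():
        seen = parse_short(rtype, observed.get(rtype, ""))
        unexpected = seen - expected
        missing = expected - seen
        if unexpected:
            findings.append((rtype, "unexpected", sorted(unexpected)))
        if missing:
            findings.append((rtype, "missing", sorted(missing)))
    return findings


if __name__ == "__main__":
    print("known-good:", check_domain(BASELINE, OBSERVED_OK))
    print("repointed: ", check_domain(BASELINE, OBSERVED_HIJACKED))
```

The comparison is on whole sets rather than "is my mail server still listed", because an added MX with a lower preference value wins delivery while leaving the original record untouched. Run from a machine outside the hosting account (so that a portal compromise cannot silence it), an alert on any MX or NS change is an early signal of the address takeover the comment warns about.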

      • It is not a vulnerability, it is how things work…

  • Email Was Hacked Then Used to Steal over $25,000 from Online Accounts. What Else Can I Do?

    Just keep on thieving … You picked the path, stick with it.

  • +1

    Once into Google, it's scary how easy it is to get your passwords via:
    passwords.google.com

  • Ouch man, that really sucks… Because crypto is involved, I don't think anybody is likely to touch the issue. If they took out bank loans and the like, the bank would be on your side, but as you've already experienced from the crypto exchanges, they don't give a shit.

    2FA as others have said, and never store currency on exchanges… They're not banks, not secure, and can go Mt Gox on you any day. All your crypto should have been stored offline in cold wallets. Those 2 mistakes cost you a lot. You're not the only person I've heard have this happen to, except in the other 2 cases, they had very little on the exchanges.

    Don't trust exchanges with your fortunes, and raise the level of your security to a much higher standard. If you're on HIBP, I'd go for a new email address for instance.

  • +1

    I know that this is coming too late for you, OP, but always use some form of Cold Storage for Cryptocurrencies and NEVER leave them on the exchange. The "owner" of any given cryptocurrency is whoever has possession of the private key for the wallet; in the case of exchanges, they own the private key so technically own your funds. Cold Storage on a piece of paper is free, whereas you only need ~$150 for a more sophisticated solution like a Trezor encrypted dongle.

Personally I'd avoid any digital storage devices, especially the Trezor which has security vulnerabilities.

Paper wallet, or mnemonic phrases (for those that accept it) are the safest option. If you want to do it properly, get some waterproof, fire-retardant paper, and store it in a fireproof safe.

  • +1

    PROTONMAIL
