I got hacked

You never think it’s gonna happen to you but it does.

I was trying to log into my email today to check for, you know, emails, and noticed that it wasn’t accepting my password. I immediately went into high alert, assumed the worst, and asked for a text to be sent to my phone number so I could reset my email password. Guess what, I checked my phone and it said “No service”. This is when I went into panic mode. I called my carrier immediately and asked them what was going on. Turns out one hour earlier, someone in Alberta (I’m from Ontario) went to a physical store operated by my carrier (cause we need those), nullified my SIM card and got a new one for themselves, using my original number.

I got my phone number back right away but I think the damage is done at this point. They probably managed to bypass the 2 factor, log into my email and Bob’s your uncle.

I called my bank and they couldn’t do much because nothing has gone wrong on their side, so I logged into my paypal and changed the email address so the culprit would not be able to reset my paypal password and gain access there.

Here’s the kicker, my main email account is a yahoo account from 2002 that I’ve kept running. I do have a Gmail account, obviously, but that’s not where the dough is made. Right now I’m unable to reset my Yahoo! account password because “sent too many SMS for 24 hours”.

I don’t know what to do or what other steps I should take at this point. I think I’ve taken enough precautions but that’s something I didn’t think would happen. Social engineering to that degree.

7 Likes

Wow. I’ve heard of similar social-engineering attacks on mobile carriers before, but I always assumed they were targeted at really high-value targets. Public figures and such.

The closest experience I’ve had was years ago. I had a long-abandoned account on a crappy free web hosting site from when I was in high school. Long story short…plaintext passwords. This was before I used a password manager, so I had to re-key every one of my accounts I could remember. No evidence that anyone got in, though.

I sleep better at night with a TOTP app on my phone, and mobile-number backups turned off. Still, that’s scary stuff.

I did some investigating, logged into my carrier account and figured out what was sent and received. Here’s what happened:

So here’s the timeline:

2: When I sent the last message from my phone that day before being alerted to the situation.
1/3/4: First fraudulent activities. 1 and 3 seem to be some sort of a subscription service, it cost $0.40, I don’t know exactly what it is. 4 is the yahoo server returning a pin code to bypass the password. Five attempts.
5: Another unknown number. Not sure what to make of it.
6: My attempt at regaining access to my yahoo account, not knowing my phone number was compromised.
7: SIM card restored.

You guys have any ideas?

Stating the obvious, but inform police/authorities?

3 Likes

I second this. No, it’s not fun to have a police report made out for this sort of thing, however, it can be a life saver if there is any real compromise of your identity or financial fraud in the future.

Having some kind of “police report” would help in case you run into identity theft issues.

Additionally, there are relatively cheap and non-bulky fireproof document bags (usually waterproof as well) that you could buy. They’re useful for storing your 2nd factor backup codes, LUKS encryption keys, backup second factors and other things you can reasonably print out, or just write down. (You know, for when your phone dies a horrible boot loop and you need to be able to access your account.)

Some people store these in safety deposit boxes - some people store them in safes maybe in their second home.

IMHO, having these, and maintaining that they work at least on backup day once a year, despite that being a hassle is an important part of what some people call “adulting” these days, same as paying taxes… (but potentially more useful than paying taxes depending on the day of the week and who you ask)

3 Likes

Having 2FA on your online services is a must, you can put it on popular email services to secure your accounts from scum like them. There’s a simple app called “Google Authenticator” on Android (not sure about Apple) to store all your keys, just make sure you also store backup codes to those services on an encrypted medium that’s in a safe and secure place just in case your password-locked phone is stolen.

This way there is very little these [insert profanity here]'s can do about it. SMS/Email plain authentication alone is not secure, like, at all. You have to use more secure methods to prevent social/unethical hacking to occur.

And no, rolling your face on the keyboard to create a password is not enough nowadays…

And if a service does not provide 2FA functionality, don’t use them, condemn them for it, and go elsewhere that provides it.

1 Like

Hey, sorry to hear about the ordeal, but glad you posted to help others out!

Well, last year somebody called Bell and managed to get my parents’ business line deactivated even if his fake name was not in the profile. We only noticed the line had been cut because my sister tried to call home and didn’t succeed.

Turns out the guy was a bit sloppy at cleaning his trail, he deleted the emails that he received during his “visit” but forgot to remove them from the trash.

Turns out he reset the password on my coinbase account that I have not used in two years, using my number to bypass the 2 factor, and tried to buy some bitcoin but the transaction didn’t go through. I never keep my crypto in an online exchange or on a computer that’s connected to the internet so I suppose my cautious approach paid off in the end.

9 Likes

Very interesting, maybe it was a PI doing research on you/your place of work :face_with_monocle: if you are married, PIs are usually hired by wives/husbands/parents who suspect cheaters… and when they suspect it the PIs usually find it’s true.

It’s good to know that you recovered, but I have to ask, why does coinbase have a recovery option for phone numbers? Seems like a security risk, nowadays we use emails or backup codes as a recovery option (or done properly, security questions). Kinda out of date don’tcha think?

Having 2FA on your online services is a must […] There’s a simple app called “Google Authenticator”

There’s known malware in the wild that steals Google Authenticator-style OTP credentials.

If you’re implementing 2FA in 2020, look at FIDO, not OTP-based options like Google Authenticator.

It’s the future, and devices that handle it are cheap.

I am sorry to hear that you have become a victim of these scum.

I wrote about it once that SIM methods are becoming more common but hardly anyone listens. 2FA based on SMS is not security!
https://forum.level1techs.com/t/too-smart-to-be-secure/153302/2?u=timholus

2 Likes

I need to come back to this tonight but just a thought. Did they go after anything else or just Coinbase? Because if it was just crypto then it sounds more like a targeted attack.

2 Likes

FIDO U2F is good but you have to spend $ and not always one key is enough.
The problem with OTP is how people use it, not the solution itself. Theft is taking place because people use everything on one device that is online.

Good security is uncomfortable … people don’t care about a higher level of security because they prefer convenience …

If a person uses the same pc / tablet / smartphone to login, store l / p and 2FA then the level of security is immediately lower.
OTP should be a separate security mechanism implemented on a physically separate device that should not be online and only the owner has physical access to it.

For example, I have a dedicated laptop with an encrypted SSD using VeraCrypt and WinAuth for OTP. The laptop is always offline. Only I have physical access. When I have to log in and use 2FA it generates a code and I just look at the screen … Try taking over my 2FA! :wink: But this solution is not very comfortable and it is certainly not a mobile solution, so the average person will never use it.

2 Likes

Optimally, everyone will carry around a separate, non-NFC, non-USB, non-internet-connected device for their OTP, and then use their cellphone for the complex passwords. Obviously not realistic for all, but this is a very good way to reduce the possibility of accounts being compromised. Fuck NFC badges. Fuck SMS MFA. Fuck weak passwords. Offline MFA + password complex password database FTW.

Edit: Forgot to mention; bank cards and credit cards are a form of MFA, for those unaware; the physical card is a (mostly) offline card required for a transaction, with the (not-so-complex) password in your brain.

:wink:

What happens if that thing just implodes?

In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.

OOF