I got hacked

I'm a long time 1Password user, which I sync with iCloud. I have a Dropbox database as well, which I use on the handful of Windows computers I use often.

Heard from my bank today that my identity has been hacked. We got a letter about a week ago that we were part of the data breach at Premera. I've gotten letters from Target and Home Depot over the years, but I don't believe those breaches had the kind of information they needed for this one.

They had my SSN and DOB, and my credit card (a physical copy was presented at Target in Miami). I can't figure out how the information is connected, so I'm still struggling for a real answer.

They made 14 calls over 2 days:
1. From a Florida number (bank refuses to give it to me), they called the bank with SSN and DOB, used the automated system but failed on my zip code and phone number.
2. They called the next day and had the same situation.
3. 4 minutes later, they called again and spoke to a rep. They failed on spouse name and DOB, and my phone password. Somehow they let them in, and the notes say "chose caller".
4. 4 minutes later, they called in to the automated system. Failed zip and phone again, passed SSN again.
5. 2 minutes later, spoke to a rep. Passed with phone password, which they didn't have the day before. I'm guessing they gave it to him during call #3.
6. Later, spoke to a rep. They got in, with notes saying "recent contact". I have a feeling that they told the rep they got disconnected but were just verified, so they let them in.
7. Later, exact same situation. Got in using "recent contact".
8. An hour later, spoke to a rep and got in with my member ID. They said policy does not allow the reps to give out member ID, but when pressed, they did say that if the person was REALLY verified, they MIGHT give it out. At this point, they know my member ID, SSN, DOB, bank phone password, and credit card number.
9. 30 minutes later, someone from Georgia calls the bank. Failed to provide phone number and zip.
10. 5 minutes later, still GA, passed with credit card number and DOB, but failed on my child's info. They also verified the cars we have insured with the same entity (year, make, and model), and spouse DOB - but failed with the phone password they should have already had! Except maybe...maybe this is a different hacker, who had maybe bought the info from the same source.
11. Later last night, called in to the automated system and passed with SSN.
12. Later, talked to a rep, got in with phone password and "chose caller".
13. This morning, failed zip code, passed phone password.
14. Last call this afternoon, got in using "chose caller" talking to a rep.

I am now in the process of a security audit of my digital life. I already had two factor authentication for apple ID, but am going to start changing all my passwords, notify credit bureaus, put my other bank on notice, and I don't know what all.

I just changed my 1Password master password using the Mac app. I went right to my phone and it still accepted the old password. It made me think about the security of the product. In general, I feel comfortable with it, but do have one specific question:

Is there a display somewhere that shows me all my applications that are using 1password, devices where it's installed, etc? I have this for Evernote, and "revoked all".

I will likely be crossposting some version of this to other product forums that I use regularly. Any tips for getting through this are appreciated. I'm sure there is a lot I haven't thought of yet.

Thank you,

Jason

Comments

  • The unfortunate reality is that no amount of good practices on your end will stop identity theft if the organisations that you deal with are lax with their security. Them allowing access remotely without fully authenticating you is unforgivable.

    I just changed my 1Password master password using the Mac app. I went right to my phone and it still accepted the old password.

    This is a result of the "internal db + sync to external file" model they use. If you unlock the phone using the new password then the old one will no longer work.

    Is there a display somewhere that shows me all my applications that are using 1password, devices where it's installed, etc? I have this for Evernote, and "revoked all".

    No, because 1Password isn't a service. The only entity that knows where you have 1Password installed is you.

  • What do you mean, "1Password isn't a service"? Is Evernote a service? I think you're saying that 1Password isn't storing my data on their servers. I guess that makes sense, but it might make more sense to use a "service" that would help protect me from my own mistakes.

  • The trouble with storing data on their server is that it gives third parties a huge target, both for TLAs and criminals. Sure, the common recommendation to use Dropbox places a lot of user vaults in a predictable place but the code that decrypts it is completely decentralised.

    but it might make more sense to use a "service" that would help protect me from my own mistakes.

    Which mistake are you referring to? In context I assume that it is the possibility of 1Password data being left on a lost or abandoned device. The thing is, without your master password (and assuming you haven't completely disabled the autolock features) your vault is useless.

  • brenty

    Team Member
    edited April 2015

    The unfortunate reality is that no amount of good practices on your end will stop identity theft if the organisations that you deal with are lax with their security.

    @RichardPayne: I couldn't have said it better myself.

    @burjoes: Just to build on what RichardPayne said, when a company has a 'goldmine' of customer information, this is a big target for hackers.

    In the case of 1Password, AgileBits has neither your 1Password data nor the Master Password used to secure it. This is bad news for someone who has forgotten their Master Password or lost their data, but it is very good news for someone who may have had their 1Password vault fall into the wrong hands.

    but it might make more sense to use a "service" that would help protect me from my own mistakes.

    In fact, from your story it sounds like you may have fallen victim to some social engineering, where an attacker slowly builds up a portfolio of information on you which is then used to gain more and more, like with the bank. More often than not (as with Matt Honan's experience getting hacked), the failure is due to human error.

    But again, since AgileBits doesn't have any of this information, we're not even in a position to be coaxed, cajoled, or otherwise fooled into giving out information to someone posing as you. Instead, even if you store your 1Password data in the cloud, it is encrypted before it ever leaves your computer.

    I am really sorry that you're going through this, Jason. Identity theft is everyone's nightmare scenario in the digital age I think. And I know I speak for all of us at AgileBits when I say that I hope that you are able to recover from this as quickly and painlessly as possible. I wouldn't wish this on anyone.

  • Thank you for the replies. I got busy and never came back to this, but there is an update. I may have found the source of the breach and have another major update. I recently bought a home with a home automation system. As part of all the changes, I set up port forwarding to a few services using ddns.net, just like I always have. This time, though, I also turned on port forwarding to VNC, which I use to connect from my Mac to my home theater computer while at home. I have never used a password for VNC, and since I turned on port forwarding, it was accessible over the internet.

    The computer that was exposed is a Windows home theater computer with nothing but movies, pictures, etc. BUT - they got into Chrome and got my saved passwords, which allowed them access to private information. I am not sure of the exact sequence of events for the hack a month ago, but it fits the situation that they would have had credit card number, my DOB, my wife's DOB and a couple of other pieces of information.

    I reviewed the VNC logs (which I saved off) and found that people from a dozen countries "accessed" the system over the past few weeks. Interestingly, I don't see an intrusion from outside our network until May 15th, while the first hack was April 12th. So it is possible that it was not related.

    Interestingly, here is the story of how I found all this out. On Saturday morning, I found I had a couple of emails overnight from Google, warning me that there was a sign-in from Chrome on a Windows computer, then the recovery email was changed (I later found it was changed to [email protected]) and then something from eBay about an $8 pair of shoes that I didn't buy. The shoes were shipped to a person in Florida and paid for by PayPal. So I see an email from PayPal about a $1500 transfer into PayPal from my checking account. That takes 2-3 days, so it didn't finish - they must have paid for it using their own PayPal account, which I'm now trying to track down. I also saw they changed my recovery phone number to +92 345 6293665, a number in Pakistan.

    By the time I noticed that, I already had an email from "Ethical Jacob" who said he found my computer was unprotected, and that I should "change my passwords, such as cpanels, email, ebay, paypal" and that if I found the information useful, I could donate $10 - $50. He had both of my two main email addresses and pointed me to a Blogspot site - netprotector.blogspot.com.

    I spent the long weekend going much further than my previous efforts at security. I turned on 2FA for everything I could, and changed dozens of sites to a complicated password generated by 1Password. Oh, they also uninstalled 1Password and Dropbox from the computer. Because of that, I'm unable to tell for sure if they got into the 1Password database, as I may have turned off the feature that auto-locks after a period of time (but left it on to auto-lock after a reboot). I honestly never considered someone taking remote control of my computer.
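
The exposure described in the update above (VNC forwarded to the internet with no password) is something you can check for yourself from outside the network. The following is an added example, not code from the original thread or from AgileBits: it performs the first two steps of the RFB handshake (RFC 6143, sections 7.1.1 and 7.1.2) against a host and reports the security types the server offers. Type 1, "None", means anyone who can reach the port gets the desktop without a password. The fake server embedded below is constructed so the script runs offline; against a real box you would call `probe_vnc()` with the DDNS hostname and port 5900 (the RFB default) instead.

```python
"""Probe a VNC (RFB) endpoint and report whether it accepts unauthenticated sessions.

Added example; not from the original thread. Only the RFB version and
security-type negotiation are implemented, which is all a defender needs
to see whether the "None" security type is on offer.
"""
import socket
import struct
import threading

# Security-type codes registered in RFC 6143 section 7.1.2 (subset).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def _recv_exact(sock, n):
    """Read exactly n bytes from sock or raise ConnectionError."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def probe_vnc(host, port, timeout=5.0):
    """Return {"version": ..., "security_types": [...], "no_auth": bool}."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)          # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError("not an RFB server: %r" % banner)
        version = banner[4:11].decode("ascii")
        sock.sendall(banner)                    # accept the server's version
        if version == "003.003":
            # RFB 3.3: the server dictates a single type as a big-endian u32.
            (sec_type,) = struct.unpack("!I", _recv_exact(sock, 4))
            types = [sec_type]
        else:
            # RFB 3.7 / 3.8: u8 count, then that many u8 type codes.
            count = _recv_exact(sock, 1)[0]
            if count == 0:
                # Count of zero means the server refused; a reason string follows.
                (reason_len,) = struct.unpack("!I", _recv_exact(sock, 4))
                reason = _recv_exact(sock, reason_len).decode("latin-1", "replace")
                raise ConnectionError("server refused handshake: " + reason)
            types = list(_recv_exact(sock, count))
    return {
        "version": version,
        "security_types": [SECURITY_TYPES.get(t, "type %d" % t) for t in types],
        "no_auth": 1 in types,
    }


def start_fake_vnc_server(security_types):
    """Constructed stand-in for a VNC server: speaks just enough RFB 3.8 to
    answer probe_vnc. Serves one connection on 127.0.0.1 and returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(b"RFB 003.008\n")
            _recv_exact(conn, 12)               # client's version reply
            conn.sendall(bytes([len(security_types)]) + bytes(security_types))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe one server offering only 'None' (the forwarded home-theater case)
    and one offering VNC Authentication plus VeNCrypt."""
    open_port = start_fake_vnc_server((1,))
    locked_port = start_fake_vnc_server((2, 19))
    return probe_vnc("127.0.0.1", open_port), probe_vnc("127.0.0.1", locked_port)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Seeing "VNC Authentication" instead of "None" is only a partial fix: that scheme is a DES challenge-response truncated to an 8-character password, so a VNC server should still never be reachable directly from the internet. Leave the port closed on the router and reach the machine over a VPN or an SSH tunnel instead.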

This discussion has been closed.