A few days ago, an old shopping account of mine was “hacked”. Or at least, an attacker managed to change its password. Now, I am wondering what was the purpose of this happening and whether there is anything I should be especially wary of.
I noticed the attack exclusively because I found the password reset e-mails in my e-mail inbox, and I could effortlessly retake it by using the same password reset feature, as the shopping account’s e-mail address was not changed. Also, the shopping account did not contain any payment data and no orders were issued, and no other account linked to the same e-mail address seems to have been compromised (in the sense of any password changes).
Is that a typical attack pattern, or what exactly happened there?
More detailed description:
I have an old shopping account A that I have not been using for several years, linked to an e-mail address B (that I do use, albeit as a secondary address).
Symptoms of the incident: Shortly before Christmas, I noticed that I had received several messages on B from the shopping site at around 3 AM the previous night:
- An automated mail with a link to reset my shopping password.
- An automated mail confirming the change of the shopping password.
- A welcome mail to Kindle (which does not seem to confirm any order or anything, though).
This told me that, likely, an attacker had at least managed to access both my accounts A (shopping) and B (e-mail).
Immediate reaction and checks: I noticed these e-mails at around 10 AM the following day and took the following steps:
- I attempted to log in to A with the password I had stored in KeePass and, sure enough, it was not valid anymore.
- I changed the password of A by using the same password reset feature the attacker had been using some hours before.
- I requested the deletion of A, as it was an old account (the only reason it was still around was that, back when I discontinued using it and set up a new shopping account linked to a different e-mail address, I could not find an easy way to delete A permanently).
- I changed the password of B.
- I checked A for any traces the attacker may have left, or anything that could have been useful to them:
  - Orders (none).
  - Memberships (none).
  - Devices (none).
  - Stored payment information (none).
  - Stored addresses (one old address of mine, no new address added).
  - Additional e-mail addresses or phone numbers (none).
  - While I did not check that part, I had never written any reviews from this account, and accordingly had never set up a reviewer identity or whatever settings I think were necessary when I started writing product reviews with my current account.
- I also checked B for anything suspicious:
  - Sent mails (none).
  - Newly set up forward addresses (none).
  - Alternative e-mail addresses or phone numbers (none).
- I checked the Pwned Passwords list at HIBP with my old passwords for A and B, but none of them were part of any data breach known to the site.
- I notified both the shopping company and the e-mail host of B for the sake of good practice, although:
  - the shopping company has not responded at all, and
  - the host of B could not provide any help and stated they do not keep track of recent logins since data retention had been cancelled in Germany (where they and I are located).
Lastly, I ran some malware scans (beside the protection that is usually running) of my system and examined running processes etc., but found nothing out of the ordinary.
Assessing what happened: Now, I’m wondering what happened here:
- By changing the password without deleting the notification mails by the shopping company, the attacker basically alerted me to their intrusion.
- By keeping the e-mail on account A the same, they allowed me to effortlessly reclaim the account.
- They did nothing with either of the accounts, as far as I can see.
- Nothing happened to any of the dozens of other accounts linked to e-mail address B, as far as I can tell (I received no further notifications, and I could still log in everywhere).
Hypotheses: My (possibly far off, and in part mutually exclusive) hypotheses:
- I became the target of an incompetent attacker who failed to cover up their traces and to properly hijack the shopping account by changing the e-mail address (but then, what’d they actually attempt to do even with the hijacked account?).
- There is some password-spying malware on my system that was somehow recently installed out of the blue and that current malware scanners do not detect (but then, why is all that someone could get hold of the access to one out of several e-mail accounts, and all they use it for is to access a single account of mine, and even an obsolete one at that?).
- Alternatively, my password to B was somehow contained in a data breach that has not been analyzed by HIBP yet.
- The attacker was an automated script that specifically intrudes into shopping accounts to harvest/abuse them, but all they could get from mine was an old postal address.
- The attacker just prepares the hijacking of accounts by resetting their passwords, then compiles a list of the modified access data that will then be sold to the actual “wrongdoers”. I just happened to notice before step 2 was executed and thus could still intervene.
- The attacker did not actually manage to access B. There is a security flaw in the shopping site’s password reset function that allows resetting the password without receiving the mail with the link (but surely, such a loophole would be quickly noticed by many (attackers/victims) at a time, wouldn’t it?).
- I have been targeted by a “white-hat hacker”, who somehow found out my password and wanted me to know that someone can change my shopping password without making the account unretrievable to me.
Notes: As a last remark, all of my passwords are randomly generated chains of upper and lower case letters, numbers, and symbols, around 60 characters in length, with no double use of passwords anywhere.