Hacked in some way- what was point of entry/what do I need to do?
March 20, 2023 5:18 PM

I decided to make a LinkedIn account today to try and find an old friend from high school that I've been trying to get back in touch with for over a decade. When I signed up, a window popped up saying "we've sent a confirmation email to XXXX@rambler.ru". Was pretty instantly locked out of the new account. How do I figure out what all I need to do to fix this?

I signed up using my university email- which I use for many things, and is administered by google mail. I used 1password to generate a password for LinkedIn.

So the signup was me putting in my .edu address, using a brand new password generated by 1password. I then got the window saying "confirmation code sent to XXXX@rambler.ru".

I refreshed that page, and was logged in (obviously the scammer instantly logged in). I didn't do anything- add any information or anything- and closed the window. I tried logging in with the email and password I had used, but they had been disabled already.

I don't really care about having a LI account, but I care about it being misused. I also care about how this person inserted themselves into this process and got my information to redirect to them.

I have a long pass phrase on my .edu account that is used nowhere else. To change it I need my student ID number- which I have no recollection of. Nothing seems amiss on that account so far. It's not clear to me that it needs the pass phrase changed- but I may be misunderstanding how this happened in the first place, and what is actually compromised.

I've sent a hacked account report to LinkedIn. I hadn't filled out anything- no photo, no contact info, just the general location and my general job. I resist putting information into forms generally. I didn't "connect" with anyone either.

I'm just trying to figure out what I need to do to prevent this in the future and what I need to do to head off any issues with my security now. I use 1password for many things- mostly, but not always, with their generated passwords. There are some, uh, legacy crap passwords for unimportant things.
posted by oneirodynia to Technology (8 answers total)
Are you 100% certain you signed up from www.linkedin.com (ie typed the URL directly into the address bar), or did you google “linkedin” and select one of the top search results? Recently I’ve been hearing about scams where people create fake pages that are artificially seeded at the top of google searches as “sponsored” results.
posted by btfreek at 5:27 PM on March 20, 2023


I have seen exactly the situation btfreek is talking about - I just set up a new computer for work and found out how many not-quite-linkedins there are, and they're all in the top and sponsored results on google.

You might just go to google and put in "linkedin" and see if any of the result links show as already read. Otherwise I would suggest a) checking the browser you were using for any extensions you didn't put there yourself b) run your antivirus c) going to real linkedin and creating a real account with a different autogenerated password.
posted by Lyn Never at 5:35 PM on March 20, 2023


Are you 100% certain you signed up from www.linkedin.com (ie typed the URL directly into the address bar), or did you google “linkedin” and select one of the top search results?

Yes, I typed it in. And LinkedIn got back to me and asked if I'd like to close the "duplicate" account, so it must have been the real site.
posted by oneirodynia at 5:42 PM on March 20, 2023


I only see the real LinkedIn in my google search I did just now. Although this exact thing btfreek mentions happened to me when I was trying to put my phone number on the "do not call" registry - the first google result was a fake registry, which turned out to be the "please call me as much as possible" registry. Grr.
posted by bluesky78987 at 5:44 PM on March 20, 2023


Agree that this sounds like a virus. Hopefully you already have an antivirus, so run a virus scan.
posted by wondermouse at 6:48 PM on March 20, 2023


Check what browser extensions you have installed. It's possible you have a malicious browser extension that is sniffing your login info.
posted by panic at 8:00 PM on March 20, 2023


Where were you accessing the internet through?

I assume it's still a thing that people create spoof public WiFi networks in cafes and other popular hotspot locations, that have the same name as the real one, so they can monitor all the traffic through it and copy keystrokes, etc (which I think https is supposed to help reduce).

So another potential hack route, as it sounds like you've been taking some good precautions with unique passwords and such elsewhere.
posted by many-things at 1:23 AM on March 21, 2023


What some viruses do (if you're on Windows) is to put a domain redirect in the hosts file, which lives here on Windows 10:
C:\Windows\System32\drivers\etc
If you open it in Notepad or Notepad++ you should mainly see something like:
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
(really a whole lot more than that, but the # in the first column is a comment, so lots of lines are there just for documentation).

If you see linkedin in there that's a smoking gun especially if it's redirecting to some nasty unknown site.

To be clear: it's not a file you should change (I do so I can use shortened paths to my local network machines) but I think you should check it, just as one possibility. When you typed linkedin.com that doesn't mean your hosts file didn't reroute based on a virus hook in that file.
posted by forthright at 9:32 AM on March 21, 2023
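
The hosts-file check described in the comment above, as an added example that is not part of the original thread: it parses hosts-file text, ignores commented lines, and reports any active entry that pins a watched domain (or a subdomain of it) to an address. The function names, the watched-domain list and the sample entries are assumptions made for illustration.

```python
import ipaddress
import sys

# Constructed sample: the stock comment lines quoted above plus hypothetical
# entries. 203.0.113.7 is a documentation-range address, not a real indicator.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
192.168.1.20    nas              # short name for a local machine
203.0.113.7     www.linkedin.com linkedin.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for each active (uncommented) entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def find_overrides(text, watched=("linkedin.com",)):
    """Return entries that pin a watched domain, or a subdomain of it, to an address."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
            # "local": loopback/unspecified, usually blocks the name or points at
            # something on this machine. "remote": the name is rerouted elsewhere.
            kind = "local" if ip.is_loopback or ip.is_unspecified else "remote"
        except ValueError:
            kind = "malformed address"
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watched):
                findings.append((line_no, name, address, kind))
    return findings


if __name__ == "__main__":
    # With no argument the constructed sample is scanned; otherwise the given file.
    text = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    for line_no, name, address, kind in find_overrides(text):
        print(f"line {line_no}: {name} -> {address} ({kind})")
```

On Windows, pass the path of the `hosts` file in the folder named above as the first argument; an entry for a site that nobody on the machine added is the thing to follow up on.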

