unhack the planet!
July 22, 2015 3:25 PM   Subscribe

An old password of mine has been compromised, and someone has been using that information in the past 30 minutes or so. What can I do?

Within the last 30 minutes someone's been hacking my shit. My password to Groupon must have been compromised because I received an email that someone ordered a bunch of Xbox 360 gold cards on it (lol). I logged in, cancelled the order, and changed my password, so that is all set. I'm trying to think of sites where I've used the same password (yes I'm an idiot) and change them.

While I was doing that, I started getting a butt-ton of emails to my gmail address that look like this and this. I'm guessing it means they're running rainbow tables on my info? but where?
I've gotten about 120 of those emails and they appear to have stopped now... I'm worried that means they got something!
Is there anything I can do right now to mitigate this? Or do I just have to wait until I get confirmation emails for stuff they order?
Bonus: is there a list of popular ecommerce sites that would be useful to me in my mass password-changing? I didn't even remember that I had a freaking groupon account, I'm sure there are other sites that I can't think of that I'm using this password on.
posted by ghostbikes to Technology (16 answers total) 15 users marked this as a favorite
Best answer: Change all your passwords. Right now. Not just the ones that were the same. All of them. From a different computer than you normally use if possible. Go to the google/facebook/etc pages that show you all your active sessions and log them all out.
posted by Jairus at 3:38 PM on July 22, 2015 [8 favorites]

Run a virus scan immediately just to be safe.
posted by erst at 3:40 PM on July 22, 2015 [2 favorites]

Best answer: Also, change your gmail password and switch gmail to 2-factor authentication, also immediately. If they get access to your email this will become an even more difficult problem to resolve.
posted by OrangeDisk at 3:43 PM on July 22, 2015 [4 favorites]

Best answer: Given that you may not be able to remember every place that the same password was used, it may help to have your credit card(s) canceled/frozen/disabled. Call the card company's fraud department and basically treat it like a stolen card. You want your card(s) to be invalid for making purchases so no further fraudulent orders can be made (until a new card with a new number is mailed to you) even if someone does access an ecommerce account where your card is stored. Don't do this if you rely on a card for something that will need to be charged before a new one gets to you, of course.

Also, the flood of email could just be an attempt to hide real emails that would give away the fraudulent activity, like the email from Groupon did. If your inbox is filled with junk, you are much less likely to notice something from Ecommerce-R-Us down on page 7. The fact that the emails stopped may just meant that they've stopped making fraudulent orders.

It certainly has nothing to do with rainbow tables, which are simply databases that are used "offline" to lookup a password hash if one is compromised. Here, they appear to have your actual password, not the hash, so rainbow tables aren't relevant anyway.
posted by whatnotever at 3:52 PM on July 22, 2015 [4 favorites]

i don't think those emails have anything to do with rainbow tables (can you explain why you think that?). someone posted here just the other day saying that they got a pile of spam when they were hacked, and the aim seemed to be to get people to give up on the email, and so not notice warning emails from banks etc.

sorry, on posting - what whatnotever said.
posted by andrewcooke at 3:57 PM on July 22, 2015

Response by poster: ok, i'm an idiot about the rainbow tables thing, forget about it. The email contents looks like encrypted gibberish chunks and I assumed they were trying to grab my new password or my gmail password (like they were thinking I had changed the Groupon one to a similar variant of the one they have) and that for some reason their attempts were sending me an email each time. I obviously have no idea what I'm talking about, so never mind. My brain just went there in a panic to try and connect "Someone's got my password" "I have changed the password" and "I am suddenly getting many hacking-attempt-looking emails"

Changing all passwords that I can possibly find. I'd appreciate help regarding finding out the accounts i don't remember I have as well. Also locked down my gmail, and am considering a credit card fraud alert.
posted by ghostbikes at 4:03 PM on July 22, 2015

Best answer: JustDelete.me has a long alphabetized directory of common web services. You can't use it to determine if you have old accounts open, but it's a list to start checking against.

Check your Gmail archives and spam folder to identify any websites you may have used a password for. Check if you can access any old email addresses you may have used. Check if you have web accounts with any domestic services you use often: banks, job networking, utilities, taxes, etc. Google any usernames you use commonly to see if you have public profiles. Change your password on ALL of these.

I strongly recommend you use a password manager to generate and store strong randomized passwords in the future.

(You already changed your MeFi password, right?)
posted by nicebookrack at 4:28 PM on July 22, 2015 [5 favorites]

Best answer: You should be able to find receipts for all your ecommerce purchases in your Gmail. "Your order" should do the trick, or your street address.
posted by acidic at 4:31 PM on July 22, 2015 [2 favorites]

Best answer: If you tend not to delete old email, a search in gmail for the phrase "welcome to" might help remind you of services you've signed up for and then forgotten about.
posted by contraption at 4:32 PM on July 22, 2015 [3 favorites]

If you allow your browser to remember your login details, there should be a settings page to manage the saved passwords for all the sites you use. Firefox, Chrome.
posted by Rhaomi at 5:50 PM on July 22, 2015

Yeah, watch the email. Change your passwords. Something like that happened to me a few years back. Buried within all the emails was an actual PayPal confirmation that I'd bought somebody in Milwaukee an iPod.
posted by synecdoche at 8:07 PM on July 22, 2015

Response by poster: so the bulk email thing is a tactic to get me to miss the order confirmation? iiiinteresting.
posted by ghostbikes at 8:34 PM on July 22, 2015

Embrace the goodness that happens when you combine KeePass and Dropbox. KeePass because it's been ported to everything and its basic mode of operation is fully local, so your password safe will continue to work even if you lose online access; Dropbox because it also works on everything and will allow the online copy of your password database to survive accidental deletion from all your local devices.

Also keep a copy of your KeePass database on a micro SD card in an Elago Nano reader attached to your car keys. That one doesn't have to be kept strenuously up to date; as long as it's got your current Dropbox password in it, you're good to go.

Use a very strong master password for your KeePass database. Easiest way to do that is to take the three strongest passwords you already remember and glue them together.

As you work through all the online services you can remember using, register their details in your KeePass database and let KeePass generate new random passwords for them.

Obviously, using password management software is a complete change in the way most people deal with passwords, and the unfamiliarity of that will indeed cause some initial pain. But the benefits - never, ever forgetting any password you've ever used online, and rendering the security of each of your online services independent of all the others - are so worth it.
posted by flabdablet at 1:49 AM on July 23, 2015 [4 favorites]

And a minor side-effect of using a password manager for everything is that you now have a convenient listing of all your online accounts.

If you need help generating a new master password, use Diceware.
posted by Bangaioh at 10:05 AM on July 23, 2015

Response by poster: In case anyone ends up in a similar situation: While checking my gmail account access I noticed I had signed up for unroll.me forever ago, granted it gmail access, and immediately forgotten about it. it had been silently keeping track of all the things I signed up for, which is very useful at the moment.
posted by ghostbikes at 10:49 AM on July 23, 2015 [1 favorite]

Response by poster: I just realized, I have a follow up question: I have the address that the person tried to deliver their stuff to (but not their name). Should I report it?
posted by ghostbikes at 3:39 PM on July 23, 2015

« Older How to back-up iPhone to iTunes then restore   |   How do I make the most of this apartment layout? Newer »
This thread is closed to new comments.