Two security incidents, probably unrelated
January 16, 2025 11:33 AM Subscribe
I had two security issues come up today. I don't think they're related, but maybe they are? I wonder how concerned I should be about them, and what steps I should take in response. One of them is related to a credit card. The other is my Microsoft Live account. Details below the fold.
1. Citigroup credit card
Two days ago I tried to make a purchase at a membership organization that has my CG credit card on file. I got a text message from Citigroup saying they had detected possible fraud. The message said to respond 1 if the purchase was legit or 2 if it wasn't. I immediately responded 1 and got a message back that I should retry the purchase. I did and it went through. All seemed well.
Then yesterday when I got up I had an email from Citigroup saying that they had detected fraud on my account and locked the card. They said I should call to get the issue resolved. I tried calling several times throughout the day, but every time the message on their fraud line said the hold time was "greater than 30 minutes". Crazy, right? I tried online support via chat, but was told I had to go the telephone route.
Finally this morning I called the fraud line again and just set my phone down while I started my work day. I eventually got through, spoke with the rep, and they unlocked my card.
About 30 minutes later I was about to make a purchase with that credit card, but I decided for no particular reason to log back into my CG account to make sure it was really unlocked. When I did that, I saw that someone had purchased an American Airlines ticket with the card within five minutes of the card being unlocked. I flagged that charge as fraud. The website responded by cancelling the card and making arrangements to get me a new card with a new number.
Question 1. HTF did the fraudsters know my card had been unlocked within 5 minutes? That seems like a Citigroup problem rather than a Me problem, but is there anything I should do in response?
[Relatedly, there are news reports that Citigroup had problems with their app yesterday, and that this was leading to the long hold times. Have they been compromised?]
2. Microsoft Live account
About a half hour later I got an email from "the Microsoft account team" that "Security info was added". The body of the email said that a passkey was added to the account. It was a very low-fidelity email, but it was from the correct domain. I did not click any links in the email but instead opened a browser and went directly to account.microsoft.com to view recent activity.
It turned out that the login was legitimate (it was a family member activating their copy of MS office that we have a family subscription for). The concerning part, though, was that the account activity log showed 11 failed login attempts for my account since the beginning of the month. These were mostly from Brazil, but also from Peru, Switzerland, and the Palestinian Authority.
Should I be concerned about this? Is it normal for individual Microsoft accounts to be targeted so actively? Is there anything I should do in response?
These two events coming so close together have spooked me. Do they imply that my e-mail address (which I've had for decades) has gotten onto some "you should try hacking this one" lists? (I use the same email for logging into both my Citigroup and my Microsoft account.)
I'll certainly check my passwords and 2FA on both these systems, but I'm wondering if there's some broader security audit I could and should do. I'll note that my credit files are all locked, so hopefully that will provide some protection.
TIA for any thoughts and suggestions.
11 failed login attempts is (in my experience) not that unusual. Unfortunately, neither is credit card fraud. I personally would not assume these two things are related -- they're just both part of living in the world. However, it's never a bad idea to consider your digital safety & security. If you haven't already, you might check out Consumer Reports' Security Planner, which will walk you through steps you can take to lock down your online presence and financial data.
posted by ourobouros at 1:11 PM on January 16 [3 favorites]
Not related.
Microsoft was allegedly blocking 7000 bogus logins PER SECOND (as per recent Forbes article).
Not sure about your Citicard though. That org may have been compromised on their end.
posted by kschang at 1:53 PM on January 16
I use the same email for logging into both my Citigroup and my Microsoft account
As long as you're not also using the same password on both those accounts, you're probably OK.
If you are, that says to me that you're bringing a human brain to a password manager fight, which you really should stop doing. Using password management software to remember and most importantly generate a long, unique password for every service you might wish to log into is just necessary in 2025.
I use KeePassXC because it starts up faster than KeePass does. Both are open source and both use the same password file format, with all passwords kept in a single encrypted file on my own computer that it's my responsibility to back up and replicate across all my devices and keep track of which device has the authoritative copy. I would much rather take on that responsibility than entrust the foundation of my whole digital life to some your-call-is-important-to-us corporation.
posted by flabdablet at 2:06 PM on January 16 [1 favorite]
My Blizzard.net account was part of a hack years ago and so the bastards got my Hotmail address and pw. I see dozens of failed logins a day if I check the activity section in my account. It's extremely likely your MSN email was part of a recent hack and so you've been added to the list of accounts to try.
They're probably not related unless some business out there was hacked. Oh yeah, there was.
posted by fiercekitten at 5:15 PM on January 16 [1 favorite]
My Blizzard.net account was part of a hack years ago and so the bastards got my Hotmail address and pw.
Anybody who has had a password successfully harvested as a result of any data breach is more than likely not using password management software either.
It is super rare for any organization to record their registered users' actual passwords either as plain text or even encrypted with some kind of secret master key; doing so would require a staggering level of administrative incompetence. Almost always, what's actually kept in the accounts database is a cryptographic hash derived from the password, from which the password itself can only be retrieved via systematic guessing and checking. Human-created passwords are notoriously easy to guess and check in this way and they're also often re-used across services. This is in stark contrast to software-generated long, random, unique passwords, which are simply not feasible to reconstruct from their hashes.
Any password that your password management software creates at random and rates as having at least 80 bits of entropy is going to resist best-practice cracking techniques for at least several centuries. Cracking a password with over 100 bits of entropy would require more time than it will take for the Sun to swallow the Earth.
I have many accounts with organizations that have had their accounts databases exfiltrated and not once have I seen any evidence that anybody else has been able to log into one of them. Seriously, get religious about using KeePassXC or something equally competent. The resulting peace of mind is really, really nice.
posted by flabdablet at 8:42 PM on January 16
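To put numbers on the entropy figures in this comment and on the password-manager advice in the earlier one, here is an added Python example (not code from the thread or from any poster). The 94-character alphabet, the 10^12 guesses-per-second cracking rate and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import secrets
import string

# Assumed alphabet a password manager might draw from: 26+26+10+32 = 94 symbols.
CHARSET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int, charset: str = CHARSET) -> str:
    """Pick every character uniformly with a CSPRNG, as a password manager does."""
    return "".join(secrets.choice(charset) for _ in range(length))

def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(charset_size)

def length_for_bits(target_bits: float, charset_size: int) -> int:
    """Shortest length that reaches the target entropy for this alphabet."""
    return math.ceil(target_bits / math.log2(charset_size))

def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace must be tried."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: the one-way record a competent site stores instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)

if __name__ == "__main__":
    for target in (80, 100):
        n = length_for_bits(target, len(CHARSET))
        pw = generate_password(n)
        bits = entropy_bits(n, len(CHARSET))
        # Assumed attacker: 1e12 guesses per second against a fast hash.
        print(f"{n} chars -> {bits:.1f} bits, ~{expected_crack_years(bits, 1e12):.3g} years to crack: {pw}")
```

With a 94-symbol alphabet, 13 characters already exceed 80 bits (roughly 19,000 years at the assumed rate) and 16 characters exceed 100 bits (about 2e10 years, longer than the Sun's remaining lifetime), which is the scale the comment is describing.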
Question 1. HTF did the fraudsters know my card had been unlocked within 5 minutes? That seems like a Citigroup problem rather than a Me problem, but is there anything I should do in response?
Anecdotally, last week I missed a flight connection and bought a brand new ticket while standing in the baggage claim of an airport far from home. I used Hopper, didn't buy it right from the airline. Chase immediately flagged the transaction as suspect but the moment I pressed "1" or whatever to say it wasn't fraud, Hopper went and bought the ticket without telling me first. So some airlines and travel services must be used to this whole "it's-fraud-no-wait-its-not" cycle and keep retrying the purchase over some period of time.
posted by JoeZydeco at 5:37 AM on January 17
Response by poster: Thanks for all the feedback. I generally follow the good practices that the answers bring up: I use strong passwords and don't reuse them. I use a password manager (Apple's in-built one). I called the phone number on my credit card to discuss the fraud. So I guess there's nothing exceptional going on with these two incidents. I'll keep an eye on things but meanwhile marking this resolved.
posted by Winnie the Proust at 6:34 AM on January 17 [1 favorite]
posted by punchtothehead at 1:07 PM on January 16 [3 favorites]