Last week, I had my Outlook, LinkedIn, and Netflix accounts hacked, and it was the first time I had experienced such a thing. Since this can happen to anyone, I want to share some lessons learned from the experience.
What Happened
It was a typical working day, and I received an email telling me that someone had changed my LinkedIn password successfully from Normandie, France. It took me a couple of tries to change my password, and then I was kicked out – the hacker changed my email associated with the account.
Soon after, I began to get calls and emails from former colleagues, asking if I intended to send them something via LinkedIn and that I may have been hacked. After only 5 minutes, the hacker had already sent a malicious link to my contacts; customers, old colleagues, Microsoft contacts – the lot!
I reported the incident to LinkedIn, who got in touch within 24 hours, asking me to prove my identity to give me my account back. Once I did this, I logged back in and changed my password.
Damage done
I looked over my messages and saw that the hacker had contacted over 50 connections with this message:
Most of those who answered clicked the link, and I responded to as many people as possible, stating the link was malicious. However, I noticed the hacker/bot was having conversations with my connections to convince them I was the one sending the message – scary stuff!
The first lesson in this blog is two-factor authentication. I didn’t have it turned on for any applications I use, so I turned it on immediately. I also checked my live sessions in my settings on LinkedIn and signed out of them all.
Just when I thought it was all over…
The weekend is here, and I’m enjoying Netflix in the living room when the following message appears on the screen: You have been logged out. My phone alerts me that a new device logged in to my Netflix account, and I immediately think, “oh no, not again.” The Netflix app on my phone allows me to log in, but it is all in Spanish. Shortly after that, my account was blocked, and a new email was associated with it. I feel all too familiar with this. I immediately contacted Netflix support, and they managed to get me back in and recommended I change my password and turn on two-factor authentication to prevent this from happening again.
It was quickly apparent that my Outlook account had been compromised, and I researched what to do. I found that hackers may re-route emails with “.,” rule so I wouldn’t receive an email with “Reset your password here.” Then I checked my rules, and lo and behold; there was a rule called “.”. So I deleted it and added two-factor authentication again to my Outlook.
Realising my mistake
To be completely honest, I always used easy-to-remember passwords and did not have two-factor turned on for any of my applications. Some colleagues that work in security have given me some recommendations, so this doesn’t happen again, and I thought it would be helpful to pass those on:
- Always turn on two-factor authentication
- Use spacebars in passwords
- Use a different password for each application
- To be extra vigilant – use a separate email for each application
My hope is that sharing this experience provides you with caution, and after you read this, you will turn on two-factor authentication for every application you use.
2 thoughts on “Lessons Learned After Being Hacked”
I’ve been there too – I ended up using a password manager after that to help generate and achieve unique passwords for every app. And I use MFA/2FA as much as I can.
Password managers are a really helpful tool (I use bitwarden). As well as generating strong, unique passwords and handling multi-factor authentication they can identify password reuse and weak passwords that you can go through and change.