
Comments
Phishing.
Precisely, along with others. Think about keyloggers and credential stealers. Hackers, or anyone else, don't necessarily need to 'break a long randomly generated password' when phishing and credential-stealing methods can simply hand it to them.
https://github.com/drk1wi/Modlishka
In general 2FA is still susceptible to phishing, MITM and other attacks. And with a bad password it is even worse, as it is essentially 1FA then. 2FA authenticators are known to have vulnerabilities, not to mention stupidity like allowing password resets or codes that are easy to guess.
So use a password manager and make sure the password database is encrypted with a master key. Beyond that, if you want more security, use hardware-based 2FA, as it's the only kind that is actually useful.
No, you can't steal the TOTP secret. You can log in, but you can't steal the 2FA, only a one-time code, unlike with a password.
I might have an idea: you fucked up. Again.
Just like in 2017, when you thought Bitbucket was a good place for your root password.
https://bitbucket.org/yokowasis/boxbilling-cwp/src/master/Manager/Cwp.php
When someone logs in, he can disable 2FA and do what he wants.
It is an implementation vulnerability imo, not 2FA's fault. They should ask for the 2FA code once again for security-related operations.
Assuming the phishing site can't get the code the second time.
It is when things get suspicious enough, but yeah, some users might still not notice something unusual.
Phishing doesn't work if your password manager autofills the username and password for you.
My main concern is how easy it is to change the email account. There should be a confirmation from the old email account before changing it to the new email.
If it were only a password change I could just easily reset it. But they changed the email account. So I am locked out until Monday.
How did you guess my password?
I hate this kind of needing the old email to change to a new email. Storj has this requirement, and I lost my old email access because I lost the 2FA. Now I can only log in but can't do anything to change to a new email.
I agree that changing email may need to require verification, but not from the old email.
@yokowasis a complex password in a password manager with its autofill is good, but it turns out it is not enough. Take this as your lesson learned. Enable 2FA everywhere. Even buy a hardware security key if you feel that your resources are more important than the cost of the hardware key. If you suspect that your computer has malware for whatever reason, don't use it to access the 2FA.
Adding onto this, if you use SSH, a hardware key in my eyes is the only way.
I'd recommend making the full leap to Linux, since you're predominantly using WSL already.
Still need to exercise caution, yet "Windows" puts a big target on you as far as attackers actually being able to execute attack vectors. Since Windows is the dominant client OS, it's what most exploits/attacks aim for; getting off that platform reduces the attack surface and greatly reduces the odds of anything you get on there accidentally working.
That said, the password manager (if there's a local store on the PC) is the best guess if they got into any other accounts of yours.
Have you checked the email associated with your Hetzner account? They might have used email as an entry point. Then check your PC or mobile phone for the possibility of malware.
Lastly, hope hetzner does not sell our data.
How do you know your account was hacked and Hetzner didn't just delete your account?
You realize when Hetzner decides they don't want you anymore, they just delete your account and your servers without notice? That's why friends don't let friends use Hetzner.
You can try to check login/password reset with konsoleH client number instead of email to confirm this. @yokowasis
Usually it's very hard to make sure a PC isn't compromised. Best is probably to reinstall fresh or boot a live Linux system and scan.
@ailice I always wonder how cookie sessions are stolen if they don't have access to your pc and you only visit legit websites?
Stolen cookies for sure.
> @Maelstrom36 said: Stolen cookies for sure.
So 2FA wouldn't have helped in this case.
I share the same thought with snowman11. Be careful of browser extensions and JS bookmarklets. Sometimes an extension is hijacked and the new version is installed by default; it could be phishing, or maybe not.
From the look of it, were I you, I'd sign out of every account on all devices. I know this is a hosting forum, but you may have more than just your Hetzner account to worry about.
Really silly question: how do you know it's been hacked? Do you have active services with them? Has the account been removed/disabled?
2FA is definitely a pain to always have to do, but it's worth it.
I just regained my account with the help of support. Turned on 2FA. Apparently over the weekend the hacker deployed 100 cloud servers, and I got a bill of 300 EUR.
I feel like there should be an automatic way to recover your hacked account. Or at the very least, prevent changing account email without confirmation.
glad to hear that.
2FA is mandatory I guess
So did you pay the bill?
Who is the service provider? Did you get refunded? How the hell did you not get a mail change notification? Did the hacker turn that off before changing the mail? Even so, the provider should have notified you; this is a security risk.
What if a provider resets the password and deploys 100 cloud servers, then asks you to pay for it?
I did get an email notification. It said your primary email has been changed, or something along those lines.
By that time, it's already too late. It would be better if there were an email confirmation saying something like "Hey, did you really want to change your email? If you don't want to, ignore this message and change your password. If you do want to, click this link for the confirmation."
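Two fixes are proposed in this thread: re-asking for the 2FA code before security-related operations (disabling 2FA, changing the email), and sending an email-change confirmation to the old address so the change only takes effect once the owner clicks it. The model below is an added example written for this page, not Hetzner's code or anyone's real implementation; the 300-second step-up window, the 8-hour cookie lifetime, the account names and the scenario timestamps are all assumptions, and the "outbox" stands in for a mail server. It walks the thread's own attack: a stolen session cookie gets into the account but cannot disable 2FA or redirect the email without a fresh code from the authenticator.

```python
"""Added example (not a real provider's code): a session cookie alone must not be
enough to disable 2FA or change the account email."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30            # RFC 6238 time step in seconds
STEP_UP_MAX_AGE = 300     # assumed policy: a 2FA check older than this is repeated
SESSION_TTL = 8 * 3600    # assumed policy: cookie lifetime in seconds


def totp(secret: bytes, now: int) -> str:
    """6-digit RFC 6238 TOTP, HMAC-SHA1 (the usual authenticator-app default)."""
    mac = hmac.new(secret, struct.pack(">Q", now // TOTP_STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 1_000_000:06d}"


class StepUpRequired(Exception):
    """Sensitive action attempted without a recent second-factor check."""


class SessionExpired(Exception):
    """Cookie unknown or past SESSION_TTL."""


class AccountService:
    """One account; 'now' is passed in explicitly so the walk-through is deterministic."""

    def __init__(self, email: str, totp_secret: bytes):
        self.email = email
        self.totp_secret = totp_secret
        self.twofa_enabled = True
        self.sessions = {}          # cookie -> {"issued": t, "last_2fa": t}
        self.pending_change = None  # {"token": ..., "new_email": ...} while unconfirmed
        self.outbox = []            # (recipient, subject) pairs the service "sent"

    def _check_code(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def login(self, code: str, now: int) -> str:
        """The password is assumed already verified; the TOTP code completes login."""
        if self.twofa_enabled and not self._check_code(code, now):
            raise PermissionError("bad 2FA code")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"issued": now, "last_2fa": now}
        return cookie

    def _session(self, cookie: str, now: int) -> dict:
        sess = self.sessions.get(cookie)
        if sess is None or now - sess["issued"] > SESSION_TTL:
            self.sessions.pop(cookie, None)
            raise SessionExpired
        return sess

    def _require_fresh_2fa(self, sess: dict, now: int) -> None:
        # A stolen cookie passes _session(); this check is what stops it.
        if now - sess["last_2fa"] > STEP_UP_MAX_AGE:
            raise StepUpRequired

    def step_up(self, cookie: str, code: str, now: int) -> None:
        """Re-prompt for the authenticator code and record the fresh check."""
        sess = self._session(cookie, now)
        if not self._check_code(code, now):
            raise PermissionError("bad 2FA code")
        sess["last_2fa"] = now

    def disable_2fa(self, cookie: str, now: int) -> None:
        self._require_fresh_2fa(self._session(cookie, now), now)
        self.twofa_enabled = False

    def request_email_change(self, cookie: str, new_email: str, now: int) -> str:
        """Stage the change; the confirmation link is mailed to the OLD address only."""
        self._require_fresh_2fa(self._session(cookie, now), now)
        token = secrets.token_urlsafe(32)
        self.pending_change = {"token": token, "new_email": new_email}
        self.outbox.append((self.email, "Confirm the change of your account email"))
        return token  # delivered only by mail in reality; returned here for the demo

    def confirm_email_change(self, token: str) -> bool:
        """Only the holder of the link sent to the old address can complete the change."""
        if not self.pending_change or not hmac.compare_digest(token, self.pending_change["token"]):
            return False
        self.email = self.pending_change["new_email"]
        self.pending_change = None
        return True


def scenario() -> dict:
    """The thread's attack, step by step: owner logs in, cookie is stolen, replayed later."""
    secret = b"12345678901234567890"           # RFC 6238 test-vector secret (constructed)
    svc = AccountService("owner@example.test", secret)
    t0 = 1_700_000_000                         # constructed timestamps
    cookie = svc.login(totp(secret, t0), t0)   # legitimate login with a valid code
    stolen_at = t0 + 600                       # attacker replays the cookie 10 minutes later
    r = {}
    try:
        svc.disable_2fa(cookie, stolen_at)
        r["disable_2fa_blocked"] = False
    except StepUpRequired:
        r["disable_2fa_blocked"] = True
    try:
        svc.request_email_change(cookie, "attacker@example.test", stolen_at)
        r["email_change_blocked"] = False
    except StepUpRequired:
        r["email_change_blocked"] = True
    # The owner, who holds the authenticator, steps up and changes the address legitimately.
    svc.step_up(cookie, totp(secret, stolen_at), stolen_at)
    token = svc.request_email_change(cookie, "new@example.test", stolen_at)
    r["notice_to_old_address"] = svc.outbox[-1][0] == "owner@example.test"
    r["email_before_confirm"] = svc.email
    r["bad_token_rejected"] = not svc.confirm_email_change("wrong")
    r["confirmed"] = svc.confirm_email_change(token)
    r["email_after_confirm"] = svc.email
    try:
        svc.disable_2fa(cookie, t0 + SESSION_TTL + 1)   # cookie past its lifetime
        r["expired_cookie_rejected"] = False
    except SessionExpired:
        r["expired_cookie_rejected"] = True
    return r
```

Two design points worth noting: the cookie lifetime on its own does nothing against the attack in this thread, because the attacker used the cookie while it was still valid; it is the freshness check on the last 2FA verification that turns a stolen session into a read-only one. And the confirmation token is sent to the address on file before it is changed, so an attacker who can already read the new mailbox gains nothing from the notification, while the legitimate owner keeps a way back in.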
If I remember right, cookies have an expiry time. I don't know how Hetzner manages their cookies, but it should not be a very long time, so in the real world it's very hard to hack someone this way.
And I remember that if you want to change sensitive information, like a password, you need 2FA too.
In the real world it happens all the time. Even on Facebook and Instagram.