Hi!

I got hacked on my Reddit (the one I’m writing form) last month. I noticed it because of weird upvotes and comments in my timeline. They were definetly made by a person (NSFW stuff and shoes, seemed cohesive human behaviour) so I looked at the session locations and saw a sessions running in the US not having my IP. Changed my pw, logged out of all sessions and turned 2FA on (which I didn’t do before). Since then I had no problem.

I knew that Linkedin had a breach before September so I changed my pw and turned on 2FA in September. About a week or so after the Reddit hack my personal Linkedin got hacked. My account was turned invisible (others couldn’t see me) as a precaution of Linkedin I suppose after the hacker changed my profile pic to an AI woman. I still don’t understand how the 2FA didn’t help in that case? But again I changed my pw, logged out of all sessions and turned in my driver’s license to Linkedin and my account got restored within 24hrs.

Two weeks later (about three weeks ago) my personal Twitter acc got hacked and reposted one bitconnect like scam post. I had 2FA turned on and recently changed my password after the Linkedin hack. I changed my pw again, logged out of all sessions and nothing weird happened since.

Today my (own) company’s Twitter acc got hacked again and the same scam posts (from the same acc) got reposted. I have 2FA turned on but my password is from May or so. Changed the pw a minute ago and logged out of all sessions.

I used different pws on all accounts.

TL;DR: Why do I keep getting hacked? What do I have to do that it stops?

I have Bitdefender Antivirus on my PC. I was logged into Linkedin only on my PC, Reddit & my personal Twitter on my iPhone and my PC, into the company’s Twitter on my phone, my partners phone, my PC and maybe her PC - so the problem has to be on my PC!

Do I have a malware infection? Bitdefender full scan says no… Should I just run malware removal tools? Pls help 🥲

PS: I used three different email adresses for all accounts which are all not pwned on https://haveibeenpwned.com/

  • rekabis@alien.topBEnglish
    1·
    1 year ago
    • Use strong passwords. Min. 16 totally random characters, ideally 32+ from the entire lower UTF-8 address space. A decent password should look something like this: óÒ$.ؽWk-!§µ/ajçVÍ«ãYïÆï¥"î1Æ·Ê>
    • Use a different password for every account you have.
    • Implement non-SMS 2FA on all accounts. SMS 2FA is easily intercepted. You want non-SMS 2FA, a code generated by an app. Password managers such as BitWarden also have 2FA generation included in their paid tier.
    • If possible, set up different eMails for different types of accounts (an eMail for all the usernames you use on eCommerce sites, for example), or if you own a domain name, a different eMail for each and every site. Plus addressing on a single eMail account that can handle it also does much the same thing.
    • Store both passwords and 2FA in a secure place, like BitWarden or 1Password. Those two are currently the highest rated password managers available. Avoid LastPass and similar options. If you want free, Bitwarden does that, but you need to then go for a separate 2FA app; OTP Auth is my favourite on iOS, with Microsoft’s Authenticator being my go-to for all my Microsoft/Hotmail/Outlook accounts.
    • Make your password for your password manager a long, easy-to-remember phrase, something that is 64+ characters long but which can be banged out by muscle memory in less than 5 seconds. This can be a favourite quote or a line from a favourite book. Use a completely different 2FA app for just that account if you’re storing all other 2FA in the password manager.
    • studiofirlefanz@alien.topOPBEnglish
      1·
      1 year ago

      Wow, does a pw really need 16+ UTF-8 characters? 🥵

      But all your tips are super valid!!! Thanks!

      I got non-SMS 2FA turned on everywhere now, use three different emails and use no pw manager!

      • rekabis@alien.topBEnglish
        1·
        1 year ago

        does a pw really need 16+ UTF-8 characters?

        Not UTF-8, specificially, but min. 16 characters, definitely. Anything less than that is considered trivially crackable. And 16 may already be obsolete - bank on 20+.

        But completely random passwords drawn from the full UTF-8 character set is what really helps with creating a complex password.

        And honestly, that is why you should be making use of a password manager - because you really don’t want to remember more than a single solitary password - the one to your password manager. All the rest should be completely randomly generated, to the max that the service/password-field can take (but anything over 64 characters is typically extreme). You use a reputable password manager like BitWarden or 1Password to do the remembering for you.

        • studiofirlefanz@alien.topOPBEnglish
          1·
          1 year ago

          But if my pw manager is hacked then all my data is lost at once? 🤔

          Maybe that’s a discussion for another threat. But if feel suspicious about pw managers (maybe that’s stupid)