Paypal account 'hacked'. What did I do wrong?

Ok, I wrote ‘hacked’ because I know that the instances of an account ever being truly hacked are almost non-existent. However, somehow this person got access to my Paypal account and used it to order about $100 worth of Estee Lauder makeup. Luckily, I noticed it the same day it happened and I immediately filed a fraud report. I’m just really confused as to how they got my info.

First, I know my password at the time wasn’t the most super secure but it wasn’t like ‘password’ or ‘1234’. On top of that, they knew my login email. I scanned my computer with Malwarebytes and Avast. Both found nothing. I’ve had a bad habit of using the same-ish two passwords for almost everything but I’ve never had any indication of anything at all being accessed. And even so, I’ve never shared my password with anyone, nor accessed any accounts on a computer I didn’t know/trust. So I’m completely baffled as to how this happened. I’ve gone ahead and changed the passwords on everything else to randomly generated ones, which I absolutely hate. But I don’t have the funds to be able to afford these kinds of things.

Another strange thing was that the shipping address they used for the order was listed in Paypal as being confirmed. Wtf? How in the world did it get confirmed? I thought they had to do that through a credit card/bank account? There are no unusual ones in my account. I know there’s a by-mail method, but that requires photo ID. Any ideas on this?

On top of all this, the person had a strange Chinese sounding name. So I asked my friend who speaks Mandarin if it was a legit name. Nope. It means ‘happy laughing’. So not only was the jerk stealing money, they were mocking me in another language.

Was your PayPal password the same as a password used elsewhere? I had my email address and password swiped in the Great PSN Hack, and at the time it was the same as I used for my Live account, which means before too long someone logged into it and started sending spam.

First question: are you absolutely sure there really was an order placed with your PayPal account? Did you confirm that by logging directly into https://paypal.com/ (without clicking on a link)?

Second question: did your old PayPal password resemble one you’ve used on another web site or service, even a trusted one?

Yes, the only reason I found it was by logging onto Paypal to check on some money that I had coming in. I found it strange that the order went through within like 2 days of the money hitting my account. Because I rarely have money in there.

And yes, it did have the same password as a couple other sites. But I didn’t see any signs of any of them being accessed. I guess I’m just going to have to get used to having passwords like $asC5Fm3r :\

This is the sign.

Folks: never ever reuse passwords. Please. Not even similar ones.

Probably not helpful in this case, but do you know that if you log into eBay, and thus PayPal, to make a payment, your PayPal account is unlocked even when you log out of eBay? Unless there’s something I haven’t found, I have to manually go to PayPal, and yup, that puppy’s logged in and wide open.

Not necessary. Use a password that has 12 characters. It can even be a short sentence, like

I l0ve y0u m0m

(okay that has 13)

Whatever it is, use it only for accounts which access your funds (PP, bank - basically that’s it). For other accounts, like logging into SDMB for example, use a simpler password. That way there are only two PWs to remember.

I read a recent tech article saying 12 characters is the magic sweet spot for beating password cracking software. 13 characters is better, the longer the better, but at 12 chars you’re more than good enough.

A quick search led me to Wiki’s page on password strength.

This paragraph talks about the 12 chars minimum length recommendation.

Others here have also suggested things like adding the site name to your hard-ish to crack password. For example “BoardsDotStraightDopeDotComIl0ve y0u m0m”, “paypaldotcomIl0ve y0u m0m” etc. The annoyance there is that websites all have their own incompatible rules re length, special characters etc.

We’ve tended to use the “same” password all over the place but have been evolving away from that once we started using a password vault. Still use the original password for lower-risk stuff; I mean, who cares if someone logs into the Washington Post or something as me.

How it got hacked, I don’t know.

As far as how it got hacked, I dunno.

Please don’t reuse the same password in more than one place. Even if you think they’re secure. If they’re important enough to need secure passwords, they’re important enough for unique passwords.

Here’s what probably happened to the OP: s/he used similar passwords on multiple web sites. One of those web sites was compromised. The bad guys managed to obtain a list of email addresses and passwords used by all (or many) of the users registered on that site. Then they took that list and tried variations on those passwords on PayPal, Amazon, etc.

This happens all the time.

In short: if you can remember all of your passwords, it’s a bad sign. Use a password manager, or write them down somewhere safe.
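The pattern described in the post above, a leaked email/password list replayed against PayPal, Amazon and the like, leaves a distinctive footprint in the target site's login logs: one source address failing against many different accounts in a short span. Here is an added example, not from this thread or any of its posters, of a minimal detector for that footprint run over constructed log lines; the log format, IPs and account names are all made up for the demonstration.

```python
# Added example (not from the thread): a minimal credential-stuffing detector.
# It flags any source IP that attempts logins against many distinct accounts
# inside a short window, then lists the accounts that IP actually got into.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <source IP> <account> <outcome>".
# 203.0.113.5 replays a leaked list and lands one hit; 198.51.100.7 is a
# single user mistyping their own password once.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 alice@example.com FAIL
2024-03-01T10:00:02 203.0.113.5 bob@example.com FAIL
2024-03-01T10:00:02 203.0.113.5 carol@example.com FAIL
2024-03-01T10:00:03 203.0.113.5 dave@example.com FAIL
2024-03-01T10:00:04 203.0.113.5 erin@example.com SUCCESS
2024-03-01T10:00:05 203.0.113.5 frank@example.com FAIL
2024-03-01T10:05:00 198.51.100.7 alice@example.com FAIL
2024-03-01T10:05:30 198.51.100.7 alice@example.com SUCCESS
"""

def parse(line):
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome

def find_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: sorted accounts touched} for every IP that tried
    >= min_accounts distinct accounts within any sliding `window`."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in events:
        by_ip[ip].append((ts, account, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {a for _, a, _ in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[ip] = sorted({a for _, a, _ in attempts})
                break
    return flagged

def compromised_accounts(log_text, flagged):
    """Accounts where a flagged IP got a SUCCESS: these need a password
    reset and a review of recent activity, not just the failures."""
    hits = {a for _, ip, a, out in map(parse, log_text.split("\n")) if ip in flagged and out == "SUCCESS"} if False else set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, account, outcome = parse(line)
            if ip in flagged and outcome == "SUCCESS":
                hits.add(account)
    return sorted(hits)
```

Thresholds like five accounts in five minutes are a starting point; tune them against your own traffic so that shared NAT addresses (offices, carrier-grade NAT) do not trip the rule on their own.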

Don’t like six dozen workplaces tell you that writing passwords down is bad security practice?

Why in the world do you have more than a handful of places that need a secure password? You have bank accounts, a couple stores you frequent often enough not to remove your credit card number after you put it in, and maybe your primary email (if only because some places are stupid and send information they shouldn’t via that route).

I’m at least glad you recognized that there are places that don’t need a secure password, which is more than a lot of security people seem to be able to handle. But I still think you overestimate the number of sites that really matter. If it doesn’t have money in it, a secure password is overkill.

And let us not forget that this tactic only works because so many websites are stupid and use your email address as a username.

It is, but it’s not as bad as using the same email/password all over the town. It’s less bad if you do it at home and no one else can access your desk. But it’s still pretty bad.

Angelsoft - get LastPass or Roboform. Use a different random address/password for everyone. Ideally, have a couple different email addresses that you use for your bank/Amazon/Apple/Cellphone etc, so that the employees of one site don’t have the email you use on other sites. They can all be set to forward to your main email so you don’t have to check everything individually.

Because many of the things you think don’t need a secure password can be used to gain access to those that do. One seemingly unimportant account might reveal your DOB. Another might have your phone number, alternate email address, Paypal address, credit card expiry date, etc. Others might work as oracles for testing security question answers, or have OAuth permissions for your FB or Twitter accounts.

Those things might seem unimportant, but in combination they can and do lead to more important accounts being compromised. I regularly deal with people who are cleaning up the mess caused by this sort of thing, and it’s not pretty.

If you think I’m supporting the idea of unimportant passwords, then you’ve misunderstood. At some point, some of your unimportant accounts will be compromised (if they haven’t already). You need to contain the damage from that to a minimum, or eventually it will bite you. Using unique, unrelated, unpredictable passwords is necessary to do that.

Re writing down passwords: if they’re on a post-it note on your monitor, that’s bad. If they’re on a piece of paper you keep somewhere secure, that’s fine. Much better than repeating similar memorable passwords.