I received a notification last night that someone changed my shipping address on Macys.com and when I visited the website, there was an open order for a PS5 with delivery to a NJ address.
After logging into Macy’s I got 43 emails at once to seven different services like “Excalidraw” and “Sportograf” trying to login using a magic link.
At this point was was pretty nervous so I checked my main email security. Sure enough, there have been repeated login attempts under my account going on every few minutes for weeks.
I also saw there was an attempted login to my cellphone or home internet company.
I use 2FA, authenticators, etc. Basically what else should I be doing? Is there any way to be more preventative? I really don’t wanna chuck this email but it is possible that may be the safest recourse. I do use this email for almost 300 different accounts to various things though.
8/23 update
So I received this suspicious email as a “note to self” from Microsoft in my junk folder. It says it’s from my address but additionally says it’s an “unverified server.” I am leery of it being legit but it is oddly timed.
I’ve added the opening text of the email: “Hello pervert, I’ve sent this message from your Microsoft account.
I want to inform you about a very bad situation for you.
However, you can benefit from it, if you will act wisely.
Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, macOS and Windows. I guess, you already figured out where I’m getting at.”
I’ve received these emails in the past and nothing, but I figure it bears mentioning here cause I was legitimately in a less than secure situation a few days ago.
To add on, it sounds like you were phished. No shame, it happens to everyone. The best course of action when you get an email like that, DONT click the easy to press recover account button in the email. Always go directly to the site, even if the email looks legit.
From there you entered your password into, what im assuming, was a fake Macys website, where you gave the bad actors the exact info they needed to really activate it.
This sounds like EXACTLY what happened.
To add on to everyone else mentioning it, another benefit to password managers is that they auto filter themselves to the URL. So if you have a password saved for macys.com and get phished to macys-passwordreovery.com, the password manager won’t know the URL and offer no filtering. Adding the extra step of having to manually find your password entry should be a flag itself that something might be wrong.
Are you also getting a bunch of random “confirm your email address” or thank you for signing up" emails?
This sounds like it may be part of a registration bomb attack. I woke up to over 4,000 similar messages a little while back. What they were doing is hiding their actual activity by flooding my inbox. Among the thousands of emails was a notification about the new user added to my PayPal account that had been compromised. That user was trying to empty my bank account.
I caught it before any damage could be done, and the registration bomb ended shortly afterwards.
Actually that did happen at the same time now that you mention it. I managed to catch it quick though. It did happen shortly after midnight. Luckily I’m a night owl and was awake.
How did you find that one email among 4000 sign up confirmations?
It was in the first couple hundred, and I was being selective in what I read. Newsletter and verification emails could be safely ignored, while services I actually have that are attached to my bank accounts get a closer look.
I would contact support and report that address to the police. Other than that check https://haveibeenpwned.com/ and change your password to something unreasonable with >1000 characters or close to the limit of what they allow.
How are that many characters useful? Where is the benefit of 1000, let alone more than that, compared to 50?
Not much, but that’s what I do.
There are much better ways of creating strong passwords than just adding a ton of characters.
With hotmail/outlook, you can tighten up the security a bit, and stop the login attempts.
You can add an alias to you account, and then remove the permission to log in(dont actually remove it completely) from your original email. You will still recieve all the e-mails, and will work like normal, but your sign in will be different.
Likely that email or a previous email you clicked on was a phishing attack and when you logged in you gave them your password. And if you used that password anywhere else, you let them into those accounts as well. Make sure to check the links in emails are actually pointing to the expected web address and never click through warnings about SSL certificates being invalid. Better yet, never click on email links. Go into your web browser and type in the address manually. And use a password manager with unique, random passwords for every website and use a strong password and a 2FA method that requires access to a physical object or biometrics (cell phone text messages don’t count as a physical object). If you still have trouble then it could be that your 2FA method is compromised. If you’re using a cell phone, for example, it’s possible your neighborhood is the target of a stingray or similar device that mimics a cell tower. Turn off 2G if you can. But even then, that only eliminates a subset of the devices. Get a yubikey or use other, more secure, 2FA methods and be sure to disable the less secure 2FA methods, because you’re only as secure as the least secure one.
Like others have said, change your passwords, activate 2FA if available, never reuse passwords etc, etc, etc.
I have been getting repeated warnings for unsuccessful logins to my Microsoft account for some time now. I’m guessing some bad actors are just throwing whatever leaked passwords they have hoping for hits. I have 2FA turned on and a password complex enough to deter dictionary attacks, so I’m not really concerned.
I am currently using the iOS password manager. I have my qualms with it but it’s been mostly pretty solid. I was an android user for years and used a fair share of password managers, I like the iOS one the best but I know some of the new managers are much better. I don’t know any other iOS compatible password managers. I’m open to suggestions.
Also every account that uses 2FA has either an Authenticator code or email to an authentication secured email address.
bitwarden. don’t repeat passwords. setup mfa on things you haven’t already. that’s about it. new, random password for each account.
sounds like one was compromised so they’re doing a password spray on everything they can find. passwords like BD!CzuX0$Wemt2 will never be brute forced or randomly guessed, they’re usually stolen in data breaches, but if all passwords are different and not repeated, you’re doing everything you can.
“hacks” happen, you can minimize by using different passwords on each account, use bitwarden to generate and save them.
Was the password on macys randomly generated? Or do you think that could have been the same password as another website?
100%was repeated, that’s why they are spraying anything they find. most likely compromised in a breach.