
My Single Point of Failure and How It Broke


I recently had a pretty massive security breach, and I wanted to talk about it. I'll be giving a TL;DR here, but if you want to read my entire experience and takeaway, you can read it here (nuyube.xyz).

Before we get into that though, I changed my name to Nuyube. I had picked Rezuru because I thought it sounded kind of cool and I didn't see anyone who had taken the name, so I committed to it. I hadn't realized that it means something. I'll leave it up to you to find that🙂

Anyway, the problem started with my main email address that I had put nearly every account under. This account was secure by itself, but once it was paired with my entire system, it became insecure because of a recovery email that hadn't been protected sufficiently. This recovery email was compromised (the guy signed me up for things like YogaPlex too😟), which meant that he had a way into my main email address. In only four or five minutes, he was in my PayPal account and drained it. It was actually PayPal that tipped me off that something was going on. I managed to cut off his access by cutting the recovery emails, changing my password, and changing 2FA to use a different method.

The problem came when I realized that since my main email had been compromised, all of my accounts had become compromised - he had access to my entire password list from Google Chrome's password sync, too. Whether or not he actually accessed it is up in the air, but that's when the eight-hour-change-your-passwords session began. It was tiresome, but it's probably good that it happened with that specific guy - if someone had silently just recorded all of my passwords, it wouldn't have been difficult to run several attacks at once. This guy went straight for payment, and luckily didn't hit my main bank (I'd forgotten I even had a PayPal.)

Also, sidenote, if you're going to steal money from someone, don't use an address somewhere near you. That's not very smart at all. I say that because he put (presumably) his address into my account, which I can see.

The best thing I could have done in the long run was put two factor authentication on everything. Sure, it's annoying to need your phone (especially if it's dead), but it really does ramp up security a lot. So please, spend these next ten minutes securing at least your email addresses. Save yourself that headache later on, and reduce the chance of your single point of failure being broken.


I know that sometimes admins will pop into CA and read some of the posts, so I'd like to suggest adding 2FA to your login system. Google's got an authenticator system that might work well for you. Maybe SMS would be an option? I'm not sure how sending SMS works (I've never really needed to do it), but it could be worth investigating. That way, these accounts can be just that bit more secure.

Thank you for reading.

By Nuyube 3 years ago
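The post above suggests adding Google Authenticator style 2FA to the login system. As an added example (not code from this thread, and not Alpha Coders' implementation), here is the server side of that: RFC 6238 time-based one-time passwords, which is the standard Google Authenticator and Authy implement. The function names, the ±1-step drift window and the replay check are illustrative choices; the only secret used is the published RFC 4226/6238 test key, not a real user's.

```python
# Added example: RFC 6238 TOTP as a site would verify it for an authenticator
# app. Not Alpha Coders' code; names and the window/replay policy are
# illustrative, and the demo key is the RFC 4226/6238 test key.
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple
from urllib.parse import quote

STEP = 30      # seconds per time step (the "period" an authenticator app uses)
DIGITS = 6     # code length shown in the app


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, now // step)


def verify_totp(key: bytes, code: str, now: int, last_counter: int = -1,
                window: int = 1, step: int = STEP) -> Optional[int]:
    """Accept `code` if it matches the current step or one adjacent step
    (clock drift between phone and server). Returns the matched counter,
    which the caller stores as the user's new last_counter, or None.
    Counters at or below last_counter are refused so a code captured in
    transit cannot be replayed inside its 30-second validity window."""
    if not (code.isdigit() and len(code) == DIGITS):
        return None
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        # constant-time compare: don't leak which digits matched
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


def enrol(issuer: str, account: str) -> Tuple[bytes, str]:
    """Generate a fresh 160-bit secret and the otpauth:// URI the user scans
    as a QR code. The server keeps `key` (encrypted at rest) per user."""
    key = secrets.token_bytes(20)
    b32 = base64.b32encode(key).decode("ascii")      # 20 bytes -> 32 chars, no padding
    label = quote(f"{issuer}:{account}", safe=":")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")
    return key, uri


if __name__ == "__main__":
    key = b"12345678901234567890"                  # RFC test key (constructed input)
    print(totp(key, 59))                             # 287082 per RFC 6238 Appendix B
    print(verify_totp(key, "287082", now=70))        # 1: accepted, store counter 1
    print(verify_totp(key, "287082", now=70, last_counter=1))  # None: replay refused
    _, uri = enrol("Alpha Coders", "nuyube")
    print(uri)
```

The two details that distinguish a sound implementation from a naive one are both in `verify_totp`: the per-user `last_counter` turns a stolen code into a one-shot credential, and the comparison is constant-time. Rate-limit code attempts as well, since a six-digit code has only a million values.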

Nuyube,

I'm sorry you had to go through all that; security breaches snowball really fast.

Quick note for those that aren't going to read the entire thing. The BEST thing you can do on Alpha Coders is to have a strong and unique password.

As far as Alpha Coders and two factor authentication goes, it's something that we could add in the future, but we don't see a huge need for it right now. I know that might sound odd in a response to a well written experience like yours. Also a side note, 2FA through Authy or Google authenticator is MASSIVELY better than 2FA through SMS. Anyways:

Alpha Coders isn't generally a huge target, for a variety of reasons. We take measures to prevent brute forcing of passwords. So even if an attacker thought you used the same password on multiple sites, brute forcing via Alpha Coders is not going to be a viable way to go about it. There will be logins that are far more lenient behind the scenes.

We also don't feel we are a high or medium priority target. We don't store much information beyond just an email. No financials, not really much of 'value' to an attacker.

By far the most value would come from attacking Alpha Coders as a whole, rather than an individual here. Either for mass harvesting, or ransomware, so we put a lot of focus and effort there. Keep in mind we're a small team, so we do end up having to put focus in specific areas.

For a site like ours, I'm of the opinion that we do an above average job utilizing best practices (most of this happens behind the scenes). But 2FA is definitely something on our radar if it becomes prudent.

By Phaethon 3 years ago
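The reply above says the site takes measures to prevent brute forcing of passwords without saying which. As an added example (not Alpha Coders' code, whose measures this thread does not describe), here is one common such measure: a per-account failed-login counter with escalating lockouts. The class, thresholds and the `attempt_login` wrapper are illustrative; the clock is passed in so the behaviour can be checked deterministically.

```python
# Added example, not Alpha Coders' code: a per-account login throttle with
# escalating lockouts, which makes online password guessing impractical.
# Names and thresholds are illustrative choices.
from typing import Callable, Dict, Optional, Tuple


class LoginThrottle:
    """Tracks consecutive failed logins per account and locks the account for
    an exponentially growing interval once the free attempts are used up."""

    def __init__(self, free_attempts: int = 5, base_lock: int = 30,
                 max_lock: int = 3600, reset_after: int = 86400) -> None:
        self.free_attempts = free_attempts   # failures allowed before any lockout
        self.base_lock = base_lock           # first lockout, seconds; doubles each failure
        self.max_lock = max_lock             # cap on the lockout length
        self.reset_after = reset_after       # forget failures older than this
        # account -> (consecutive failures, time of last failure, locked until)
        self._state: Dict[str, Tuple[int, int, int]] = {}

    def locked_for(self, account: str, now: int) -> int:
        """Seconds of lockout remaining; 0 means a login attempt may proceed."""
        failures, last, until = self._state.get(account, (0, 0, 0))
        if failures and now - last > self.reset_after:
            self._state.pop(account, None)   # stale record: start fresh
            return 0
        return max(0, until - now)

    def record_failure(self, account: str, now: int) -> int:
        """Count a wrong password; returns the lockout applied (0 while under threshold)."""
        failures, _, _ = self._state.get(account, (0, 0, 0))
        failures += 1
        lock = 0
        if failures > self.free_attempts:
            lock = min(self.max_lock,
                       self.base_lock * 2 ** (failures - self.free_attempts - 1))
        self._state[account] = (failures, now, now + lock)
        return lock

    def record_success(self, account: str) -> None:
        """A correct password clears the failure history."""
        self._state.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str, now: int,
                  check_password: Callable[[str, str], bool]) -> str:
    """Wrap a password check in the throttle. Returns 'ok', 'locked' or 'bad'.
    A locked account is refused before the password is even evaluated, so an
    attacker gains no information (and no guesses) during the lockout."""
    if throttle.locked_for(account, now) > 0:
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad"


if __name__ == "__main__":
    # Constructed scenario: an attacker guesses at 'alice' once per second.
    throttle = LoginThrottle()
    check = lambda account, pw: pw == "correct horse battery staple"
    for t in range(8):
        print(t, attempt_login(throttle, "alice", f"guess{t}", t, check))
    # After the 5 free attempts the sixth guess locks the account for 30 s,
    # so guesses 6 and 7 are reported as 'locked' without being evaluated.
```

A per-account throttle alone lets an attacker lock a victim out on purpose, so in practice it is paired with per-IP limits and a lockout cap. It also only slows online guessing; it does nothing against a password reused from another site's leaked database, which is why the reply's first advice is a strong, unique password.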

Mr. West,

It's great to see a reply from you! I understand that 2FA might not be important for Alpha Coders yet, but I just felt like it might be a good idea to do it soon rather than later. Speaking of, what's the security flaw with SMS verification? Is it something like SMS Hijacking, or how does it work? 

Looking forward to your reply!

By Nuyube 3 years ago

You're spot on, it's usually SMS hijacking via social engineering. Mostly you see this with high value targets; they'll call up support and verify enough with the support tech that they get the number switched to a different phone.

If a service only offers SMS, it's really not something to be super worried about. But if a service offers 2FA through multiple means, the general recommendation is to use an authenticator app if offered.

By Phaethon 3 years ago

I hadn't thought of the social engineering type attack. I had thought of some 200 IQ crazy exploit they'd use, not just getting information directly from you. I guess that's why it's such a common attack- it's not something that you'd immediately think of as suspicious. Not as much as someone going after your phone, at least.

By Nuyube 3 years ago

