DEV Community

William Baptist

I Was Hacked: What I’ve Learned Since

It was Easter 2018. I was still in high school, and like many teenagers, I was a bit reckless. I signed up for a website that promised safety, unaware of its history of data breaches. Little did I know that my personal information, along with that of thousands of other users, was at risk from the moment I signed up. What followed was a startling truth about cybersecurity that many people still find hard to admit.

Fast forward to 2021, and I’m a college student who has developed a deep interest in cybersecurity. I devoured countless articles preaching the gospel of multi-factor authentication, but let’s be real: theory is nothing without practical application. Little did I know, a real-world problem was lurking around the corner, ready to test my knowledge and skills.

It all began with a notification on my phone from an old Amazon account. The message informed me that my account had been used to purchase a high-end camera and lens worth several thousand pounds. The destination? Grimsby, of all places.

Photo by [Chris Hoffman](https://www.howtogeek.com/297098/how-to-stop-amazons-email-text-or-smartphone-app-notifications/)

To my surprise, I was still able to log in even though the account had clearly been compromised. When I dug into it later, I found that the two-factor check on the account could be bypassed: an Amazon email address and password were all the perpetrator needed to place orders without any hassle.

The irony of the situation hit me hard. I thought I had taken all the necessary precautions and followed the cybersecurity practices I had learned in college. But as it turns out, all it takes is one small mistake to compromise your whole set of defences.

As I reflect on this experience, I can’t help but acknowledge the emotional impact it had on me. Back in high school, I was careless, and there was far less at stake. But when I learned that my data had been breached, I felt violated and exposed. It was a wake-up call that made me realise the importance of proactive cybersecurity and motivated me to take action.

Photo by [Nils Huenerfuerst](https://unsplash.com/@nhuenerfuerst?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyTex)

I refused to be a victim again, so after (eventually) getting a refund from Amazon and resetting everything, I devised a plan:

Actively monitoring accounts

Had I known that the accounts holding my financial details had been breached, this entire incident could have been avoided. I started checking my accounts regularly for suspicious activity and sign-ins from unknown devices, and I checked haveibeenpwned.com for every email address I use (it can also notify you when an address you own turns up in a new breach). I set up alerts and notifications for unauthorised access so that, if anything looked off, I could act quickly: change passwords, revoke sessions and access tokens, or contact support. I also came to appreciate monitoring software such as SentryPC, which automates much of this.
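The haveibeenpwned.com check can be automated without ever sending a password, or even its full hash, to the service. The script below is an added example, not code from the original post: it uses the site's Pwned Passwords range API (a real endpoint that takes the first five hex characters of the SHA-1 hash and returns every suffix in that bucket with a breach count). The sample bucket and its counts are constructed so the check runs offline; the `fetch` parameter lets a caller swap in the live lookup.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API.

k-anonymity: only the first 5 hex characters of SHA-1(password) leave the
machine; the response lists every suffix in that bucket, and the match is
made locally.
"""
import hashlib
import hmac
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_split(password: str):
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex
    characters of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response ('SUFFIX:COUNT' per line) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; only the 5-character prefix is sent."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=None) -> int:
    """Return how many times the password appears in known breaches (0 if
    unseen). `fetch(prefix)` must return the bucket body for that prefix;
    it defaults to the live API."""
    prefix, suffix = sha1_split(password)
    body = (fetch or fetch_range)(prefix)
    # compare_digest keeps the comparison time independent of how many
    # leading characters of a candidate suffix happen to match
    for candidate, count in parse_range(body).items():
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0


# Constructed sample of the bucket for prefix 5BAA6 (the bucket that holds
# "password"). Real responses contain hundreds of lines; these counts are
# made up for the example.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed bucket only."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = sha1_split(pw)
        print(f"{pw!r}: prefix {prefix}, seen {check_password(pw, fetch=offline_fetch)} times")
```

Because a bucket holds only a few hundred candidates, the service learns nothing useful about which password was checked, which is why this lookup is safe to run against real credentials; run `check_password(pw)` with no `fetch` argument for the live query.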

Account diversification

Diversifying your accounts isn’t just for stock portfolios. After my cybersecurity nightmare I realised the value of diversifying my email accounts. Rather than tying all my financial information to a single address, I created several accounts for different purposes, so that if one is compromised the rest stay secure. There are degrees of diversification, from a different password per account to a different username and email address for each; the more you vary, the less one breach reveals about your other accounts.

Photo by [Joshua Woroniecki](https://www.pexels.com/photo/a-hand-holding-white-card-on-top-of-a-laptop-5031038/)

Two-step verification for every account

Relying on different passwords alone clearly wasn’t enough, even with my diversification scheme. I turned on two-step verification for all my accounts, choosing an authenticator app that generates a time-based one-time password (OTP) rather than SMS codes.

Here’s an example of how to enable two-step authentication for your Google account:

  1. Go to your Google Account settings.

  2. Go to the Security tab.

  3. Click on the 2-Step Verification section.

  4. Provide your phone number to receive a verification code via text message, or, better, set up an authenticator app such as Google Authenticator or Authy. SMS codes can be intercepted through SIM-swap attacks and are phishable, so prefer the app (or a hardware security key) where the service supports it.

  5. Once two-step verification is set up, you will be prompted for a verification code after entering your password. The code is sent to your phone by text or generated by your authenticator app, depending on the method you chose.

Honeypotting

Finally, and somewhat controversially, I decided to set up decoy accounts stuffed with enticing-looking information to draw attackers away from my real data. Setting up fake accounts or systems to attract attackers is called honeypotting, and it is a common cybersecurity strategy; in practice the decoy is monitored, so that any activity on it is by definition unauthorised and acts as an early warning. I created multiple fake accounts on different platforms, using fabricated names and personal details that an attacker would find attractive, so that they would be drawn to these accounts instead of my real ones, providing an additional layer of protection.

For your honeypot accounts, I would recommend seeding a variety of enticing-looking information, for example:

  1. A decoy email account containing messages with subject lines such as “passwords” or “account information”.

  2. A fake social media account that appears to leak personal information (all of it fabricated).

  3. An old account you have held for a while on a secure website, changed so that it also appears to leak personal information.

Photo by [Kenny Eliason](https://unsplash.com/de/@neonbrand?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)

I have found that deliberately wasting the time of someone trying to steal your personal information can meaningfully improve your online security. I acknowledge that building honeypots is time-consuming and demands continuous upkeep, but I personally find it rewarding to study the techniques attackers use.
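Decoy accounts only pay off if something watches them: no legitimate user ever signs in to a decoy, so any attempt against one is a high-confidence signal, and the source of that attempt is worth re-examining across the real accounts. The detector below is an added example, not part of the original post; the decoy usernames, the `login user=... ip=... result=...` log format and the sample log lines are all constructed for the illustration.

```python
"""Honeytoken detection over sign-in logs: flag any touch of a decoy
account, then flag everything else the same source did, including
successful logins to real accounts."""
import re

# Hypothetical decoy usernames that exist only to be watched
DECOY_ACCOUNTS = {"payroll-archive", "old-admin", "j.finance.backup"}

# Constructed log format: "<timestamp> login key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+login\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("kv").split():
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    fields["ts"] = m.group("ts")
    return fields


def detect(lines, decoys=DECOY_ACCOUNTS):
    """Two passes over the log: (1) any event naming a decoy account is a
    'honeytoken' alert and taints its source IP; (2) every non-decoy event
    from a tainted IP becomes a 'pivot' alert, even if it happened earlier
    in the log. Alerts are returned in timestamp order."""
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    tainted_ips = set()

    for e in events:
        if e.get("user") in decoys:
            alerts.append({"type": "honeytoken", "ts": e["ts"],
                           "user": e["user"], "ip": e.get("ip", "?"),
                           "result": e.get("result", "?")})
            tainted_ips.add(e.get("ip"))

    for e in events:
        if e.get("ip") in tainted_ips and e.get("user") not in decoys:
            alerts.append({"type": "pivot", "ts": e["ts"],
                           "user": e.get("user", "?"), "ip": e["ip"],
                           "result": e.get("result", "?")})

    alerts.sort(key=lambda a: a["ts"])
    return alerts


# Constructed sample log: 198.51.100.7 is a normal user; 203.0.113.9 probes
# two decoys between a failed and a successful login to the real account "bob".
SAMPLE_LOG = """\
2024-03-02T08:14:03Z login user=alice ip=198.51.100.7 result=success
2024-03-02T08:20:11Z login user=bob ip=203.0.113.9 result=failure
2024-03-02T08:20:15Z login user=payroll-archive ip=203.0.113.9 result=failure
2024-03-02T08:20:16Z login user=old-admin ip=203.0.113.9 result=failure
2024-03-02T08:22:40Z login user=bob ip=203.0.113.9 result=success
2024-03-02T09:01:00Z login user=alice ip=198.51.100.7 result=success
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['type']:10} user={alert['user']} "
              f"ip={alert['ip']} result={alert['result']}")
```

The second pass is what makes the decoy worth more than a tripwire: the successful login to `bob` from 203.0.113.9 looks ordinary on its own, and only the earlier probe of `payroll-archive` from the same address reveals that `bob`'s password has most likely been guessed or reused.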

Through this experience, I came to understand that cybersecurity is not just a buzzword; it’s a critical aspect of our digital lives that cannot be taken lightly. It’s easy to be passive when you see yourself as a defender, but most of the time the best form of defence is attack, and the real challenge lies in applying that mindset in our daily lives. For me, that meant learning from my mistakes and taking the necessary steps to secure my online presence, which is what I hope my plan shows you.

Top comments (19)

spO0q 🐒

> I thought I had taken all the necessary precautions and followed the cybersecurity protocols I had learned in college. But as it turns out, all it takes is one small mistake to compromise your entire digital defensive framework.

Happens all the time.

Very nice share. Although, I would not recommend the "teasing strategy" to everyone, especially beginners.

Sometimes, there's no need for it. You'll be attacked by some random kiddies or more advanced fuckers (sorry for my language, but I've no consideration for these guys).

Don't feed the troll, as you don't know who you're dealing with and whether the cybercriminal takes it as a game or not.

In my experience, defense in layers works with such adversaries, but it's not bulletproof. Nothing is. In any case, have a good security hygiene and do everything you can to protect what is valuable to you (threat model) while keeping things simple and a normal life.

William Baptist

Thank you for the contribution to the article; I agree with your perspective. From the point of view of a researcher, it's just in my nature to bait so I can learn, but for most people, you're absolutely right that it's a step too far.

spO0q 🐒

I understand your curiosity. However, even as a researcher, it's a dangerous field. Don't get me wrong. I love these topics too, but like the movie says "you see them, they see you" ^^

I've seen many professionals using honeypots, but with strict rules and compartmentalizing.

Michael Casile

I try (often futilely) to control my language, but these types tend to bring out the worst in me as well.

Ravavyr

Creating fake accounts and all that is just too much freaking work.
Also, 99.9999% of hacks are due to a bot finding something stupid you did some time ago that you forgot about. You can patch it and move on, it's not a nightmare scenario.

A nightmare scenario is a hacker who stalks you, tracking any and all your info just to screw with you every chance they get.
You know how you end up there? By honeypotting them, teasing them, annoying them.

The average joe is better off just using 2-step auth, changing their passwords periodically and trying not to reuse the same passwords in multiple places.

Every time someone tempts hackers, they get hacked. That's the name of the game.

Jakub Narębski

> I checked sites like haveibeenpwned.com regularly for every email I use.

You can also subscribe to notification on this site (assuming that you own the email in question). This is the only way to get information about being in sensitive breaches.

> Provide your phone number so you can receive a verification code via text message or set up an authentication app, such as Google Authenticator or Authy.

Even better than using SMS (not that safe because of SIM-swap attacks, and phishable, but better than nothing), or OTP (better, but still phishable), is to use U2F hardware key like FIDO.

Ian Owira

I just thought about it now, but wouldn't it be much safer to just remove your card information from sites like Amazon? That way, if your account gets compromised, you won't have to go through the headache of getting refunded.

I also find that updating passcodes every 6 to 12 months for sensitive accounts goes a long way.

Rachel Fazio

Wonderful article with super great tips, thank you for sharing!

Football Italia Foro

You seem to have a lot of email accounts. What solution do you use to store their passwords?
Browsers only store them in plaintext AFAIK, so I'm looking for a solution.
Passbolt is good in a corporate environment where you can host it on prem but i'm looking for something more suited for a home network.

William Baptist

I've honestly never used a password manager before; I tend to save passwords in files on a USB.

Hiro

I use Passbolt to manage my private passwords along with my teammates. However, this is not a good fit for personal use. There are some options like LastPass, KeePass, Dashlane and Bitwarden. Google these password managers and find out your best choice. 😎

Football Italia Foro

Thanks! I'll check out those suggestions.

Bill Miller

I'm surprised that nobody mentioned to NOT give valid information for sites that insist on it, like birth date. No site (other than potentially a financial/banking site) needs to know your actual birth date, especially social media sites! I give no accurate information to any site that doesn't actually need the information. This also gives a weak oracle for a spear-phishing attack, as you would hopefully put unique information in each site, which gives you a hint as to which one was compromised.

William Baptist

That's a really good point that I missed in the article. You don't owe any company your information.

Janar Jürisson

I got scared this year when someone accessed my old e-mail account and turned on two-factor for LinkedIn (with their phone number), so I was not able to log in anymore. I surely had not updated that e-mail password for a while, and it's probably pwned. I had that e-mail also connected to my LinkedIn account.

Luckily LinkedIn had a very good recovery process involving sending government ID documents and everything resolved within minutes.

Douglas Muth

> This way, hackers would be drawn to these fake accounts instead of my real ones, providing an additional layer of protection.

I don't think that's going to help--any reasonably sized attack is going to be automated. The work spent creating extra accounts and trying to make them look "enticing" will take longer than the CPU cycles that add one more account to the list of accounts to try and phish.

The suggestion of using 2FA is an excellent one, however. I wish everyone did that.

BARTHOLOMEW SHEKARI

Awesome share. Keep it up