Advice Request: People logging into my accounts despite 2FA being enabled.

Status
Not open for further replies.

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
People are logging into my accounts despite 2FA being enabled and me changing all my passwords. I need someone to look at my computer and help clean it.
 

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
380
The problem is, if your attackers never disconnect from your accounts, never close their browser etc. Then they would not have to go thru 2FA. When you sign on to several gmail accounts in different tabs, you get the option to 'sign out of all accounts' . Try that.

2) A Windows RESET is not the same as a Reinstall. With a reinstall: boot from USB setup stick > custom install, you get the chance to delete all partitions and start from a blank hard drive. This eliminates things like boot sector infections, I think. Whenever I am in doubt of this, I use Parted Magic to secure erase my NVMe before proceeding with Windows Reinstall. Parted Magic is not free, but their older versions are. You can google for it. Parted Magic boots from USB stick. So you need 2 USB sticks; one for Parted Magic and one for Windows setup. Don't shy from this expense, it appears you need it.

3) when doing a Windows Reinstall, you should be OFFLINE. Turn off your modem. Then at the 3rd last reboot, press SHIFT F10. This will produce a command prompt. Type 'OBBE\Bypassnro;' . This will cause a reboot, then you get the choice 'I don't have internet' and thus can continue without setting up a MS Account. Once you are into Windows, do all the setting up and configuration of Settings. Then install your drive image program and do a drive image backup. This Offline Configuration Complete drive image you should keep. THEN, you can go online and continue setting up installing programs that are online installs, like Chrome or your AntiMalware.

If you care to look it up, security controls include administrative, technical and physical. Point 2) and 3) are considered administrative / procedural controls. They are manual procedures that you have to follow without exception. Your security controls are not complete if you don't have all 3. All organizations with mature security stance have them.

You have gained MalwareTips level 13 - you have done enough poking around with the anti-malware layer. It is time to learn some security principles and theory. Go study for the Comptia Security+ exam.
 
Last edited:

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
The problem is, if your attackers never disconnect from your accounts, never close their browser etc. Then they would not have to go thru 2FA. When you sign on to several gmail accounts in different tabs, you get the option to 'sign out of all accounts' . Try that.

2) A Windows RESET is not the same as a Reinstall. With a reinstall: boot from USB setup stick > custom install, you get the chance to delete all partitions and start from a blank hard drive. This eliminates things like boot sector infections, I think. Whenever I am in doubt of this, I use Parted Magic to secure erase my NVMe before proceeding with Windows Reinstall. Parted Magic is not free, but their older versions are. You can google for it. Parted Magic boots from USB stick. So you need 2 USB sticks; one for Parted Magic and one for Windows setup. Don't shy from this expense, it appears you need it.
I’ve changed passwords and signed out of all sessions except the current one on most if not all my accounts. I’ve also wiped Windows clean on my devices except for the new PC, but I don’t see how it can be infected as I’ve run nothing, and if I did it would have been blocked by Kaspersky default deny.

When I say wipe windows clean, I mean that I’ve done the one in settings and set it to “Wipe All Drives”, which isn’t just files it does some deeper clean. I ordered a USB though.
 
Last edited:
  • Like
Reactions: Dave Russo

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Don't argue with me and present lazy work arounds. The Clean Install - deleting all partitions is the universally accepted way of doing it.
Never intended to argue with you. I will do that when I get the chance, as I literally do not have a USB yet.
 
  • Like
Reactions: Dave Russo

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
380
OK Let me give you an explanation. When you use a USB Windows setup stick, you are not booting using the boot settings on the HD. That skips over any possible infection of the boot up process. And two, by visually seeing that you have deleted all partitions, you don't leave anything to guesswork - you have verification. The Parted Magic secure erase gives me an additional verification. There is actually a checkbox on the secure erase dialog that initiates an additional verify stage. Hackers have had a long time to investigate and possibly tamper with the Windows Setup process. So, I do not trust it totally.

Trust is a dangerous thing in security. If you trust something, then you never look at it again. You have to second guess yourself periodically.
 
Last edited:

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
People are logging into my accounts despite 2FA being enabled and me changing all my passwords.
Generic and vague. We need you to provide more background information, be as detailed as possible.
  1. Can you list all accounts & services that are affected? (Provide screenshots of proof if necessary).
  2. Which method of authentication is being used for these accounts? Are all 2FA codes stored using the same app? Where are your backups stored?
  3. Have you revoked permissions and devices of the affected accounts?
  4. What kind of suspicious IP addresses are you seeing for your accounts?
  5. Are the accounts and passwords being changed immediately after YOU access/change them? How do you know this is happening?
  6. Do you use any VPN service, free or paid, on-device or router?
Have you requested the accounts to be temporarily locked?

2nd Factor Authentication is only another layer of defence, it is not bulletproof against unauthorised attackers if that layer is compromised.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Generic and vague. We need you to provide more background information, be as detailed as possible.
  1. Can you list all accounts & services that are affected? (Provide screenshots of proof if necessary).
  2. Which method of authentication is being used for these accounts? Are all 2FA codes stored using the same app? Where are your backups stored?
  3. Have you revoked permissions and devices of the affected accounts?
  4. What kind of suspicious IP addresses are you seeing for your accounts?
  5. Are the accounts and passwords being changed immediately after YOU access/change them? How do you know this is happening?
  6. Do you use any VPN service, free or paid, on-device or router?
Have you requested the accounts to be temporarily locked?

2nd Factor Authentication is only another layer of defence, it is not bulletproof against unauthorised attackers if that layer is compromised.
1: So far I’ve seen suspicious logins for Discord and Bitdefender Gravityzone.
2: At the time of the login, I believe google Authenticator was being used only for Bitdefender. My google account is not compromised.
3: For discord, yes. I do not know how to on Bitdefender.
4: I cannot check for a few days (I’ve told my parents about all this since I think it’s important for them to know, and they’ve temporarily taken my computer since I’ve stressed myself out about this too much, which sucks); however, it is an IP address coming from Denver, Colorado.
5: It happened February 13th. I changed Bitdefender password in the morning. Discord and Bitdefender were logged into later that evening. I’ve changed passwords to both of those accounts.
6: I have Kaspersky VPN, but it was not on at the time of these logins.

Could this possibly be someone having my Kaspersky Password Manager main password, or is it where you must be signed into My Kaspersky (as far as I can tell, no suspicious devices added to my account)?

Edit: Apparently there’s going to be some sort of safeguard they’re putting on my computer to make me not be able to look at emails or change passwords to accounts and stuff, so, I don’t really know what to do.
 
Last edited:

SumTingWong

Level 28
Verified
Top Poster
Well-known
Apr 2, 2018
1,721
@Xeno1234

Have you tried to revoke the API key?

Steam, for example, lets third-party websites store and use a Steam account API key for login. An API key will let unauthorized users bypass the 2FA security method.

Try: Reset your router to default. Clear cookies and data on all your computers. Scan the computer for viruses. Make another clean email on another virus-free computer or smartphone, then use the virus-free computer or your phone to change your email.

Disconnect this account from all password stored/saved application or service.

If you use a phone number to confirm your 2FA, then try a Google Voice number or another person's phone number you can access physically to confirm your 2FA, and monitor whether your current phone number got double-SIM hijacked.

Contact the support team. I believe they have a way to brute force logout your account on all devices, and give you a new 2fa code.

Do you have any backup email linked to this account? If so, disconnect all of em or make another clean one.

I doubt that you are a victim of double-SIM hijacking.
 
Last edited:
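To make Victor M's point about never-expiring sessions and SumTingWong's point about API keys concrete, here is an added toy model (written for this thread, not any real service's implementation; all names and values are constructed). It shows that a password change alone leaves an already-issued session token and an API key working, because 2FA is only checked at interactive login; bumping the session generation ("sign out of all sessions") and revoking keys is what actually locks a holder out.

```python
import secrets
from dataclasses import dataclass, field

# Constructed toy account model (assumed; not any real service's implementation).
@dataclass
class Account:
    password: str
    session_generation: int = 0                   # bumped by "sign out of all sessions"
    sessions: dict = field(default_factory=dict)  # token -> generation it was issued under
    api_keys: set = field(default_factory=set)    # long-lived keys handed to third-party apps

def login_with_2fa(acct, password, otp_ok):
    """Interactive login: password and second factor are checked once, then a bearer token is issued."""
    if password != acct.password or not otp_ok:
        return None
    token = secrets.token_hex(16)
    acct.sessions[token] = acct.session_generation
    return token

def request_with_session(acct, token):
    """Every later request presents only the token: no password and no OTP is asked for."""
    issued_under = acct.sessions.get(token)
    return issued_under is not None and issued_under == acct.session_generation

def request_with_api_key(acct, key):
    """API keys skip the interactive login, and therefore 2FA, entirely."""
    return key in acct.api_keys

def change_password(acct, new_password):
    acct.password = new_password  # deliberately leaves sessions and keys untouched, as many services do

def sign_out_everywhere(acct):
    acct.session_generation += 1  # every token issued under an older generation now fails

def revoke_api_keys(acct):
    acct.api_keys.clear()

def walkthrough():
    """Returns which access paths still work after each defensive step."""
    acct = Account(password="old-password")
    acct.api_keys.add("constructed-third-party-key")
    token = login_with_2fa(acct, "old-password", otp_ok=True)  # an earlier successful login
    result = {}
    change_password(acct, "new-password")
    result["session_after_pw_change"] = request_with_session(acct, token)
    result["api_key_after_pw_change"] = request_with_api_key(acct, "constructed-third-party-key")
    sign_out_everywhere(acct)
    result["session_after_signout"] = request_with_session(acct, token)
    revoke_api_keys(acct)
    result["api_key_after_revoke"] = request_with_api_key(acct, "constructed-third-party-key")
    result["relogin_needs_2fa"] = login_with_2fa(acct, "new-password", otp_ok=False) is None
    return result
```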

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
380
Edit: Apparently there’s going to be some sort of safeguard they’re putting on my computer to make me not be able to look at emails or change passwords to accounts and stuff, so, I don’t really know what to do.
At the time of the login, I believe google Authenticator was being used only for Bitdefender. My google account is not compromised.
I don't understand. Are you using a Gmail account for GravityZone ? You say your Gmail account is not compromised. But you say "there's going to be" ...." make me not able to look at emails". Did the attackers make you unable to read your Gmail emails ?
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
I don't understand. Are you using a Gmail account for GravityZone ? You say your Gmail account is not compromised. But you say "there's going to be" ...." make me not able to look at emails". Did the attackers make you unable to read your Gmail emails ?
Gravityzone has a gmail email attached to it, yes. My google account is not compromised. When I say that I will not be able to look at emails, I mean that my parents are placing safeguards on my stuff because I’ve worried about this too much, which sucks (if you don’t know, I’m only 15). I need to calm down a bit
 
Last edited:
  • Like
Reactions: Nevi and Victor M

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
380
Worrying about something is when you have jumbled thoughts. You're jumping to this thought and then another. Write down the possible attacks. Then remedy each one by one.

You implemented default deny using Kaspersky. Have you thought of ways that it could be circumvented? Write them down.
I suggested that malware may be affecting the boot process and that your Windows reset may leave them still embedded. Write it down. And you've ordered a USB. So a remedy to this is in the works. Write it down too.
Write down other ways the attackers can know about and change your Bitdefender + Discord password. Use your security knowledge and list all the attacks you know.

Carefully writing down problem points will enable you to see and read them. Then you can think of how to remedy each one at a time. Then you won't have jumbled thoughts.
Writing down and reading them will make your head clearer.

Solutions to each point may involve several steps. Don't let that faze you. List down all the steps. Execute those steps one by one and you will have that point addressed and eliminated the possibility of that attack.
 
Last edited:
  • Like
Reactions: simmerskool

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
380
@jango. Paranoia is not a problem. We are security professionals, we are Paid to be a bit paranoid. It is problem solving skills that he needs. Address each individual security problem and a bit of that paranoia is eliminated one at a time. He is smart, asks a lot of questions. Once he gets thru this attack, he will gain more experience.
 
Last edited:

Jengo

Level 6
Well-known
Nov 9, 2022
283
@jango. Paranoia is not a problem. We are security professionals, we are Paid to be a bit paranoid. It is problem solving skills that he needs. Address each individual security problem and a bit of that paranoia is eliminated one at a time.
I think you missed my point: he talks almost the same as another one, and that one was trolling at the time.
 
  • Like
Reactions: Oldie1950

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Worrying about something is when you have jumbled thoughts. You're jumping to this thought and then another. Write down the possible attacks. Then remedy each one by one.

You implemented default deny using Kaspersky. Have you thought of ways that it could be circumvented? Write them down.
I suggested that malware may be affecting the boot process and that your Windows reset may leave them still embedded. Write it down. And you've ordered a USB. So a remedy to this is in the works. Write it down too.
Write down other ways the attackers can know about and change your Bitdefender + Discord password. Use your security knowledge and list all the attacks you know.

Carefully writing down problem points will enable you to see and read them. Then you can think of how to remedy each one at a time. Then you won't have jumbled thoughts.
Writing down and reading them will make your head clearer.

Solutions to each point may involve several steps. Don't let that faze you. List down all the steps. Execute those steps one by one and you will have that point addressed and eliminated the possibility of that attack.
So far I’ve narrowed it down to a possible Kaspersky Password Manager breach. I’ve changed the main password and disabled syncing between devices; however, the main password I changed it to is one that is used for other accounts. Still, I’m pretty sure disabling syncing between devices locks attackers out.
 
  • HaHa
Reactions: Jengo

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
380
disabling syncing between devices still locks attackers out
If you have addressed the possibility of a Kaspersky Password Manager breach, then good. Now see if there's a way to test it out.
If you have other attack possibilities left, go establish counter measures for them.

Personally, I don't like password managers that store passwords in the cloud. First, I do not move from PC to PC, so I don't need that access-from-anywhere capability. Do you need that capability? I had Kaspersky a year ago and never chose to use it.
 
Last edited:
  • Like
Reactions: simmerskool

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
380
@Jengo. If I remember that thread, he lost focus of the risk he wanted addressed which was java malware.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
So far, nothing else has happened. Changed the Kaspersky main password and also changed Google account passwords to be safe. How can I revoke Google Authenticator access from all devices? I’ve logged out all sessions on PC and phone. I’ve only used Authenticator while logged into my main Google account. Is it account based? I’ve also used Authenticator signed out and it kept all codes, but if I reinstalled the app it didn’t. Is there a way to ensure I revoke 100% of access?

There are no recent suspicious devices in google. Last one I’m not sure about was logged into in December, and was signed out before I changed all passwords. All other devices say the location that I am currently in.
 
Last edited: