I received a notification last night that someone changed my shipping address on Macys.com and when I visited the website, there was an open order for a PS5 with delivery to a NJ address.
After logging into Macy’s I got 43 emails at once to seven different services like “Excalidraw” and “Sportograf” trying to login using a magic link.
At this point was was pretty nervous so I checked my main email security. Sure enough, there have been repeated login attempts under my account going on every few minutes for weeks.
I also saw there was an attempted login to my cellphone or home internet company.
I use 2FA, authenticators, etc. Basically what else should I be doing? Is there any way to be more preventative? I really don’t wanna chuck this email but it is possible that may be the safest recourse. I do use this email for almost 300 different accounts to various things though.
It goes without saying that you should change your passwords immediately. Do you use the same password for multiple things? If so, stop that.
And use a password manager like Bitwarden
Bitwarden and Bitwarden Authenticator are the GOATs.
To add on, it sounds like you were phished. No shame, it happens to everyone. The best course of action when you get an email like that, DONT click the easy to press recover account button in the email. Always go directly to the site, even if the email looks legit.
From there you entered your password into, what im assuming, was a fake Macys website, where you gave the bad actors the exact info they needed to really activate it.
This sounds like EXACTLY what happened.
To add on to everyone else mentioning it, another benefit to password managers is that they auto filter themselves to the URL. So if you have a password saved for macys.com and get phished to macys-passwordreovery.com, the password manager won’t know the URL and offer no filtering. Adding the extra step of having to manually find your password entry should be a flag itself that something might be wrong.
Firstly, probably remove the address from the OP. Don’t want any Lemmy vigilantes getting involved and making a mess of things.
If you have 2fa enabled, you should be good. Even if they do guess your password, they shouldn’t* be able to log in to your account. Although might still be worth making sure you have a nice strong password anyway. Also, if you have recovery phone numbers or email addresses attached to your email account, make sure they’re secured as well.
* Assuming that your webmail provider is doing everything correctly, which isn’t always a given if they’re a small one.
I’m okay with the attacker’s IP being public domain
You’re assuming that the attacker is using their own IP rather than a compromised system owned by someone else.
Likewise, they might be using someone else’s address with the intent to steal a package from their porch or something.
It’d be rather silly for a theif to use their own details.
These losers train each other to try to remote desktop into victims’ machines.
OP probably also needs to secure their mobile account, since the attacker could redirect recovery or MFA SMSs to their own number.
Check if your email service has an option to log off from all devices first. This will close any active sessions and prevent anyone that might be already logged in to do anything without logging in again.
Then change your password.
If you have 2FA, try to use something like an authenticator app instead of a cell phone number to receive an SMS message. Sim cards can be cloned. Authenticator apps can’t.
It’s worth noting that the option to log out all devices sometimes doesn’t happen immediately. Microsoft’s 365, for example, isn’t immediate for all devices. If a massive player doesn’t behave the way a user might expect, that’s indicative of how chaotic the landscape can be. Good luck!
I would contact support and report that address to the police. Other than that check https://haveibeenpwned.com/ and change your password to something unreasonable with >1000 characters or close to the limit of what they allow.
How are that many characters useful? Where is the benefit of 1000, let alone more than that, compared to 50?
Not much, but that’s what I do.
There are much better ways of creating strong passwords than just adding a ton of characters.
May not apply here but
Note sometimes fraudsters use email bombing when they place orders on an account of yours. They want you to miss the order confirmation/shipping/pickup notifications.
Imagine if they put their brainpower to real jobs
Password managers such as Bitwarden have password generators that you can use to make on the fly secure passwords (example: gnb*a&2$d9Uzej). You should ideally make the max length that the individual sites supports. Use that for every important account, especially your main email address, especially the one you use for your phone if you are on Android.
Add to this: make sure that your Bitwarden password–or passphrase–is also strong enough to resist attacks. Especially if the email account linked to it is the one that they’re trying to break into.
Like others have said, change your passwords, activate 2FA if available, never reuse passwords etc, etc, etc.
I have been getting repeated warnings for unsuccessful logins to my Microsoft account for some time now. I’m guessing some bad actors are just throwing whatever leaked passwords they have hoping for hits. I have 2FA turned on and a password complex enough to deter dictionary attacks, so I’m not really concerned.
I’ve had the same Microsoft ones for years now. At least once a week there’ll be a block of 10 - 20 of those emails. Guess they still haven’t succeeded!
Whats a dictionary attack? I’ve never heard that term before
Basically, guessing lots of passwords from a list (dictionary): https://en.wikipedia.org/wiki/Dictionary_attack
Well I feel dumb, lol it seems obvious now that you said it
Don’t feel dumb, asking questions and reading is how we learn.
First, same advice as everyone else. Change your passwords. Password managers are great. I like keepass.
Regarding the email, this looks like a Hotmail/Microsoft/Outlook account. Their security page sucks ass. It lists every time someone unsuccessfully tries to log in. “Unsuccessfully” as in they tried your email with an incorrect password. Of course hackers are going to try to break into your account. You really only need to worry about successful logins that aren’t you.
After logging into Macy’s I got 43 emails at once to seven different services like “Excalidraw” and “Sportograf” trying to login using a magic link.
If you never use this kind of signin method, I’d make a rule to automatically delete those emails with the magic link so that you don’t accidentally use them.
Other than that, a secure password and 2FA are your best defenses.
Are you also getting a bunch of random “confirm your email address” or thank you for signing up" emails?
This sounds like it may be part of a registration bomb attack. I woke up to over 4,000 similar messages a little while back. What they were doing is hiding their actual activity by flooding my inbox. Among the thousands of emails was a notification about the new user added to my PayPal account that had been compromised. That user was trying to empty my bank account.
I caught it before any damage could be done, and the registration bomb ended shortly afterwards.
How did you find that one email among 4000 sign up confirmations?
