Somebody Big Has Been Hacked

...and they don't even know it, yet.

Normally, when there's a big data breach we read about it.

But I believe that either Amazon, Microsoft, or PayPal has been compromised and doesn't realize it, yet.

There's a username/password combo that I only use on those sites, and I last changed the passwords on those accounts a few months ago.

I'm also very careful about what websites I visit and never fall for phishing or other attempts to get my information. I trust no one.

I got an email from PayPal, today, about a new sign in. I closed my browser, opened it again, went to PayPal and didn't see any evidence that someone had been there-- but I changed my password and added 2 factor authentication, just in case.

I did the same for Amazon.

In my Hotmail account I checked the activity log and saw a device in my list that didn't belong to me. It's been trying to sync my email account for 3 weeks (unsuccessfully). It was definitely logged in, though.

I deleted the device and changed my password.

Since the compromised password was fairly new and I know how obsessive I am about protecting it, I have to believe that one of those 3 sites has been breached.

As a precaution, I would suggest that y'all change your passwords, there, as well-- just to be safe.

Just curious if you used PayPal to purchase the battery from AliExpress. If so, interesting that the email from PayPal came not long after, but who knows, for that would not account for the device trying to sync you email account.

No, I didn't. And the activity in my email account had been going on for several weeks.

To give you an idea of how careful I am, I've been using computers since before they had hard drives and I've never had a virus. Ever.

And I'm just add careful when it comes to usernames and passwords.

There are dedicated white hat hacking journalists that focus on these kind of breaches. It may be worthwhile reaching out to some of them.

Maybe this?

Reading through Krebs always gives me the willies. Seems Microsoft has been pushing tons of security patches for windows the past few months. They claim none exploited but it wouldn't be the first time they were wrong about that.

Maybe checking your email address(s) at "Have I Been Pawned" may help.
Example:
"ShareThis: In July 2018, the social bookmarking and sharing service ShareThis suffered a data breach. The incident exposed 41 million unique email addresses alongside names and in some cases, dates of birth and password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by dehashed.com.

Compromised data: Dates of birth, Email addresses, Names, Passwords"

https://haveibeenpwned.com/

Thanks for the website @Isamorph

Thanks, @Chelle. I hope these companies are not storing passwords in clear text. My understanding of hashed passwords is they are only vulnerable to brute force attack. Good idea to enable 2-factor authentication. I use Authy instead of SMS where supported.

Not too long ago I started a setup similar to the video down below (its a random video and not me personally). I dont trust 2FA with email or text, because of "man-in-the-middle" attacks and while authentication apps are decent, I was looking for something more secure than that. Let me know if any of yall are interested in doing the video down below and I can give my advice about it. There is a small correction when he mentions $10, its per YEAR not per month. Also sorry about that clickbait title, it is still possible to hack accounts, its just much harder and would need a more direct approach like brute-force or sniffers.

As he has warned, it is so secure that it is disastrous to lose/break the key and backup password.

You reiterate an important point, and thankfully both password managers and the YouTubers alike emphasize on the significance of this. It boils down to this: Security is only as strong as its recovery options.