Please help, account hacked

[LittleArrow]

Maybe someone can explain this to me, I don't understand how they were able to get his account even though he had an OTP. He just got email confirmation to remove the OTP and that confirmation number was never put in. They still took it off and got his account.

[Thoosa]

Maybe someone can explain this to me, I don't understand how they were able to get his account even though he had an OTP. He just got email confirmation to remove the OTP and that confirmation number was never put in. They still took it off and got his account.

That doesn't make sense to me either, if the attackers tried to log onto the official site to reset his account, they would have been asked for a one time password which they wouldn't have had?

[Espon]

When you log into a fake website, it asks for your OTP. Once you hand over your info, the website then immediately logs into your account and removes the OTP and sticks a new one on to keep you out of your account. Yes, the OTP changes every minute, but they only need that minute if you accidentally hand that number out.

[LittleArrow]

When you log into a fake website, it asks for your OTP. Once you hand over your info, the website then immediately logs into your account and removes the OTP and sticks a new one on to keep you out of your account. Yes, the OTP changes every minute, but they only need that minute if you accidentally hand that number out.

Yes I understand that, but to remove it they need the confirmation which is only sent to the email which we got. I don't understand how they can remove it if they don't get the confirmation code to remove.

[Mosha]

Yes I understand that, but to remove it they need the confirmation which is only sent to the email which we got. I don't understand how they can remove it if they don't get the confirmation code to remove.

did he use the same password for both email and his SE account?

[DanielNegreanu_Adamantoise]

So they got his email too?

[Espon]

Yes I understand that, but to remove it they need the confirmation which is only sent to the email which we got. I don't understand how they can remove it if they don't get the confirmation code to remove.

They don't need the email. Logging into the account gives them the emergency removal code which they can then input to remove your OTP.

[Lieri]

Change the email password. It's more important especially if it's work/business related.
It could be that they managed to get into the email but marked it as unread after reading it.
For the things that were stolen the GM will probably return it and ban the hacker. They have the logs.
I don't think the hacker will destroy the house or release the plot. If anything they will see it as $.

[DanielNegreanu_Adamantoise]

I really have a hatred for the use of secret words, they are a security anti-pattern.

What road did you grow up on? Mom’s maiden name? Impossible to figure that info out! Right??

Well I’m hoping having your email secured is enough to get everything restored.

It should always be secured by the email account and/or phone number. If you can change the password on an account without those… smh.. the SE should stop whatever they are doing and fix that. And ditch “secret words” while they are at it..

[Valkyrie_Lenneth]

I really have a hatred for the use of secret words, they are a security anti-pattern.

What road did you grow up on? Mom’s maiden name? Impossible to figure that info out! Right??

Well I’m hoping having your email secured is enough to get everything restored.

It should always be secured by the email account and/or phone number. If you can change the password on an account without those… smh.. the SE should stop whatever they are doing and fix that. And ditch “secret words” while they are at it..

It's a lot harder if you haven't plastered yourself all over social media