DEV Community

Cover image for I Was Hacked: What I’ve Learned Since

I Was Hacked: What I’ve Learned Since

William Baptist on May 10, 2023

It was Easter 2018. I was still in high school, and like many teenagers, I was a bit reckless. I signed up for a website that promised safety, unaw...
Collapse
 
spo0q profile image
spO0q 🐒

I thought I had taken all the necessary precautions and followed the cybersecurity protocols I had learned in college. But as it turns out, all it takes is one small mistake to compromise your entire digital defensive framework.

Happens all the time.

Very nice share. Although, I would not recommend the "teasing strategy" to everyone, especially beginners.

Sometimes, there's no need for it. You'll be attacked by some random kiddies or more advanced fuckers (sorry for my language, but I've no consideration for these guys).

Don't feed the troll, as you don't know who you're dealing with and whether the cybercriminal takes it as a game or not.

In my experience, defense in layers works with such adversaries, but it's not bulletproof. Nothing is. In any case, have a good security hygiene and do everything you can to protect what is valuable to you (threat model) while keeping things simple and a normal life.

Collapse
 
baptistsec profile image
William Baptist

Thank you for the contribution to the article I agree with your perspective. From the point of view of a researcher; it's just in my nature to bait so I can learn, but for most people, you're absolutely right that it's a step too far.

Collapse
 
spo0q profile image
spO0q 🐒

I understand your curiosity. However, even as a researcher, it's a dangerous field. Don't get me wrong. I love these topics too, but like the movie says "you see them, they see you" ^^

I've see many professionals using honeypots but with strict rules and compartmentalizing.

Collapse
 
mikec711g profile image
Michael Casile

I try (often futilly) to control my languange, but these types tend to bring out the worst in me as well.

Collapse
 
ravavyr profile image
Ravavyr

Creating fake accounts and all that is just too much freaking work.
Also, 99.9999% of hacks are due to a bot finding something stupid you did some time ago that you forgot about. You can patch it and move on, it's not a nightmare scenario.

A nightmare scenario is a hacker who stalks you, tracking any and all your info just to screw with you every chance they get.
You know how you end up there? By honeypotting them, teasing them, annoying them.

The average joe is better off just using 2-step auth, changing their passwords periodically and trying not to reuse the same passwords in multiple places.

Every time someone tempts hackers, they get hacked. That's the name of the game.

Collapse
 
jnareb profile image
Jakub Narębski

I checked sites like haveibeenpwned.com regularly for every email I use.

You can also subscribe to notification on this site (assuming that you own the email in question). This is the only way to get information about being in sensitive breaches.

Provide your phone number so you can receive a verification code via text message or set up an authentication app, such as Google Authenticator or Authy.

Even better than using SMS (not that safe because of SIM-swap attacks, and phishable, but better than nothing), or OTP (better, but still phishable), is to use U2F hardware key like FIDO.

Collapse
 
ianowira profile image
Ian Owira

I just thought about it now, but wouldn't it be much safer to just remove your card information from site like amazon, that way you if your account gets compromised you won't have to go through the headache of getting refunded.`

I also find that updating passcodes 12-6 months of the year for sensitive accounts goes a long way.

Collapse
 
rachelfazio profile image
Rachel Fazio

Wonderful article with super great tips, thank you for sharing!

Collapse
 
calcioitalia profile image
Football Italia Foro • Edited

You seem to have a lot of email accounts. What solution do you use to store their passwords?
Browsers only store them in plaintext afaik so i'm looking for a solution.
Passbolt is good in a corporate environment where you can host it on prem but i'm looking for something more suited for a home network.

Collapse
 
baptistsec profile image
William Baptist

I've honestly never used a password manager before, I tend to save passwords in files on a USB

Collapse
 
codenerd profile image
Hiro

I use Passbolt to manage my private passwords along with my teammates. However, this is not a good fit for personal use. There are some options like LastPass, KeePass, Dashlane and Bitwarden. Google these password managers and find out your best choice. 😎

Collapse
 
calcioitalia profile image
Football Italia Foro

Thanks! I'll check out those suggestions.

Collapse
 
millebi_41 profile image
Bill Miller

I'm surprised that nobody mentioned to NOT give valid information for sites that insist on it, like Birth-date. No site (other than potentially a financial/banking site) needs to know your actual birth-date, especially social media sites! I give no accurate information to any site that doesn't actually need the information. This also give a weak oracle for a spear phishing attack as you would hopefully put unique information in each site; which gives a hint to you for which one was compromised.

Collapse
 
baptistsec profile image
William Baptist

That's a really good point that I missed in the article. You don't owe any company your information.

Collapse
 
janar profile image
Janar Jürisson

I got scared this year when someone accessed my old e-mail account and turned on two-factor for LinkedIn (with their phone number). So I was not able to log in anymore. I surely had not updated that e-mail password for a while and it's probably pwned. I had that e-mail also connected to my LinkedIn account.

Luckily LinkedIn had a very good recovery process involving sending government ID documents and everything resolved within minutes.

Collapse
 
dmuth profile image
Douglas Muth

This way, hackers would be drawn to these fake accounts instead of my real ones, providing an additional layer of protection.

I don't think that's going to help--any reasonably sized attack is going to be automated. The work spent creating extra accounts and trying to make them look "enticing" will take longer than than the CPU cycles that add one more account to the list of accounts to try and phish.

The suggestion of using 2FA is an excellent one, however. I wish everyone did that.

Collapse
 
barthcyber profile image
BARTHOLOMEW SHEKARI

Awesome share. Keep it up

Collapse
 
eternal21 profile image
Eternal21

I'm not clear from the article how exactly you got hacked?

Collapse
 
justplayerde profile image
Justin K.

I agree to most parts of this article, but i wouldn't recommend using SMS 2FA if other methods are supported because of SIM swap attacks