Email Scams

That’s very likely where the connections came from.

If you haven’t already done so, I advise you to follow the recommendations given in articles about what to do if you’ve been pwned. Here’s a sample:

1 Like

Any breach makes for a greater likelihood of receiving spam whether email or text. As our usual addresses are often used for many sign-ups and mobile numbers are used as well, it is something we need to expect but not accept. I use disposable email addresses when possible, noting that some sites do not accept disposable addresses. It is becoming more important to submit scam messages to the appropriate authorities and the email companies a person uses. As I noted before, filtering rules can help a great deal and it is easy to set some basic ones, if ever one is unsure they can ask here on the site about some rules and how to set them up as many of us are happy to help.

Found out how it works from one of the victims. She had her email account taken over, they changed the password and used her Contacts list to send emails asking for help. Many different messages, but the most damaging asked for money - gift cards etc - with the number or photo to be sent back by reply. The scammers then got other people’s money.

She’s a bit naive when it comes to technology, so she tried to change her password on Facebook, but her email was 2FA and the scammers used the new password to take that over and contact all her friends with messages of needing money. Her husband tried to help but only succeeded in losing control of his email & FB too. The landline has been ringing relentlessly as people try to make sense of it all.
A little relieved that it wasn’t my breach that caused this. But sad that this chaos is happening to a couple who are pillars of the local community and in every fundraising, not-for-profit endeavour in town.

2 Likes

That is one unfortunate story. Yikes.

Probably a very good reason for not having email for one’s multi-factor authentication.

:open_mouth:

Certainly a very good reason not to have just email address as the MFA recipient. Unfortunately, not all systems even now offer anything other than email or SMS for MFA. If they have MFA at all. :confused:

Some things to do with every account you set up, and with all accounts you currently have:

  • Check for MFA options. If there’s an option to get the code from an authenticator app, and you have a smartphone, use that option. Although a system might specify a particular authenticator app, in practice you can normally use any authenticator app that does TOTP (Time-based One-Time Password). You won’t have to install half a dozen different authenticator apps.

  • If there’s any option to generate pre-set ‘backup codes’ or ‘recovery codes’, use it. These are intended for emergencies when the account’s been compromised, you’ve forgotten the password, you don’t have access to the authenticator app, etc. Store these codes carefully - but not on your phone! Print it/them (without anything identifying the relevant account) and store in a filing cabinet, for example.

@zackarii - a backup/recovery code could have rescued your friend and her husband from the nasty situation they’ve been caught up in. Using a backup code, they could have changed the Facebook password safely when MFA to email had been compromised. Similarly, a backup code on the email account would have allowed changing its password and MFA settings safely.

Recovery codes for Facebook accounts:

Backup codes for Gmail accounts:

Recovery key for Apple IDs:

Many other systems have similar options.

1 Like

In the hands of the naive, MFA may add to the confusion and risk.

What I like about TOTP is that it can be completely offline i.e. if so, it cannot be attacked via technology (at your end). It can of course be attacked via so-called social engineering (and there have definitely been instances of people being tricked into revealing MFA codes).

I’m unclear on how that happened. The mere fact of knowing someone’s email username and password does not automatically get access to contacts. However there are factors to consider:

  • If you store your email on the server (/internet/cloud) (IMAP as distinct from POP) then the hacker does get access to every email that you have sent and received (and retained) and hence can extract some kind of contact list, and even focus on recent and frequent contacts who are more likely to reply.
  • If you use some kind of webmail interface and that interface allows you to maintain your contacts on the server (/internet/cloud) then the hacker may well get access to all your contacts, regardless of whether there is any accessible email to or from that contact.

Both of these are classic security–convenience trade-offs.

My answers are “no” and “no” - but that’s just me. :wink:


Slight digression … where I work, they test out employees with fake scam emails i.e. it is the IT team or the IT team’s security auditor sending out emails that won’t actually compromise you but which are designed to see how many employees will get sucked in, and then allows additional training to be targeted.

So now I have to contend with the many real scam emails and the fake scam emails. :frowning: