David, a Welsh Microsoft Guy
10 May 2017

My experience of our family e-mail account being hacked

security
personal-growth

So a chance sighting of an e-mail by my wife late Monday evening has uncovered a compromised family BT Internet mailbox. It's actually been quite an interesting (if somewhat stressful!) process to go through, so I figured I'd share our experience over the last three days to hopefully help others in the future.

The e-mail in question was a DPD e-mail saying that they would be providing us a timeslot for a delivery. Now, I have been somewhat click-happy over the last few weeks, so Lucy pings me to ask what I've been ordering now! For a change it's actually nothing, so I go and take a look at the e-mail - it's the family address so I don't sync it to my phone or laptop; it's only the home machine and my wife's mobile that do this.

I log into the BT Yahoo mail portal and there it is, a DPD e-mail relating to a John Lewis order. Curiosity piqued, I then go to the John Lewis site, which has an account that we have not used for probably 4 years or more. I guess at some old passwords, then I reset the password and log into the site.

Looking at the order history my concerns were proven - there were three orders in there, two that look like they had been fulfilled and one that was cancelled. Looking at the account settings there was an address in Newcastle upon Tyne, a mobile number that matched mine bar the final two digits, and a MasterCard on the account. Now I don't own a MasterCard, so at the moment I'm reasonably confident that I've not lost any money (though there is of course a possibility of identity theft that's not manifested itself yet). From what I could see this activity started 5/5/17.

I immediately reset the John Lewis account password thinking it was this that had been compromised and then contacted them to report the fraudulent activity. I also call and email MasterCard to the same end.

I go back into our BT Internet login and for good measure I change the password on the account. By this point it's late and I'm reasonably satisfied that I've done everything I need to do.

The next afternoon following a customer workshop I log back into the BT Yahoo portal and I spot that the e-mail had gone! How on earth had the mail gone?! At this point I'm now worried that the BT Yahoo account has been compromised and that the e-mail has been deleted by the parties responsible for the fraud.

So I now ring BT Yahoo, and after a very, very, very long conversation I eventually get to somebody who believed that I actually had an issue on the account - examples of responses were:

"It's a server error"

"Your account is not hacked, we have a portal that shows if you have been hacked"

"You deleted the e-mail"

And so on. However, after much perseverance I finally get to somebody that would call me the following day (today), and they suggested requesting a restore of e-mails that were deleted. I duly did this and around 5 hrs or so later I started to see evidence of the fraud/hacking in the mailbox - a number of change-of-detail e-mails from John Lewis, following this some orders, and then finally what was hugely concerning for me as an IT professional: a list of circa 3000 individuals, with names, addresses, telephone numbers and in some cases passwords!

At this point I'm just wanting to carte blanche block access to the account, to prevent any further distribution of this information, I get back onto BT and I spend a long, long, long time convincing another person that my account has been hacked and I wanted to block access to it. "Will it be done immediately?" I ask, "yes, yes it will" the person responds, "go for it" I say.

Keeping the support person on the chat window, I then try to log in and I can still log in with the old password rather than the one I changed it to - "oh…. Actually you need to wait 4 hours before the account is blocked" was the following response - really… really?! So after berating the poor support person I leave it at that, but then had a thought - what if I try and reset the password again?

At this point I see a mistake - I managed to change my BTID password, not the BT Yahoo password, previously - the process forks during a number of screens and I must have gone the wrong way at one point. I change my password and I confirm that Outlook will no longer connect to the account. It's just gone midnight and I'm happy in the knowledge that in circa 4 hours the account will be blocked regardless.

Fast forward to this morning - I go and test the login via webmail, and I can still log in?! So another thing to add to the conversation I'll be having with the escalation engineer.

9am - the call happens as promised, but as I suspected (but hoped was not the case), the conversation essentially was: sorry it's happened, are you aware we have been hacked previously and this must be one of those accounts. I felt this was odd as a) we were not notified by BT as many were and b) we were not present on any of the 'check' sites for pwnd accounts. And again... back comes the same advice: please change the password and security question and please pass on any information that is in your mailbox to phishing.com.

I go to phishing.com - no such website, cue an awkward silence and "sorry, it's actually phishing@bt.com".

Interestingly - to date, I've heard absolutely nothing from MasterCard and John Lewis on the subject.

So why am I sharing this with you all? I guess I have some learnings that may well be helpful for others:

  • Make sure you do a regular check of your deleted items and make sure there is nothing suspicious there

  • Be persistent - had I not worked in the industry I believe that I would have just accepted the responses and ultimately would have been none the wiser, so keep pushing if you think there is something wrong

  • Challenge and test what you hear - I feel there is a great deal that could have been done differently by the various organisations I spoke directly to; had I not tested/checked information I would be back into the tortuous loop of contacting somebody with no background

  • In the same vein as above - get case reference numbers, I had to push hard in some instances to get these.

  • Don't forget about accounts - in our case it was a John Lewis account that had been dormant for ages, try to keep on top of accounts that you have created

  • Change your passwords - I'll be honest here, the family one has not changed for a long time and was likely compromised as part of the BT Yahoo compromise but not identified as an account that had been compromised

  • Change the right password! - the password change process on the BT site was not straightforward, pay attention to which part of the service you are setting the password on.

  • Enable two-factor authentication (you can't do this with BT Yahoo though) - this ensures that nobody can access/reset your account without the second factor

  • Report it! I went to everybody I could, these being:

      • I rang John Lewis, they were pretty responsive and gave me a case number

      • I e-mailed stopit@mastercard.com with the relevant details

      • I reported it on http://www.actionfraud.police.uk - I struggled to find the right options so used the chat function to find out exactly which options I should use

      • I've e-mailed phishing@bt.com the content I found in my mailbox

As mentioned, I believe that this started happening 05/05/17; it's now the 10th and I feel incredibly lucky that we have spotted this as quickly as we did - kudos to my wife who, as it turns out, actually does sometimes listen to what I say ;)

And that's it - keep safe, folks!
