I read Cody Brown’s blog post about getting hacked on Thursday of last week. I feel very badly for Cody and plan to send him some BTC once I get access back to my account. His post helped me avoid his fate.
I woke up Friday morning (central european summer time) and saw a bunch of emails in my inbox suggesting that suspicious activities were happening in my personal gmail account, my mobile phone account, and my two factor service.
I immediately thought “that’s the same attack pattern that Cody wrote about” and I was able to get to Coinbase and have them lock down my account immediately. The good news is nothing appears to have been taken from my Coinbase account although I don’t currently have access to it right now and thankfully nobody else does either.
Without getting into the specifics, I would like to tell everyone five things I learned from this awful experience:
- Call your cell phone provider and put a “do not port under any circumstances” hold on your phone number. I did this about six months ago and I think it may have saved me. It is way too easy to port a phone number and once a hacker has your number, they have access to two factor codes coming via SMS.
- Put two factor on everything you can. I did not have it on my old and dormant gmail account which is partially why it was vulnerable. Obviously I have it on there now.
- Check your password recovery settings on all of your accounts (even old and dormant email accounts) and make sure they are secure accounts (locked down phone numbers (#1) and secure email accounts (#2)). Once a hacker has access to one of your old email accounts, they can impersonate you digitally.
- Use Google Authenticator for two factor on your phone. I have used SMS and Authy in the past and my research yesterday suggests that Google’s Authenticator is the most secure of the two factor options out there right now.
- I keep almost all of my Bitcoin in Coinbase’s vault service which requires 48 hours and multiple approvals to make a withdrawal. If the hacker had gotten into my Coinbase account, they would have been able to take my Ethereum and a small amount of Bitcoin, but not most of it. I believe Coinbase should evolve their vault offering to handle all of the crypto assets they support, or possibly make the two day withdrawal/multi-sig feature available to all of their wallet offerings.
I am still a bit shaken up from the experience and a fair bit more paranoid from it. Which is a good thing I’m sure.
I hope my sharing this with all of you helps you make your online life a bit more secure because there are a lot of bad people out there working hard to hack into your accounts and do bad things.
