A lesson on account security. (Read if you use SquareUp aka Square)
TL;DR If you have a Square account, I encourage you to change your password and add 2-step verification ASAP.
I have a Square account that I use very infrequently. On Saturday night 11/14/15 @ 10:04pm MST I received the following e-mail:
Hello Bogie,
Your email address has been updated. Use your new email address to log in to Square.
Old email: [redacted]
New email: estherbcostawgqj@yahoo.com
Visit the Square Support Center for more information on updating your account settings.
Thanks,
The Square Team squareup.com
Naturally, that new email is not mine, so I immediately assumed it was a phishing scam and was going to ignore it. Just in case, though, I decided I'd verify that it was legitimate and attempted to log into my account using my normal account information. Didn't work. Tried the "recover password" option and "Email is not associated to an account".
So I peeked at the URLs in the email and verified that this was a legitimate e-mail and not a phishing scam, then went about figuring out what happened. Loading the app on my phone, I saw that my e-mail address had in fact been changed:
Oh crap...
I also found that one detail on the account was changed. A phone number was added and it is not mine: 
Shit...
So I can confirm that someone has accessed my account. An account tied to both my checking account and primary credit card.
Fuck fuck fuck fuck
I then attempted to log in using this new e-mail and my original password, which I was successfully able to do.
phew!
I immediately changed the e-mail address to another one of my accounts and changed the password. I also enabled 2 step verification and changed the phone number to my cell.
Knowing that whoever changed the e-mail originally would receive the "Email has changed" notice, I decided I needed to just delete this account as it has already been compromised. So, after verifying that there was no additional activity on the account (I hope) I went through and deactivated the account.
Why am I posting this? Well, I'm pretty secure about my online information and passwords. This is also the first time I've had an account compromised. This leads me to two potential outcomes as to how my account was compromised in the first place. First is that someone identified that I had a Square account and brute forced my password. Second is that Square was compromised and someone gained access to a list of usernames/passwords.
I have been in contact with Square to help try to identify how this happened, in hopes of helping prevent it from happening to anyone else.
Long story short, I strongly encourage anyone who has a Square account to change their passwords and enable 2-step verification ASAP.
@bogie Bummer, I'm sorry that happened... I do thank you for reminding me to do that... :)
I had a similar (less important) account hacked... But it still bugs me... I had a "trial" wow account... and when they opened it up to "free for the 1st 15 levels" someone hacked my Blizzard.net account... I saw the e-mails warning me I was going to be banned but figured they were phishing emails, and I never acted upon them... Well... Good thing I wasn't banned just the account, I let them know later on that it wasn't me, and I figured it was phishing. They said the account must stay banned... Blah blah blah...
tl;dr
I still have a Blizzard account just not my domain's account.
I'm glad you posted about this here, too. We all need a good reminder to check our account security often.
The part that intrigues me is that the password remained the same. Maybe an insecure API that allows updating of profile info without being logged in (or logged in as any user)? Brute force usually ends up locking an account, unless an API is more tolerant. (like hacking yahoo accounts by hammering the POP3 server).
Personally, I use a wildcard account on my email domain and use the domain name as the email address (meh.com@mydomain.com). I can track who sells or loses my email and just blacklist a compromised email address when spam happens (like paypal, via ebay seller).
@anachostic A brute force attack typically won't use the login function of the target host. Instead, it'll work on a list of stolen encrypted passwords to try to find the plain text. THEN the attacker logs in to the compromised account and does the bad deeds.
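The comment above describes the usual shape of a "brute force": the attacker works offline against a stolen hash list and only logs in once a plaintext has been recovered. The following is an added example, not code from the thread or from Square, with a constructed three-user credential table and a constructed six-word wordlist. It shows why fast unsalted hashes let one wordlist pass crack every user at once, and why a per-user salt plus a slow KDF (scrypt here, with parameters deliberately small for the demo) turns that into a separate, expensive search per user. The usernames and passwords are hypothetical.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample: a hypothetical breached credential table. Many breached
# sites stored fast, unsalted hashes; here it is SHA-256 of the password.
# The plaintexts exist only to build the sample; the attacker never sees them.
_SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice": "correct horse battery staple",  # long, not in the attacker's list
    "bob": "letmein",                         # common, in every wordlist
    "carol": "Tr0ub4dor&3",                   # "leet" pattern, also in wordlists
}

LEAKED_SHA256: Dict[str, str] = {
    user: hashlib.sha256(pw.encode()).hexdigest()
    for user, pw in _SAMPLE_PASSWORDS.items()
}

# Constructed attacker wordlist (a real one has hundreds of millions of entries).
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty", "Tr0ub4dor&3", "meh.com"]


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline attack on unsalted hashes.

    Every user's password was hashed identically, so one hash per candidate
    word is compared against *all* users at once via a lookup table.
    Returns (user -> recovered password, number of hash computations).
    """
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


# The defence: a random per-user salt and a deliberately slow, memory-hard KDF.
# Parameters are kept small so the example runs quickly; raise them in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1


def scrypt_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_salted(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """How a site should store credentials: (salt, scrypt(password, salt)) per user."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, scrypt_hash(pw, salt))
    return store


def crack_salted(store: Dict[str, Tuple[bytes, bytes]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same wordlist against salted scrypt hashes.

    The salt defeats the shared lookup table: each candidate must be re-derived
    for each user (stopping at the first hit), and each derivation is slow.
    Returns (user -> recovered password, number of KDF computations).
    """
    cracked: Dict[str, str] = {}
    computations = 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            computations += 1
            if scrypt_hash(w, salt) == digest:
                cracked[user] = w
                break
    return cracked, computations


if __name__ == "__main__":
    fast, n_fast = crack_unsalted(LEAKED_SHA256, WORDLIST)
    slow, n_slow = crack_salted(store_salted(_SAMPLE_PASSWORDS), WORDLIST)
    print("unsalted SHA-256:", fast, "after", n_fast, "hashes")
    print("salted scrypt:   ", slow, "after", n_slow, "scrypt derivations")
```

Running it, both stores give up "bob" and "carol" to this tiny wordlist, but the unsalted table needed only six SHA-256 computations for all three users, while the salted store needed fourteen scrypt derivations, each orders of magnitude slower. With a realistic wordlist the gap is what separates "every weak password in the dump, in minutes" from "a few of them, eventually". Whatever is recovered is then tried on other sites, which is the password-reuse risk mentioned further down the thread.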
@anachostic Yeah. After about an hour of not knowing what to do, I figured I'd give the login a chance just to see. I was surprised that I got access. My assumption is that they were hoping for a more widely used account/funds. Though, honestly, I don't know what you can gain from getting access to the account other than the last 4 digits of a CC.
Curses! Foiled again.

Other helpful tips:
Don't reuse passwords. Otherwise a breach from one site can lead to you getting hacked on other sites that would normally be secure.
Related to that- password managers are a great idea.
Keep your computer/mobile device secure & up-to-date- the best passwords and website security can't help you if your computer or device is compromised.
Finally, if you're worried, want extra security, or for any other reason, make sure your primary email account is well-secured- if you need to reset a password or make an account change, things will be going there, and given the amount of stuff in there, an attack on your primary email or recovery address(es) would work just as well to get access to an account.
@dashcloud - Are some password managers better than others? I always suspected it was a bad idea to give anyone access to all of your passwords, but I can see now that it makes sense to use a manager. Not sure where to start.
@KDemo Yes, but sometimes it means they're better because they offer you more features like syncing across devices, and mobile versions.
If the passwords aren't stored on your computer, or you decide to use one of the syncing features, you're making a value judgment that the company or group you chose can do security better than you can (also, the actual password itself should never be saved on their servers- just a representation of it).
On the password manager side:
1Password
LastPass
are both strong recommendations.
If you only have one computer, and don't need anything for mobile (or have nothing in common between mobile & desktop), you could use the builtin password manager for your browser of choice.
If you're worried about someone with physical access to your computer/device getting to your passwords, every password manager offers the ability to have a master password that you use to protect the rest of them (it won't stop a dedicated attacker, but that's a fairly unlikely scenario for most people).
@dashcloud - I have a desktop and old iPad, so I will try one of the managers you mentioned. Having been burglarized, I would always want that master password. Thanks so much for the info!
@dashcloud I started using LastPass. Still have some concerns when using 3rd party devices (Friends/family PC as an example).
@Bogie Use Private Mode/Incognito on the browser, and have two-factor authentication setup on those accounts- although if you're not sure you can trust a computer, better to not use it.
@Bogie Manage which devices can see which passwords by using the Identities feature and saving the password or PINs for mobile/tablets.
It is some work to setup - LastPass doesn’t make it easy to find or use. They’d rather sell more separate accounts and you pay to “share” between them. But it works great for the “family computer”, the kids’ phones, and tablets around the house. And we use Yubico 2-factor on top of that.
The big problem with LastPass is that it is truly a master password that protects everything. So there is no extra layer for sensitive passwords (email, bank, etc) vs random website accounts. Just enter your master password again. Well, if the bad guys already hacked/know it, typing it in again isn’t going to stop them, or on a new computer you don’t know about. And if you make it a strong password, typing it in over and over makes you want to use something easier to type (and thus crack) - which is my main reason for using LastPass 2-factor (which is not free, btw).
There is also an interesting alternative, BitWarden, that also lets you host your own password Vault.
As a CISSP, I have a vested interest in using security everyday, and the impact from account takeovers is my #1 threat, since every website wants you to have an account and so much of our financial lives are online - bank accounts, 401k, healthcare, and all the web stores we “store our credit cards” with to make them easy targets to defraud.
In the end, we all have to pay for that fraud, just like the Republicans are looking at our Earned Benefits (Social Security & Medicare) to pay for the trillion-dollar tax cut rip-off for the 1% (over $500K/yr).
This seems an appropriate moment to link to this awesome password-related cartoon:
https://xkcd.com/936/
Many of you have already seen it: the illustrated suggestion that a random 4-word phrase will be more memorable and less susceptible to brute-force attacks. "correct-battery-horse-staple" is a better password by both measures than "Tr0ub4dor&3"
@dashcloud is right: Don't reuse passwords. Use a manager. Secure it with a password and a thumbprint if your device supports both, and consider a longer password that's easier on you and harder on the bad guys.
And check out the cartoon above. Tee hee....
@2palms This is better than most people's password schemes, but is a known technique and easier to crack than one would think (that's not to say that it's strictly easy, however). Best method still seems to be truly randomized characters and a password manager.
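Both of the last two comments are about the same number: how many guesses an attacker who knows your scheme needs. The comic's figures (about 28 bits for "Tr0ub4dor&3" and about 44 bits for four words from a roughly 2048-word list) already assume the attacker knows the technique, which is the point made in the reply above. This added example, not from the thread or the comic, puts the arithmetic into code: entropy from list size and word count, worst-case time at an assumed offline guess rate of 10^10 per second against a fast unsalted hash (an assumption, not a figure from the page), and a generator that picks words with the CSPRNG. The eight-word DEMO_WORDS list is constructed for the demo; a real diceware list (such as the EFF long list) has 7776 words.

```python
import math
import secrets
from typing import Dict, List

# Constructed wordlist for the demo. A real diceware list has 7776 words;
# use one of those, not this, for an actual passphrase.
DEMO_WORDS: List[str] = ["correct", "horse", "battery", "staple",
                         "meh", "square", "bogie", "forum"]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret built from `symbols` independent, uniform random picks.

    This is the attacker-knows-the-scheme figure: a four-word phrase is worth
    4 * log2(list size) bits, not the bits of its 25-odd characters.
    """
    return symbols * math.log2(choices_per_symbol)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given offline guess rate."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(wordlist: List[str], n_words: int, sep: str = "-") -> str:
    """Pick words with secrets (CSPRNG); words you pick yourself are not uniform,
    so the entropy estimate above would no longer apply."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_schemes(guesses_per_second: float) -> Dict[str, float]:
    """Entropy in bits for a few schemes, assuming the attacker knows each one."""
    return {
        "4 words, 2048-word list (comic's ~44 bits)": entropy_bits(2048, 4),
        "4 words, 7776-word diceware list": entropy_bits(7776, 4),
        "6 words, 7776-word diceware list": entropy_bits(7776, 6),
        "11 random printable ASCII chars (95 symbols)": entropy_bits(95, 11),
    }


if __name__ == "__main__":
    rate = 1e10  # assumed offline rate against a fast unsalted hash
    for name, bits in compare_schemes(rate).items():
        days = seconds_to_exhaust(bits, rate) / 86400
        print(f"{name:48s} {bits:5.1f} bits  ~{days:.3g} days to exhaust")
    print("sample (demo list only):", generate_passphrase(DEMO_WORDS, 4))
```

At the assumed rate, 44 bits is exhausted in about half an hour and 51.7 bits (four diceware words) in a few days, while six diceware words (about 77.5 bits) or eleven random printable characters (about 72.3 bits) take many thousands of years. So the comic's advice holds, but only with a large list, enough words, and random selection; that is consistent with the reply's preference for a manager-generated random string, which just pushes the symbol count up without asking you to remember it.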
I was surprised to see I didn't have 2-factor on already. Thanks, I turned it on now.
Here: https://squareup.com/dashboard/account
Also, @Bogie & @dave have mentioned 2-factor for Square. But really, most of your important accounts probably offer 2-factor auth. Turn it on. On all of them. ASAP.
Gmail does. Paypal does. Your bank probably does. I guess Amazon used that money to buy Woot instead, because they do not for whatever reason. Enable it wherever you can.
@brhfl It totally bugs me that Amazon doesn't. Especially since they're a common target by hackers. Facebook and Apple do, as well, to add to that list.
@brhfl @dave
They must be reading the meh forums.
http://www.theverge.com/2015/11/18/9753888/amazon-two-factor-authentication-2fa
@Ignorant Oh, shit! Thanks for the heads-up.
@Ignorant Look at what we did! Good jobs guys @dave @brhfl!
@Ignorant @Bogie @brhfl Ha! That's awesome, I've got it on now.
I had something like this happen with my ATT cell phone account. I also put 2 step verification in place as a result.
@AnnaB I got a good tip to add a separate verbal passcode to AT&T, because people can otherwise call in and get your number forwarded to their number, which basically ruins all 2-factor security.
2FA All The Things!
https://twofactorauth.org/
Or at least as many as you can for now.
Thanks for sharing! I've had my Square account for years now and it's been dormant for years as well. This morning I got an email notification that my account was logged into from India. I immediately logged in and changed my password and enabled 2-factor authentication. So as some have said, I'm convinced Square was compromised and accounts were exposed. What I'm most upset about is Square hasn't shared this information with its customers. Totally irresponsible.