I got hacked recently

Blog, 14 February 2024

I want to share a recent story with you. I will not reveal the name of the company, for two reasons. 1) I'm not sure that would be legal on my part. 2) They were kind, they helped, they gave back what was stolen from me, and I now have an option that makes me safer.

So what happened?

It was the 1st of November, 2023. We had finished lunch and started getting ready to visit some longtime friends. It's the time of year when we go back to Hungary, and we always try to meet this other family. Our kids love theirs, and they were very excited. I was also excited, and a bit stressed. Excited to meet them, and stressed because I had received a strange e-mail. Clearly spam: some unwanted advertisement in a language I couldn't recognize, under the Updates category of my Gmail account.

Okay, I wouldn't have felt stressed because of one spam message that slipped through. But I started to get one or two every single minute. It was a lot. In the beginning, I tried to delete them one by one. Then that seemed useless. They just kept coming in. None of them was in English.

I had access to my account, I was definitely not hacked in that sense. I had no idea what was going on.

I deleted a bunch of emails every few minutes.

Meanwhile, we arrived at our friends' place. I showed them what was going on and apologized for dealing with it during the visit.

Then after about one and a half or two hours, the mails stopped.

I deleted most of them and I didn’t care anymore about this incident.

About a month later, I read about some changes to a loyalty program that I'm part of, where I had collected lots of points over the last 10 years. Their worth isn't obvious to state, but buying that many points would cost about 2000 euros.

I logged in and saw that I only had a fraction of the points I should have had.

My first thought was: wow, that's a big change. They must have changed the value of the points. But then I looked at the awards and realized that their cost hadn't changed significantly. Okay, inflation is high, but not that high. Then I saw that a Slavic female name had been added to my account as a family member, and basically all the points I had up until then were transferred to her on the 1st of November.

What the hell?!

I immediately remembered what happened on that day.

First of all, I tried to remove her, but I couldn’t find any options to do so.

Then I looked into my e-mails and my deleted e-mails. Among those 300 e-mails I found two from this loyalty program. One was about a family member having been added, and the second was about the transfer of my points, worth about 2000 euros. I received both less than a minute apart.

They flooded my mailbox with hundreds of e-mails, then they logged in with my password and performed those two actions. They didn't change my password, they didn't take over my account; that was not their goal. I think they wanted to stay incognito as long as possible.
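The flood described above is a recognisable pattern: a burst of junk timed to bury one or two genuine notifications. The following Python script is an added example, not code from the original post, that shows how a defender can detect such a burst in a mailbox and surface the mail from trusted senders hidden inside it. The mailbox, the sender domains and the timings are all constructed for the demonstration; the burst window and threshold are assumptions to tune for a real inbox.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Message:
    received: datetime
    sender: str
    subject: str


def constructed_mailbox():
    """Constructed sample, not a real mailbox: 120 junk mails arriving every 40 seconds,
    with two genuine notifications from the loyalty programme buried in the middle."""
    start = datetime(2023, 11, 1, 13, 0, 0)
    msgs = [
        Message(start + timedelta(seconds=40 * i), f"promo{i}@junk-sender.example", "Oferta")
        for i in range(120)
    ]
    msgs.append(Message(start + timedelta(minutes=15),
                        "noreply@loyalty-programme.example",
                        "A family member was added to your account"))
    msgs.append(Message(start + timedelta(minutes=15, seconds=30),
                        "noreply@loyalty-programme.example",
                        "Your points transfer has been completed"))
    return sorted(msgs, key=lambda m: m.received)


def find_bursts(messages, window=timedelta(minutes=10), threshold=10):
    """Return merged (start, end) intervals in which at least `threshold` messages
    arrived within some `window`-long span. Messages must be sorted by time."""
    times = [m.received for m in messages]
    bursts = []
    j = 0
    for i, t in enumerate(times):
        # advance j to the first message outside [t, t + window]
        while j < len(times) and times[j] - t <= window:
            j += 1
        if j - i >= threshold:
            start, end = t, times[j - 1]
            if bursts and start <= bursts[-1][1]:
                # overlaps the previous burst: extend it instead of opening a new one
                bursts[-1] = (bursts[-1][0], max(bursts[-1][1], end))
            else:
                bursts.append((start, end))
    return bursts


def notifications_in_bursts(messages, bursts, trusted_domains):
    """Surface mail from trusted sender domains that arrived inside a burst: that is
    exactly the mail a flood is most likely trying to hide."""
    hits = []
    for m in messages:
        domain = m.sender.rsplit("@", 1)[-1].lower()
        if domain in trusted_domains and any(s <= m.received <= e for s, e in bursts):
            hits.append(m)
    return hits


if __name__ == "__main__":
    mailbox = constructed_mailbox()
    bursts = find_bursts(mailbox)
    for start, end in bursts:
        print(f"burst from {start:%H:%M:%S} to {end:%H:%M:%S}")
    for m in notifications_in_bursts(mailbox, bursts, {"loyalty-programme.example"}):
        print(f"{m.received:%H:%M:%S}  {m.sender}  {m.subject}")
```

The sliding window runs in linear time over a time-sorted mailbox, so it is cheap enough to run over an IMAP export or a mail gateway log. The useful part is the second function: rather than deleting the burst wholesale, it pulls out anything from accounts you care about that landed during the flood.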

I changed my password.

Furious anger was what I felt.

I tried to contact the helpdesk through different channels. In fact, I contacted them both via chat and by phone. It took some time, I got transferred a couple of times, and it was evident that they were not ignoring me, yet they couldn't really solve the problem; they couldn't even remove that "family member". In the end, they told me they couldn't help me on the spot: I should send all the details to their auditing department, and they would get back to me.

So I sent them every detail, with some unsolicited advice. I'll say again that I was furious, but not with them, and it didn't show in the mail. Those agents and the audit department wouldn't have deserved it.

In about 2 months, I got a response: they had investigated my case and found that a valid password had been used. They explained to me how fraudsters usually get passwords. At the same time, they reminded me of the terms and conditions of the programme, but despite those they decided to reimburse me on an exceptional basis. They also explained to me how I could activate two-factor authentication.

That’s nice and dandy, I got what I wanted.

But what went wrong?

First of all, I don't think they were simply being nice. According to my wife's quick research, in such cases companies often have to pay much more to their members if they are taken to court. But that was certainly not my goal.

So what else?

There is very little chance that I have malware or that I clicked on a phishing e-mail. It's not ruled out, but it's not very probable. On the other hand, before I contacted the helpdesk, I did find evidence of a data breach affecting this company around the same time I got hacked.

It's a fact that customers' personal data was exposed around the same time. They claim the attack was stopped in time, even though experts were not so sure about it. Was my case part of this? I cannot know. But I would have expected broader action: notification, or even a mandatory password reset.

What stunned me is that it's possible to initiate operations such as adding a family member or transferring points to someone without any additional authentication. Even if you subscribe to a free newsletter, you receive an e-mail with a confirmation link. But you can transfer points worth 2000 euros without any confirmation whatsoever? Not to mention proper multi-factor authentication…
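The control missing here is step-up confirmation for sensitive actions: a password-only session should be able to look at the balance, but adding a family member or moving points should park the request until the account owner confirms it out of band, the same way a newsletter signup does. The Python service below is an added example, not the loyalty programme's code, of that pattern: sensitive actions return a single-use, MAC-protected, time-limited confirmation token (which a real system would e-mail) and only run when the token is presented. The action names, the family-member restriction on transfers and the 15-minute validity are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Actions that move value or change who controls the account. They never run on a
# password-only session; they are executed only after an out-of-band confirmation.
SENSITIVE_ACTIONS = {"add_family_member", "transfer_points"}
CONFIRM_TTL = 15 * 60  # seconds a confirmation token stays valid (assumed policy)


class LoyaltyAccounts:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock, so expiry can be tested
        self.key = secrets.token_bytes(32)   # server-side secret for token MACs
        self.accounts = {}                   # user -> {"points": int, "family": set}
        self.pending = {}                    # token id -> (user, action, params, issued)

    def create(self, user, points):
        self.accounts[user] = {"points": points, "family": set()}

    def request(self, user, action, params):
        """A logged-in session asks for an action. Sensitive ones are parked and a
        single-use token is returned (in production: sent to the account's e-mail)."""
        if action not in SENSITIVE_ACTIONS:
            return self._execute(user, action, params)
        token_id = secrets.token_urlsafe(16)
        mac = hmac.new(self.key, token_id.encode(), hashlib.sha256).hexdigest()
        self.pending[token_id] = (user, action, params, self.now())
        return f"{token_id}.{mac}"

    def confirm(self, token):
        """Run a parked action. Refuses forged, reused and expired tokens."""
        token_id, _, mac = token.partition(".")
        expected = hmac.new(self.key, token_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("bad token")
        entry = self.pending.pop(token_id, None)   # pop first: tokens are single use
        if entry is None:
            raise PermissionError("unknown or already used token")
        user, action, params, issued = entry
        if self.now() - issued > CONFIRM_TTL:
            raise PermissionError("token expired")
        return self._execute(user, action, params)

    def _execute(self, user, action, params):
        acct = self.accounts[user]
        if action == "view_balance":
            return acct["points"]
        if action == "add_family_member":
            acct["family"].add(params["member"])
        elif action == "transfer_points":
            if params["to"] not in acct["family"]:
                raise PermissionError("transfers only to confirmed family members")
            amount = params["amount"]
            if amount > acct["points"]:
                raise ValueError("insufficient points")
            acct["points"] -= amount
            dest = self.accounts.setdefault(params["to"], {"points": 0, "family": set()})
            dest["points"] += amount
        else:
            raise ValueError(f"unknown action {action!r}")
        return acct["points"]


if __name__ == "__main__":
    svc = LoyaltyAccounts()
    svc.create("owner", 100_000)
    token = svc.request("owner", "add_family_member", {"member": "new_member"})
    print("family after request only:", svc.accounts["owner"]["family"])   # still empty
    print("family after confirmation:", svc.confirm(token), svc.accounts["owner"]["family"])
```

Note that the password-only session never gets to change state for a sensitive action: with a stolen password alone, the attacker can only generate a confirmation mail to the real owner's inbox, which is precisely the notification the flood in this story was meant to bury, and which two-factor authentication at login would make harder to trigger in the first place.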

I'm happy to use multi-factor authentication and I activated it gladly. I don't know when it was added to this program, but now it's activated and I feel safer.

I don’t know yet if I should take legal action and if so how. I hope the auditing department can help me.

The moral of this story?

To me there are three important points:

  • Use multi-factor authentication for accounts where money is involved
  • If something feels like an attack, it's probably an attack. Take your time to investigate.
  • Don’t just accept things, but try to get back what you lost.

Has something similar ever happened to you?

This post is licensed under CC BY 4.0 by the author.