
Topic   Attempts to hack my Microsoft Live Account

Tony
Triple Gold Good Trader
10-Jan(#1)
I rarely use my Microsoft Live account, but last week I got a notice that somehow I had accumulated enough points to get a $5 gift card. I logged in for the first time in I can't remember and found not only the $5 gift card, but a free $1.25 Amazon gift card. Nice.

This week, I got a notice from Microsoft Live that there had been an attempted log in to my account from somewhere in Germany and Microsoft wanted to know if it was me. I logged in and reported that it wasn't. Then I looked at my history, and ALMOST EVERY DAY there has been at least one log in attempt from Germany, China, or Kansas! They were all refused because of an invalid password, but I couldn't find a way to report those as not being me.

Is this happening to anyone else?
SublimeFan
300 Trade Quintuple Gold Good Trader Gold Global Trader (7)
10-Jan(#2)
Yes. Exact same places, but also Seychelles (which I've never heard of until now)
Anxiouz
900 Trade Quintuple Gold Good Trader
* 10-Jan(#3)
Definitely make sure you have 2FA turned on.

I forget if it was Sony or MS but recently I had an issue logging in on my phone. When using mobile web login screens the iOS autocomplete kept swapping my username anxiouz to anxious (only when I hit Submit so I couldn't catch it). So dumb, but if you've got an easy to fat-finger email address or username there's a chance something similar is happening. If there is just 1 login attempt and not enough to lock your account for a period of time, it doesn't sound super malicious...although you can fake your location. Def suspicious.
Tony
Triple Gold Good Trader
10-Jan(#4)
This isn't the only account that is being hacked. Apparently someone has one of my passwords and is trying to log in to every possible site trying to find my credit card information. It is a good thing I never leave credit card information in any Rewards programs.

A couple of months ago I got a notice from Taco Bell that my account had been used in Texas (I'm in Indiana). I didn't have my credit card information in the account, but I did have a few bucks on a gift card which they used to buy a drink. I wrote TB and they restored it.

A couple of days later, I got a 2 factor authorization e-mail from Popeye's with a code to enter for access when I hadn't attempted to log in.

Today I received an e-mail from Pizza Hut saying there was a successful log-in to my Hut Rewards account. I need to reset the password on that account.
Staraang
Triple Gold Good Trader
10-Jan(#5)
Something needs to be done about improving security for online accounts. Though it's inconvenient I've stopped saving my CC info on most accounts. Between hacking attempts on individual accounts and large data breaches it's just not worth it.
Anxiouz
900 Trade Quintuple Gold Good Trader
10-Jan(#6)
@Tony Yikes, it does sound like you've got something going on. Maybe try https://haveibeenpwned.com/ to see where an email address might have been exposed. The results I get there match where I know I've had exposure.
benstylus
GameTZ Gold Subscriber GameTZ Full Moderator 550 Trade Quintuple Gold Good Trader Gold Global Trader (9) Has Written 26 Reviews
10-Jan(#7)
When they say use a different password on every website you use, this is why.

Tony
Triple Gold Good Trader
10-Jan(#8)
Anxiouz wrote:
> @Tony Yikes, it does sound like you've got something going on. Maybe try https://haveibeenpwned.com/ to see where an email address might have been exposed. The results I get there match where I know I've had exposure.

I saw something in the past year that said my e-mail had shown up in a report on a data breach somewhere, but I didn't worry about it because I don't leave credit card or bank information in any account except PayPal. The most anyone is going to get from hacking a Rewards program is my name and my wife's, our birthdays, phone numbers, and home address. Some of the accounts have a few Rewards points, but other than getting a little free food there is no benefit to logging in as me. Except for the birthdays, address and phone numbers can be obtained fairly easily without hacking an account. I have 5 or 6 common passwords I use for Rewards programs and such, but my banking accounts all have unique passwords.

https://haveibeenpwned.com/ shows my main e-mail has appeared in 20 data breaches. The only one I recognized was Adobe. I use that e-mail address almost everywhere, so it would be a real pain to try to change it.
PizzaTheHutt
GameTZ Subscriber Gold Good Trader Has Written 3 Reviews
* 11-Jan(#9)
I was just out at Texas Roadhouse for dinner and got a text from MS saying someone is trying to access my account.

edit: Logged in and changed my password. Looks like someone from Germany is trying to get in the account every 5-10 minutes and a few failed attempts from Kansas too. They're all using Chrome though and I use Firefox 99% of the time.

Foxhack
350 Trade Quintuple Gold Good Trader
* 14-Jan(#10)
Tony wrote:
> Anxiouz wrote:
> (...) The most anyone is going to get
> from hacking a Rewards program is my name and my wife's, our birthdays, phone numbers,
> and home address.

... that information can be more than enough for someone to social engineer their way into convincing someone at customer support that they're you.

Phone numbers can be cloned / faked, too.

My main email address (the gmail one that still uses my old internet alias) has been found in 19 breaches and 1 paste according to that pwned site. I don't like to use 2FA unless absolutely necessary, so all I do now is make sure the password is extremely unique and impossible to crack via normal means. So, the passwords are now randomly generated and especially vulnerable sites get some that are 15 letters or longer.
John
GameTZ Gold Subscriber GameTZ Full Moderator 450 Trade Quintuple Gold Good Trader Gold Global Trader (13)
15-Jan(#11)
Staraang wrote:
> Something needs to be done about improving security for online accounts.

It's been done. It's MFA. And if you use something OTHER than SMS/texting for the MFA, then it is pretty darn secure.
PizzaTheHutt
GameTZ Subscriber Gold Good Trader Has Written 3 Reviews
15-Jan(#12)
John wrote:
> Staraang wrote:
>> Something needs to be done about improving security for online accounts.
>
> It's been done. It's MFA. And if you use something OTHER than SMS/texting for the
> MFA, then it is pretty darn secure.


I prefer using the Google Authenticator app when possible, but unless I'm mistaken MS doesn't support that (neither does Steam for some reason).
John
GameTZ Gold Subscriber GameTZ Full Moderator 450 Trade Quintuple Gold Good Trader Gold Global Trader (13)
15-Jan(#13)
You can use Google Auth with MS except for the initial setup of tenant admin accounts. For normal folk/accounts, you can use Google Auth -- you just have to tell it a couple times that you don't want to use the MS Auth app. :)
HybridCRoW
GameTZ Subscriber Triple Gold Good Trader Global Trader - willing to trade internationally Has Written 2 Reviews
17-Jan(#14)
You should also make sure your passwords are about 16 characters.... it's now recommended to think of a phrase you'll remember and break it into 16 characters (mixed up w/ alpha, num, symbols).
Tony
Triple Gold Good Trader
17-Jan(#15)
I'm starting to get phishing emails that include my wife's full name. Fortunately, I recognize them as obvious scams.
DarkFact
400 Trade Quintuple Gold Good Trader Has Written 4 Reviews
17-Jan(#16)
I stopped paying attention to all the failed attempts to log in around the world. I also disabled my Microsoft email and put my alias on a Gmail account (which also disabled any incoming emails I got, which threw every 2FA/email authentication service I have into chaos until I got it transferred over). Now, blessed silence. Haven't had my Microsoft 2FA app ping me once. :)
Tony
Triple Gold Good Trader
18-Jan(#17)
HybridCRoW wrote:
> You should also make sure your passwords are about 16 characters.... it's now recommended to think of a phrase you'll remember and break it into 16 characters (mixed up w/ alpha, num, symbols).

It really doesn't matter how complex or "strong" your password is if it has been exposed in a data breach.
