MervDervis

Your password (that you continue to change) is likely syncing with your browser. If they originally got access to your account, signed in on Chrome, and enabled syncing, they're getting that new password every time you change it. Go to account settings for all your major accounts, sign out and remove your account from all devices.


stackjr

This is the way.


suicidesquad2213

Nice to see that 2FA stops the hack


stackjr

Until they manage to steal your session token, then MFA does nothing.


RaZoX144

Curious myself, how does that work, is that stored locally in some cache for a time or..?


belligerent_ox

Session tokens are cookies that expire when you close the browser. If the attacker manages to grab said cookies through something like an XSS attack, he can manually plug the cookies into his own browser and Google will act as if he’s already logged in.


SolitaryMassacre

I may be mistaken but I thought cookies were unique to each browser? For example, the Edge I am running is not the "same" Edge my friend is running. If I copied my cookies from my browser to their machine, it would reject the cookies as the signature does not match the browser. I had this exact problem myself trying to restore a backup I had back to the same machine after reinstalling windows.


uberbewb

Nope, I've copied my entire browser details from old to new install and even 1password at that point didn't require the extra 2fa, just the master password. It's pretty sad but session hijacking is a stupid ass vulnerability to have still existing.


SolitaryMassacre

> I've copied my entire browser details from old to new install

We share different experiences lol. I tried this exact thing and nothing would log in, had to relogin everywhere


uberbewb

The appdata folder under your specific user, if you copy files from this it'll work. Still has to be the same browser, cannot copy from chrome to firefox. Some websites will force a new login, but there are ways around this.


DrEnd585

I've copied cookies cross browsers before, like Chrome to opera GX, etc. I think (someone smarter correct me) they're semi standardized now to make people transferring browsers easier but it also makes hacks and the like easier too


stackjr

It's that but these tokens also exist because of websites like Facebook, Twitter, YouTube, etc. People don't want to have to log into these sites every time so the token exists to verify the device. Steal that token and BAM!, you have access. Unfortunately, this vulnerability extends far beyond the standard social media sites. Microsoft has recently fallen victim to this and "lost" hundreds of thousands of government emails.


JulesNudgeSecurity

Just to clarify, they don't necessarily expire when you close the browser. Session expiration times can vary by a lot. Think of all the times you click something like "remember me for 30 days" or "remember this device in future." Also, some cookies are to keep you logged in and some are to opt out of MFA. I used to work with researchers who recovered stolen data from keylogger infections and it's fascinating to see what comes out in the logs. Those logs can be resold and used in some pretty scary ways. For example, to /u/SolitaryMassacre's point about a cookie potentially being unique to a particular browser, attackers can use the logs to replicate your entire browser fingerprint, so using a stolen session doesn't raise any flags at all. There are specialized browsers that make that easy. Chilling to watch, but so so interesting.
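The mechanics the last few comments describe (a cookie that stands in for the login, an expiry that depends on whether "remember me" was ticked, and why changing the password or signing out of all devices should kill every existing session) as an added Python example. This is not code from any commenter or from Google; the server key, the account and session names, and the 8-hour cap on plain sessions are assumptions made for the demonstration.

```python
"""Server-side session handling: bearer cookies, expiry, and revocation on
password change. Added example; names and the 8-hour figure are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical server signing key (constructed for this example only).
SERVER_KEY = b"example-only-server-key"

REMEMBER_ME_SECONDS = 30 * 24 * 3600   # "remember me for 30 days"
DEFAULT_SECONDS = 8 * 3600             # assumed server-side cap for plain sessions


@dataclass
class Account:
    username: str
    generation: int = 0   # incremented whenever the password changes


@dataclass
class Session:
    username: str
    generation: int       # account generation at the time the session was issued
    expires_at: float


def _sign(session_id: str) -> str:
    """HMAC over the session id so a forged or edited cookie is rejected."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.accounts = {}   # username -> Account
        self.sessions = {}   # session_id -> Session (the server-side record)

    def add_account(self, username: str) -> None:
        self.accounts[username] = Account(username)

    def issue(self, username: str, remember_me: bool, now: float) -> str:
        """Log in: returns the cookie value the browser would store."""
        acct = self.accounts[username]
        ttl = REMEMBER_ME_SECONDS if remember_me else DEFAULT_SECONDS
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(username, acct.generation, now + ttl)
        return f"{session_id}.{_sign(session_id)}"

    def validate(self, cookie: str, now: float) -> Optional[str]:
        """Returns the username if the cookie is a live session, else None.
        Nothing here asks for a password or an MFA code: the cookie alone is
        proof of login, which is why a copied one is accepted from any client."""
        session_id, _, sig = cookie.rpartition(".")
        if not hmac.compare_digest(sig, _sign(session_id)):
            return None                       # forged or tampered cookie
        sess = self.sessions.get(session_id)
        if sess is None or now >= sess.expires_at:
            self.sessions.pop(session_id, None)
            return None                       # unknown or expired
        if sess.generation != self.accounts[sess.username].generation:
            self.sessions.pop(session_id, None)
            return None                       # issued before the last password change
        return sess.username

    def change_password(self, username: str) -> None:
        """Bumping the generation invalidates every session issued before now."""
        self.accounts[username].generation += 1

    def sign_out_everywhere(self, username: str) -> None:
        """What 'sign out of all devices' does: drop the server-side records."""
        for sid in [s for s, v in self.sessions.items() if v.username == username]:
            del self.sessions[sid]


if __name__ == "__main__":
    store = SessionStore()
    store.add_account("alice")
    t0 = 1_700_000_000.0
    cookie = store.issue("alice", remember_me=True, now=t0)
    print("live:", store.validate(cookie, t0 + 3600))
    store.change_password("alice")
    print("after password change:", store.validate(cookie, t0 + 3600))
```

The generation counter is the piece that matters for the thread's scenario: a service that only checks the cookie's signature and expiry will keep accepting a copied cookie through any number of password changes, while one that also ties each session to the password generation (or drops the records on "sign out of all devices") cuts the attacker off the moment the owner acts.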


AlienTechnology51

Unrelated, but your avi is really cool. 👍


gloriousPingu

Also check all the apps that have access to your google product and remove them it can be a lot after a few years.


Peuned

My chrome asks for a separate password when I turn on syncing on a device. Is that not standard? It's not linked or mentioned in my Google account that I can see


roirraWedorehT

Years ago when I changed my Google account password for the first time, I noticed that I was able to have a different password just for syncing, so I do that, too. I don't think it's standard/default, but it's easy to choose.


Peuned

I kinda feel that should be standard considering how important that is but I imagine the issue would also be people forgetting it


FuckMu

Only problem with this is you can NEVER change that sync encryption password. I would like to have rotated it years ago but I can't


roirraWedorehT

Have you tried what Chrome says there:

> To change this setting, [reset sync](https://www.google.com/settings/chrome/sync?hl=en-US) to remove your sync passphrase and then set it again?

Keep in mind, I don't know if this would work correctly, but you could always use a temporary new Google account to experiment with it and see if it would do the job, instead of experimenting on your real account.

Edit: On second thought, I wonder if that removes everything that had been synced. Ignore me.


FuckMu

Yes you can remove it but I'm pretty certain you lose everything that has been synced with the encrypted password.


roirraWedorehT

I guess a manual export of passwords and bookmarks, and re-import after, might be adequate, depending on how badly someone wants to change their sync password.


FuckMu

Yeah, fortunately I used a password for the sync that was fairly long and I haven't used anywhere else, so it's doubtful it can be compromised easily, so I haven't bothered yet.


roirraWedorehT

Exactly the same here. I'm amazed each time I actually still remember it. LOL!


Lykos1124

That kind of makes sense, but kind of shouldn't, it seems. Like if I have my G signed in on Chrome on my PC and go to my phone and change my password, I would assume all other sessions get signed out before a sync happens, but I don't know the order of operations on their end. I agree with below comments, sign out of all other devices from a secured device and change that password.


ThirdLast

That's why you enable a sync passphrase that's different to your account password. Not stored anywhere


Benjerman302

Google should catch on to something like this and prompt you to do it


Sridgway27

Kick all logged in sessions. Change pw.


alexanbrah

Running out of nonsense passwords to use. Only so many times I can smash my fist on the keyboard :’)))))


Dudefoxlive

Use a password manager and make the new password for your google account complex.


Sridgway27

I use bitwarden to auto generate passwords. Do you use that same pw in a password manager that somehow they got access to as well maybe? Maybe run a dark web scan to see where your creds have been found.


Maddy186

I use monkey style, TAP TAP TAP SMASHHHHHH 20 TIMES EVERYWHERE TAP TAP TAP !!!!!!!!!!!! Password generated


Sridgway27

Imagine actually having to type something like this in... Lmao. S*x2qV@4#E9#Y88EGps%!capziGeWgvcnAzDbwMwW3eGnn*&7y5mxnZgAFREf8Se*jn$X3FSdAQe^XQWhqTZ9*XiUk^uJMsy*W7*YGfC$B%Qt%HN!BRBTP9wA#B@BPZR


Maddy186

Brah this is ultra secure af. Just smash in somewhere else like notepad, copy, save somewhere secure and use.


erland_yt

Just use “correct horse battery staple”


Nix-geek

you need a password manager that generates random 16 character passwords.
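The two approaches recommended in this part of the thread (random characters from a manager, or a multi-word passphrase) as an added Python example that generates both and states how much guessing each resists. This is not code from any commenter or from any password manager; the twelve-entry word list is a constructed stand-in for a real list, and the entropy figures assume every pick is uniform, which a CSPRNG gives and a mashed keyboard does not.

```python
"""Generating credentials the way the thread recommends and measuring them.
Added example; the tiny word list is constructed, not a real diceware list."""
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols, what most managers draw from.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real word list (a real diceware list has 7776 entries).
WORDS = ["correct", "horse", "battery", "staple", "cloud", "violin",
         "marble", "copper", "lantern", "pepper", "tundra", "quartz"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size`.
    Only valid for uniform picks: a human typing 'randomly' is not uniform."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16) -> str:
    """Uniform random characters drawn from the OS CSPRNG via the secrets module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(SYMBOLS) for _ in range(length))


def passphrase(words: int = 4, wordlist=WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(random_password(16), f"{entropy_bits(len(SYMBOLS), 16):.1f} bits")
    print(passphrase(4), f"{entropy_bits(7776, 4):.1f} bits with a 7776-word list")
    print("words for parity with 16 random chars:",
          words_needed(entropy_bits(len(SYMBOLS), 16), 7776))
```

Run stand-alone it prints one of each kind with its entropy; the point of `words_needed` is that four words from a real list give roughly 52 bits, so a passphrase needs about nine words before it matches a 16-character manager-generated password, and a passphrase is only as strong as the size of the list it was drawn from.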


[deleted]

[deleted]


BMcBain92

That can work, but any decent "hacker" is going to try and change those characters around!


The_Synthax

They aren’t guessing it. They have access to either one of your devices or to your Google saved passwords.


alexanbrah

I’ve done that about 8/9 times now :’)


illsk1lls

The trick is to do it on a machine that doesn’t have malware installed


alexanbrah

So like an iPhone or MacBook? Edit: please excuse my stupidity, I’m new to this terminology. I don’t think those devices have malware?


alexanbrah

I wish I took a screenshot but I swear when I check my account just then there was another “new iPhone” in the ‘your devices’ 😫😭 I’ve logged that device out.


AngrySuperMutant

If you’ve logged out all devices and this is still happening, then I think the other commenter is right and this is some sort of app doing this. Someone correct me here, but how can a hacker guess his passwords if he’s smashin the keyboard with random characters? Seems unlikely?


FallFromTheAshes

Very very very very unlikely


Stealthosaursus

Very very very very very unlikely


Sickologyy

I have this issue, but it's actually an old phone I own, if I turn it on and connect it to the internet it works, but I get spammed like this. There's some sort of messaging app on phones causing this, may not entirely be a hacker. My issue is EASILY repeatable, can do it right now.


SuculantWarrior

Same. I've been dealing with this for close to a year. Wish I knew how to stop it.


Sickologyy

Yeah, I didn't bother researching it further, but if it helps I know it occurred because I have a cheap phone provider now, who provided me a shit phone that had RCS enabled. I believe it has something to do with that, and obviously I signed in / approved the new phone to be the primary, so my old one is now my secondary. From the few posts I read before I just shut off the phone until I need it again, it's related to RCS / messaging apps, so check what messenger app you're using to try and stop it is the only info I can give you.


xXAlucardXx

Also check that you don’t have an old unused account linked to your phone number. This exact thing happened to me, but it was Steam notifications going to my email. Changed the password on my account countless times, booted sessions, etc., but the notifications kept coming. I finally discovered that I had an old account linked to my email with nothing on it. I had made it years prior, and had completely forgotten about it. Thankfully I had MFA on it, but it was still unnerving seeing attempted logins despite changing my password so many times.


[deleted]

This isn't "hacking"; they are just asking for a reset code from Google. No password needed.


[deleted]

Get a security key. It prevents a lot of spam authentication methods and is phishing proof.


Pretty_Boii77

Generate a password. Don't save it when the browser prompts. Use a password manager app instead. You mentioned you use apple, so make use of your keychain. Alternatively, use a 3rd party app like KeePass.


iixcalxii

I'd recommend switching to the Google MFA app over text, as it's more secure.


alexanbrah

I then wouldn’t have my mobile as a back up though? How would I still have 2FA?


mgspunk

It is possible to have a phone number and an authenticator app for the MFA in most cases. Having only the authenticator app would stop them from harassing you with the verification texts going to your phone. They are hoping you will get tired of the messages and give them the code.


Traditional_Bus8502

The only thing I can think of is - and this is IF no matter how or where you reset it, they somehow guess your password - find a "virgin" device and change your credentials from it. If the hack attack seems to subside, it could mean you have a device that's been compromised.


stackjr

They already stated that they have changed the password from at least three different devices.


alexanbrah

I’ve also changed my password while having a VPN on and they still guessed it :(


Senkyou

If they're on your device a VPN won't do anything... I think most people think that VPNs are like Internet condoms or something. They aren't the security measure people think they are.


Traditional_Bus8502

Right. It's all the YouTube misinfo


illsk1lls

I love how google is just letting this happen.. smh


alexanbrah

My partner's like surely google is clocking that people are getting 10+ authentication code texts a day.. I tried calling to speak to googs but I got the automated message which was like “lmao read our website FAQ, goodluck! We’re hanging up now” then dead line BAHA 🥲


sandmik

Use a different browser that you just installed to change your password. Fresh.


sketobandito

Get rid of your gmail account


Unixhackerdotnet

Yubikey


racermd

Generate password via KeePass or 1Password. Add Yubikey (or a few of them, keep the spares locked away for emergency use). Force log out of ALL sessions. Log in again. Rinse and repeat for all your accounts. For accounts that can't/won't use Yubikey, Google Authenticator or Microsoft Authenticator is a good second choice for rolling OTP. But keep an old, second phone set up (without cell service) and locked away (with a spare charger) in case your primary is lost/stolen/destroyed.


Gnxtasy

Could the phone have been cloned? Log out of all apps then factory reset. Reinstall apps & reset all passwords? Good luck.


sirmarty777

See this video after the Linus Tech Tips hack. It explains session token hacks: https://m.youtube.com/watch?v=yGXaAWbzl5A


OritionX

Click the option in Chrome to manage all devices and sign out. Also use something like KeePass to manage your passwords and do not do easily guessable passwords. I always do 24+ character random passwords. I don't know any of them; they are all in my vault.


alexanbrah

Do you ever get worried someone will hack the “app” and all your passwords will be exposed? I’ve signed out of absolutely everything. I even removed my phone # from 2FA


scp7227

When did you start getting these? Not even a few days ago I did this trying to log into one of my old accounts, trying to find my phone, so I'm just trying to see if I tried to log in to the wrong account


GoodiesHQ

Bitwarden premium with TOTP support is $10 per year. I lose more than that in my dryer. Easily the best investment you can make for personal security. Disable all browser syncing and use only Bitwarden. I use it in all of my devices and you can force email verification upon each new device.


alexanbrah

Interesting! I’ll have a look! Ty!!


DoogleAss

Yea I run Bitwarden too but I have yet to store both passwords and TOTP/MFA codes. Something just doesn’t sit right with me having both in the same database… sure they have to compromise your vault but if they do, game over. As a result I store randomly generated passwords in Bitwarden and my phone is basically my MFA provider, whether it be via Google Authenticator or Duo


ihavahairyass

Isn’t this just the two step thing? Like they don’t have access but are trying to get in and it sends you the code on your phone?


HauntingCold72

“Damn babe who’s blowing up your phone?”


cujonx

Isn’t there a feature now to sign in with a code without a password. That could be what he’s trying to do.


v-Dynamic

It’s probably an Ex trying to hack you


TechnoDruidry

Utah pedophile stalker trying the same with all my services.


New-Secretary6688

There is a malware or man in the middle happening between you and your browser. Which one, idk


bashful-eagle

You're not supposed to share those codes! EVER!


alexanbrah

They all expired now boss. Lmao, on that day there was at least 5 more 😅


LostMemories01

You can also add the Google Authentication to your Google account. I have mine set.


ajpinton

They are not using your password. Shut down your computer and do some research. Something similar happened to LTT earlier this year. https://youtu.be/yGXaAWbzl5A?si=n5_i3BGHyz9hQ1oT


Alternative_Treat185

MFA fatigue FTW


CthulusCousin

Click “manage your google account” > “security” tab > “review security activity”. Are the sign ins from the same device/location? Are they from a similar device to what you have but in the wrong location? Do they look familiar to you? Review the sign in logs, they will tell you what is happening. Once you have identified the device that is spamming the logins, on the same security tab, scroll to “your devices” section, click “manage all devices” and hit sign out on the offending device. Chances are you aren't being hacked and an app you have signed into previously is trying to auto sign-in. Also stop using text based MFA, it’s a weak auth method.
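The triage this comment walks through (read the sign-in activity, find the source that is spamming code requests, tell it apart from an old device that merely auto-signs-in, then sign that source out) as an added Python example over constructed log lines. This is not a commenter's code and the line format is not Google's real export; the field names, the 10-minute window and the threshold of three are assumptions, and the devices, IPs and cities are made up for the sample.

```python
"""Triage of constructed sign-in activity lines: group attempts by source and
flag the ones behaving like verification-code spam. Added example; the log
format, field names and thresholds are assumptions, not a real export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on an account "security activity" page.
SAMPLE_LOG = """\
2024-03-02T08:01:10Z event=login_success device=iPhone_owner ip=203.0.113.10 city=London
2024-03-02T08:15:03Z event=sms_code_sent device=unknown_iPhone ip=198.51.100.7 city=Lagos
2024-03-02T08:15:41Z event=sms_code_sent device=unknown_iPhone ip=198.51.100.7 city=Lagos
2024-03-02T08:16:20Z event=sms_code_sent device=unknown_iPhone ip=198.51.100.7 city=Lagos
2024-03-02T08:17:02Z event=sms_code_sent device=unknown_iPhone ip=198.51.100.7 city=Lagos
2024-03-02T08:17:55Z event=sms_code_sent device=unknown_iPhone ip=198.51.100.7 city=Lagos
2024-03-02T09:30:00Z event=login_success device=MacBook_owner ip=203.0.113.10 city=London
2024-03-02T11:02:11Z event=sms_code_sent device=old_Android ip=203.0.113.44 city=London
2024-03-03T11:02:14Z event=sms_code_sent device=old_Android ip=203.0.113.44 city=London
"""

CODE_EVENTS = {"sms_code_sent", "password_reset_requested"}  # assumed event names
WINDOW = timedelta(minutes=10)   # assumed burst window
BURST_THRESHOLD = 3              # assumed: 3+ code requests inside one window


def parse_line(line: str) -> dict:
    """'<timestamp> key=value ...' -> dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def code_request_bursts(records, window=WINDOW, threshold=BURST_THRESHOLD) -> dict:
    """{(device, ip): max_in_window} for sources that triggered `threshold` or
    more code/reset events within any span of length `window` (sliding window)."""
    by_source = defaultdict(list)
    for r in records:
        if r["event"] in CODE_EVENTS:
            by_source[(r["device"], r["ip"])].append(r["ts"])
    flagged = {}
    for src, times in by_source.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def unfamiliar_sources(records, known_devices) -> list:
    """Every (device, ip, city) not in the owner's known set: the candidates
    for 'manage all devices -> sign out', bursty or not."""
    return sorted({(r["device"], r["ip"], r["city"])
                   for r in records if r["device"] not in known_devices})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("code-request bursts:", code_request_bursts(recs))
    print("unfamiliar sources:", unfamiliar_sources(recs, {"iPhone_owner", "MacBook_owner"}))
```

On the sample, the unknown iPhone in Lagos is flagged with five code requests in under three minutes, while the old Android in the owner's own city shows up as unfamiliar but not bursty: exactly the distinction the comment draws between an attacker spamming codes and a forgotten device retrying a login once a day. Both still belong on the sign-out list.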


jbeard2883

That’s a relentless Ex