So them. Mrs Lunge appears to have been hacked.
After a strange e-mail from her mobile phone operator saying she had requested a PAC code, followed by another from then asking to message if she still wanted to proceed, she phoned them up and it seems a request had been sent though from her e-mail address. Shortly after a rather strange repeating calendar invite has appeared in her diary.
Her mobile number is now locked whilst the network (ID Mobile) try to work out what's going on which means she can't call or text. Now, having changed her e-mail password (Hotmail) that too seems to be locked and needs unlocking with a text, which she now can't receive.
Safe to say, stress levels are high...
So, questions/thoughts.
Is there any way of getting in touch with Microsoft/Hotmail to unlock her account?
Webchat is great for simple problems, but it seems ID Mobile won't talk to anyone, particularly from a number they don't recognise. Any ideas on how to get over this hurdle?
Finally, can anyone offer any reassurance or advice that is slightly less disruptive than "get a new e-mail address and a new phone number/provider".
Obviously, this sucks now, but it is good that the mobile operator jumped on it. Less good that the accounts were compromised though.
The best advice I can give will only really apply after you have got back control of the Hotmail account and that is to change passwords (again) and then activate some sort of multi-factor authentication (Google Authenticator, MS Authenticator) on it so that there is something other than just a password protecting the account.
Is the calendar linked to her mail?
I had this a year or so ago - They managed to get access to my phone number so when they request 2FA codes for banking/websites they were able to get access to my various accounts.
Might be worth checking with the bank that you haven't been compromised
Took a while to get email back but when my network (Giffgaff) eventually gave me access to my messages this made the process much easier - Changed my passwords and downloaded an authenticator app in case this happens again.
Other than the faff of changing passwords and being without access for a few days no long term issues
They managed to get access to my phone number
this still seems to be far too easy to do. The problem providers have is almost all phone customers forget whatever security arrangements they set up when they set up their mobile account - so although your phone account is nominally protected by a password or a pin number it isn't in practice because when a scammer calls up everyone else who has called that day - all legitimate callers - also can't provide the details that they can't provide. Individually the call handler's performances are measured by customer satisfaction surveys after every call so theres a performance-pressure to just get caller's requests handled quickly, so if the scammer can just offer a little bit of personal information thats enough to get in.
Ooh sim-swop? Are you in the UK?
Also, sorry it sucks.
Fraid to say Mrs dB had to abandon her Hotmail address for similar reasons, still get people saying - "oh I sent you an email" coz her old address still pops up under her name..
I too would be checking all banks and other accounts ASAP and locking down / changing every password under the sun / activate 2FA on everything etc.
No advice from me, but I did re-do our charities Organisational Risk Register yesterday and hacking / digital fraud is the biggest risk we currently face. I personally also worry about it, and have seen my boys come close to being hacked last year, and even this month I opened an email 'from' a company I deal with (Postcode Lottery) and clicked on their 'advent calendar' - and only at the last moment realised it was a scam/phishing site. Cue a steep uptick in spam emails for me, but thankfully no data inputted....
Bank has already been checked and informed so we're OK in that regard...I hope...
I'm not entirely sure what blocking her phone number is supposed to achieve. I'd be questioning that for a start.
A PAC request shouldn't work without access to the number / her authorising it. A password reset shouldn't work without, again, her authorising it, the request should be rejected (otherwise you could go around locking accounts with gay abandon). Something isn't right here.
You're going to need to have "the talk" about complex random passwords and MFA that isn't SMS. At least twice!
There are still important things Mrs S accesses that have 6 character dictionary/simple substitution passwords. We have had "the talk" several times and provison of a secure password manager with instruction on how it works (the password manager also handles MFA for most things so only 1 password to remember to make it safe as houses). I feel your pain.
There are still important things Mrs S accesses that have 6 character dictionary/simple substitution passwords. We have had "the talk" several times and provison of a secure password manager with instruction on how it works (the password manager also handles MFA for most things so only 1 password to remember to make it safe as houses). I feel your pain.
Apple will create strong passwords, but there are plenty of businesses and organisations who require passwords that conform to their strict layout, and won’t accept any password that doesn’t, which then involves the fannying around trying to create a new, complicated password that will conform, and writing it down. PITA 🤬