Do you store password information in Contacts? Here's what can happen!

We are all driven a little (or a lot) crazy by Passwords for online accounts.

And I know that so many people choose to write down their passwords on paper, in Notes on their iPhone/iPad or, sometimes, as entries in their Contacts app. 😱

This may seem like a good solution, on the basis that you probably assume that only you can see the contents of your Contacts app.

An iTandCoffee client only last week found that this is not the case - and that a scammer had access to all her Contacts and the passwords she stored there (as well as all sorts of other things).

With the number of clever scams emails around, it can be very easy to be caught out by one that looks legitimate - and to sign in to an account when asked to do so.

This is exactly what this iTandCoffee Client did recently.

She received an email from a friend, sharing a OneDrive file with her - and when requested, she signed in to her Microsoft account to check out that shared document.

She didn't realise she had been caught out - that the document was a scam and that her sign-in credentials had been stolen.

It was only when some of her own contacts also received the same strange document sharing invitation - this time from her - that the scam was uncovered.

I was one of those contacts, and here is the message I received from her. Everything about it looked authentic, and I am not surprised she (and anyone else) would be caught out by this one.

I texted her straight away, sending a screenshot of the message and asking if she had sent it (fairly sure she hadn't). I warned her that I suspected she had been hacked and that the hackers may have access to her Microsoft account. To be safe, her Microsoft password needed to be changed, and her account needed to be fully secured and checked for other issues.

She changed her password as soon as she could (a few hours later), but found she subsequently stopped receiving any mail to that account - an issue she sought assistance with about 3 days after the initial hacking incident.

Here's what had happened in the time up until her password was changed. In fact, it could have continued for the 3 days, since changing the account's password may not have locked the hackers out of her account. (We'll talk about the extra step required block all signed-in sessions, apps and devices shortly.)

In the time the hackers had access, they would have been able to view all her emails in that Exchange account, and glean any valuable information that they could from these emails. This included emails that had some login credentials for some key aspects of her business.

They planted a Rule for her Exchange emails that automatically moved any received mail straight to another folder - which meant she stopped seeing her incoming mail and thought the account wasn't working properly.

By doing this, the hackers could monitor her incoming and outgoing mail for anything that they could use to defraud her or someone with whom she corresponded. They could delete any evidence of what they sent.

They may well have hoped to quietly 'camp out' in her account for a prolonged period, waiting to execute a 'man in them middle' attack if she received or tried to send an email relating to anything financial. 

The fact it was a Microsoft account also meant that they would have had access to her OneDrive/Sharepoint and any files stored there. (Luckily she didn't user either of these much in her small business, so there wasn't much content there.) 

Importantly for this client, the hackers also had access to the list of Contacts stored in her Microsoft Exchange account.

This would have allowed the hackers to steal that list of contacts, sent emails to these Contacts pretending to be her, and attempt to catch out others in the same way that they caught her out - or maybe pretend to be her and send emails trying to con money from her contacts.

And unfortunately for this client, she had also used Contacts as a place for storing passwords.

So the scammers had full access to the list of passwords that she had stored there - and could therefore gain access more than just the Microsoft Account.

You can imagine the stress this poor victim suffered as a result of this experience.

The fall-out continued in the week after the incident, as further accounts may have been compromised using information found in her Microsoft account. And her account was registered as spam email address, meaning she was blocked from sending any mail until we unblocked it.

Some lessons from this incident

1. ​If you don't yet have it, your must set up Multi-Factor Authentication for accounts like this. For the incidents like this, this may have prevented the scammers from accessing the victim's account - as the email address/password would not have been sufficient to sign in to the account. 
2. Always be suspicious of emails (and texts) that ask you to click a link - even if they are from a friend. Check with the friend first to see if they sent it. Don't click unless you have checked and are absolutely sure. Check the content of the link first. (Note. In the above case, this this not uncover any problem - as it was the file that had been shared that contained the issue, not the link itself.)
3. If you are asked to sign-in to a website, be absolutely sure the website address is valid. But rather than take the risk, visit the website and access your account from the legitimate website address without clicking the link.
4. It is a essential these days to use a Password Safe to auto-fill passwords, because such safes will not autofill if the site/sign-in request is fraudulent. This can help identify issues.
5. Never store your passwords in Contacts (or in a Word/Excel document on your computer).
6. If you ever suspect your account has been compromised, change the password immediately! Don't delay. Seek help as quickly as possible if you are not sure how to do this.
7. Especially for mail/cloud/financial accounts, also make sure to find the option to Sign out everywhere, to make sure that any authenticated session, apps and devices are signed out. For Microsoft accounts, this is found at myaccount.microsoft.com (as shown in the image below).
8. If you ever need to check who has had access to your Microsoft account, go to Review Recent Activity on the same page (see image below)​. 

As a side note, if you need proof that multi-factor authentication is essential for your online accounts, check out the screen shot I just took of the results I got from Review Recent Activity for my own account! So many attempts to hack my account!

Need help with this or any other technology issue/question?

We have focused on Microsoft 365 above in the discussion of how to secure your account. If you need help with securing any other type of account (or any other technology question/issue), make a time with iTandCoffee.