Why Are People Making Fraudulent Purchases on My Old Accounts?

Why do cats meow? Why do birds fly? Why are hackers breaking into your account? This is their nature. Or is it a hobby. Or are they just jerks who really want to take advantage of security vulnerabilities and failures for sports, profit, or both.

But when you have nothing to offer, why are they still doing it? As a Lifehacker reader, Rachel asks about Tech 911 Q&A this week:

A long time ago I used the same password for everything and at some point this password was cracked and existed in the world tied to my email address. I now use secure passwords and a password manager, but there are a few long-forgotten sites that I haven’t visited in years where you could theoretically log in with my credentials. This has happened several times over the past few years. People have logged into my account and made a purchase, and I draw attention to this when I receive a confirmation email. Of course, I then change the password and cancel the order. The point is, these people never use my credit card information. I do not save my credit cards to websites, and even if I did it before, the credit cards stored in those accounts have expired. Why would anyone want to use a compromised account to buy something with their own credit card?

Is a hacked account better than creating a new one?

This is an unusual question, Rachel, but I think there is a simple answer. For starters, I don’t think it matters if you have any credit card information associated with an account. After someone is hacked, they can then use that account for all sorts of other nefarious purposes, including looking for other information about you in order to try to hack into your other accounts (or reset your passwords, or perhaps even social engineering some poor customer. the service staff let them in).

When it comes to making purchases using old accounts, it’s a little more peculiar. You might think that an attacker would sneak away and waste their time trying to log into the account to which the active payment mechanism is linked. This would appear to give the attacker the most bang for their buck. Unless , of course, they are using stolen credit cards to make a purchase, and your account is only helping to hide it.

Of course, one could also argue that it would be much easier to create a bogus account and use a stolen credit card. I guess it depends on how many fake credentials they have to enter, including generating a fake email address and possibly even a phone number, and what checks the service uses to detect fraudulent accounts. But this is probably a little more work than just getting your hands on a work account, especially if the attacker has some sort of batch tool that he can use to sort the good logins from the expired ones.

If these purchases were physical, I would be even more curious about where they are going. And you should definitely report them as scams. Don’t let someone hacked into your account get free stuff.

There is little you can do to stop fraudulent purchases of digital goods other than notifying the place where they were purchased in the hope that the company will cancel them for those who bought them. However, my guess is that the purchases mentioned will also be tied to your account in some way, unless the attacker purchases digital gift cards, e-mails them to a different address, and uses them immediately.

Anyway, I would be shocked – in truth – if those who hacked your account were to make purchases using their own credit card details. If so, you should feel flattered; you have officially found the stupidest hackers on the world wide web.

In fact, it happened to me once when someone hacked into my Chipotle account (of all things) and ordered food for themselves – no less than pickup. As soon as I received a receipt for the food that would be ready in an hour on a completely different coast than where I live, I immediately called this exact Chipotle, canceled it and changed my app password to something new. unique and annoyingly long. It was good to know that some asshole with my account would have to wait to reorder his burrito bowl (and pay for it with his own credit card).

I wouldn’t worry too much about your setup, other than the fact that these purchases will be tied to your dormant accounts. It’s an unwanted byproduct of someone leading a less secure online life for years – for example, using the same or similar passwords for multiple sites – only to forget all the sites and services you’ve used before when you finally level up. play with your password. Is it or is it just something that happens as a result of all the data breaches that we encounter on a fairly regular basis.

You can try to find old active accounts by entering your most used passwords into your email client and see if any “account creation” confirmation emails pop up. You can then revisit these accounts and either close them or change the password to something unique. Other than email searches, I cannot recommend a good source that you can use to find old accounts; obviously there is no website where you can just enter the password and see which hacked account it is associated with. (That would be incredibly bad.)

Be aware of this strange situation and make sure you change passwords or delete accounts whenever you receive a notification about a purchase you didn’t make. And continue to lead a secure online life with strong passwords, two-factor authentication, and don’t save your credit card credentials on websites. You are doing a good job. Don’t be intimidated by these ghosts from the past, no matter how annoying they are.

More…

Leave a Reply