Two different websites sent me emails in the past two days containing 6-digit Authentication Codes. Both messages implied that I had requested these codes. One (Amex) specifically told me to enter the code in the same window from which it was requested. I had not attempted logging in to either site so I am concerned that someone has been able to get my ID and Password to those two sites (and likely other sites). I was on the phone with Amex for nearly 2 hours and talked to 3 people before a manager suggested replacing my current card, which I agreed to do. Of course I changed the passwords for the online accounts.
Both sites had complex 16-character Bitwarden-generated passwords that no algorithm could ever guess. I use a Master Password for Bitwarden. I’d prefer to switch to Passkeys but the discussions about Passkeys are so technical and confusing that I’m not comfortable making the change. For example Firefox may or may not (?) be PRF-compliant, according to various Community items I’m reading. I need to use Firefox because of issues I’m having with Adobe PDF in Brave. But if Firefox isn’t PRF-compliant, then I can’t switch to Passkeys and I’m stuck with the Master Password for Brave, Android, and Firefox, right?
All input is welcome. I’m very frustrated and now am worried that I may be staring at a major security issue.
Well, you can change your Amex password first. Do you already have 2FA enabled on it? If not, then turn it on.
AFAIK Amex doesn’t support Passkeys.
Also I’d recommend calling them (call the number on the back of your card, not any number that showed up in either of those emails). See what they can determine, at least to confirm that those emails are bogus.
As I said, I spent nearly two hours with Amex on the phone, and I changed the password first thing. I also set up 2FA on my account.
The second website was Hertz and I simply called and deleted the ID entirely since I never rent from them.
But my concern is, for someone to get to the step of getting the 2FA code, they must have entered my ID and password correctly. How could that have happened?
But if Firefox isn’t PRF-compliant, then I can’t switch to Passkeys and I’m stuck with the Master Password for Brave, Android, and Firefox, right?
Yes, if the client doesn’t support PRF, that would be true. I think the expectation is that eventually, all the clients will support it.
Questions for you, to help figure out what happened:
For the BW master password, do you use a randomly generated passphrase with at least 4 words?
For BW, what kinds of 2FA do you use? Do you use the “remember me” option for this?
For desktop, what do you use? Windows, Linux, MacOS?
For mobile, I assume Android?
Here are some thoughts/ideas:
If you use randomly generated passwords for the two accounts you mentioned, then these aren’t credential stuffing attacks. The passwords/session tokens are most likely leaked. Is it account-specific (although there are at least two), or is it widespread?
For other valuable accounts that have better logging (like email accounts), do you see logins from unknown locations?
Hudson Rock has an email search for email accounts that might have fallen victim to infostealers.
If you use Windows, I would recommend at least a Windows Defender offline scan in safe mode. I would personally use Malwarebytes to also scan in safe mode.
I would use the security check feature on the valuable online accounts that offer it.