My Instagram account got hacked. The email address was changed and they enabled 2FA with an app. The account is deactivated now but they’ll probably activate it again soon. I can’t reset the password because Instagram sends an OTP to my email, but I never get it no matter how many email addresses I try.
Then, an hour later, my Ubisoft account got hacked, and 3 hours after that, the email address was changed too. I tried to reset it but it was too late.
I changed my email because both accounts used the same email, unlinked the recovery email, and removed all logged-in devices. Since then, there haven’t been any new issues but I’m still really worried. What else could they have access to?
I ran a Malwarebytes scan and found around 9 trojans in the System32 folder and 5 in my downloads folder, which I quarantined. I’m on Windows 11 and this is the first time I’ve been hacked. I can’t believe it.
I suspect the following:
- I use a password manager that syncs across my PC and Android. Both my accounts were saved there. If the hacker had access to my password manager, why would they reset my password? It would give them permanent access, but that makes me think it’s more likely my email account was compromised.
- My email account seems to be the main point of attack because both accounts were compromised through my email’s password reset method. But how did they get access to my email? Also, why attack these less important accounts like Instagram, which I barely use, instead of something more serious like my bank account?
- I suspect there could be malware, a keylogger, or rootkit on my system that gave them access to my email.
What should I change, and what precautions should I take to prevent this from happening in the future? The Instagram account wasn’t that important, but I want to delete it myself, not rely on the hacker.
Update (270125):
After all this, it seems like the hacker is on a spree. My Reddit account, linked to a third email, was hacked. Then, my Discord account, which had both app and SMS 2FA, was hacked too. I changed the password after each attack, but how did they get into Discord with 2FA enabled, even with the password? My 2FA was linked to my first Google account, which was compromised earlier, but I changed the password and logged out of all devices. I thought that would be enough, but they still had access.
I didn’t reinstall Windows or wipe my Android phone because I thought changing email passwords would be enough. But that hasn’t stopped them. I still don’t know where the backdoor is.