My business account was hacked last week. Here is my story.

Words by Annon - posted June 12 @ 12.58pm AEST

It is a long post but a worthwhile read, and it may just make the difference for someone else not suffering the same fate.

Like so many things in life you read and hear about, our natural mentality is that it happens to someone else, not me; I've taken precautions, it is extremely unlikely, etc.
 
I don't get stressed or flustered easily, but this was the most stressful 4 hrs of my life. In hindsight there are so many things that could have been done differently, and those steps have now been implemented. This post is for others to learn from my experience and implement change or review protocols.
 
Like many brokers I run the business on Microsoft 365, with email, OneDrive, SharePoint, Teams etc. I then have a separate personal email through Optus along with my mobile phone.
 
Somehow the hackers had worked out that person@abcbroker.com.au is the same as person.surname@optusnet.com.au with the same mobile number.
 
They also somehow data-mined my address, DOB and perhaps 1 or 2 other items. Think about all the places where we disclose all that sensitive information.
 
Entry into MS 365 was very secure, or at least so I thought. Very strong long password with made-up words containing numbers, capitals and non-alphanumeric symbols, and multi-factor authentication etc. All the stuff that keeps being drilled into you. Let me tell you, there is still weakness in all of that. The hackers attack at the weakest link.
 
The hackers managed to get in through the MyOptus app using the personal email, mobile, DOB etc. that they had mined (or obtained by hacking some other system). This allowed them to view my personal email and to also divert my mobile to another number.
 
This enabled them to go to Microsoft 365 using person@abcbroker.com.au as the login name and request a password reset, with the personal email and mobile phone as the two requirements of the multi-factor authentication for the password reset. As they had control of these, it was so easy.
 
My email in MS365 gave me administrator access which basically means they can add emails and do virtually anything on the account.
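The chain above (telco self-service portal controls the personal mailbox and mobile number, which together satisfy the Microsoft 365 password reset, which in turn grants the work mailbox) is a recovery-dependency problem, and it can be checked before an incident. The following is an added example, not code from the original post or from any vendor: it models accounts, the recovery channels each one's reset flow needs, and the channels each one's portal hands over, then computes which accounts fall once a single provider account is compromised. All account and channel names are constructed stand-ins for the post's scenario; "work-saas" and "hardware-token" are assumptions added to show a dependency that does and does not break.

```python
from typing import Dict, FrozenSet, List, Set

# Constructed model mirroring the post's scenario (not real identifiers).
# "reset_requires": channels an attacker must hold to complete that
# account's password reset (an empty list marks the entry point, whose
# compromise is the scenario we start from rather than something modelled).
# "controls": channels the account's self-service portal hands to whoever
# holds it (the telco portal exposes the mailbox and can divert the number).
ACCOUNTS: Dict[str, Dict[str, List[str]]] = {
    "telco-selfservice": {"reset_requires": [],
                          "controls": ["personal-email", "mobile-number"]},
    "m365-admin": {"reset_requires": ["personal-email", "mobile-number"],
                   "controls": ["work-email"]},
    "work-saas": {"reset_requires": ["work-email"], "controls": []},   # assumed
    "bank": {"reset_requires": ["personal-email", "hardware-token"],    # assumed
             "controls": []},
}


def takeover_closure(accounts: Dict[str, Dict[str, List[str]]],
                     seed: str) -> Set[str]:
    """Return every account an attacker reaches after compromising `seed`.

    Iterates to a fixpoint: each newly owned account contributes the
    channels it controls, which may satisfy further accounts' reset flows.
    """
    held: Set[str] = set(accounts[seed]["controls"])
    owned: Set[str] = {seed}
    changed = True
    while changed:
        changed = False
        for name, spec in accounts.items():
            req = spec["reset_requires"]
            if name not in owned and req and set(req) <= held:
                owned.add(name)
                held.update(spec["controls"])
                changed = True
    return owned


def single_points_of_failure(accounts: Dict[str, Dict[str, List[str]]]
                             ) -> Dict[str, FrozenSet[str]]:
    """Map each account to the single seeds whose compromise alone takes it over."""
    spof: Dict[str, Set[str]] = {name: set() for name in accounts}
    for seed in accounts:
        for victim in takeover_closure(accounts, seed) - {seed}:
            spof[victim].add(seed)
    return {name: frozenset(seeds) for name, seeds in spof.items()}


if __name__ == "__main__":
    for account, seeds in single_points_of_failure(ACCOUNTS).items():
        print(f"{account}: falls to any one of {sorted(seeds) or 'nothing'}")
```

Re-running the check after pointing the Microsoft 365 reset at a channel the telco portal does not control shows the chain stopping at the telco account, which is the property worth confirming for any admin account.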
 
The next hour was spent on the phone with Optus getting control of my personal email, mobile phone etc. to allow me to get back into MS365 and take control. I did this within 40 mins. Job done, so I had thought. (I advised Optus of the situation and they put a special additional password on for added protection. What a load of rubbish.)
 
Undeterred, the hackers found another weak link in the Optus app and, despite this additional password, were

To read more, join Finance and Coffee today!
