
I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

I've just set up an Outlook email profile due to my current provider's fall in standards and I mentioned the need to change my log-in details in the Vault in this thread: https://community.norton.com/forums/cant-open-vault-can-i-get-list-all-log-ons#comment-5934241

In the end, I chose to stagger the work over a longer period - each morning I open my Outlook account & check my In Box under my old profile, which I'd imported. If there's mail there from a website that I use, I log on to that website and change both my ID and password. (With email from friends etc., I email them my new email address.)

Two days ago, there was an email in my old In Box from a major blue chip retailer - Marks & Spencer (M&S). I went to their site and was unable to log in. I opened the Log-in details in my Vault and found the attached. My ID, which was (my full name)@btinternet.com, had been changed to 1.

My password, which was a strong mixture of Upper & Lower case alpha, some numeric and an underscore, had been changed to 4.

M&S Chairman's Office have now confirmed that their system has not been compromised so has my Identity Safe? I've not changed the log-on details so how could this have happened? With your help in the above thread, I got a print-out on the 26th September. The changes were there then but as I didn't work through the list I didn't spot them. There are 114 log-ins of which three have been compromised: M&S, eSpares and the Post Office Currency Exchange. I will phone the latter as soon as I've finished this.

That there are three examples satisfies me that I didn't make those changes.

I pm'd Mr Weiss but have been unable to reach him so now I have no alternative other than to suggest to everyone publicly that my Identity Safe has been compromised. Where do we go from here? 

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security

Replies


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

Taffy, I have asked Norton for assistance and also notified the mods to pass on that you need help on this!


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED


Hi Taffy, before we assume anything about the integrity of your Identity Safe profile, it's probably a good idea to get some information on what actually happened. It sounds like switching over email providers a month ago has proven to be a bit difficult, especially when having to update all your logins. But it sounds like you tackled most of the problems pretty well, despite these three logins. Additionally, if someone were to try to hack your Identity Safe profile, if that could be done, what exactly did they do to these logins? They made the login/password something nonsensical that can't be used on each site. Unless the login credentials for the sites themselves have changed, it doesn't seem like any hacking has happened. That's kinda the point, right? To gain access to your accounts, not change them to nonsense.

I have a few questions for you:
- I'm guessing that, since it took about a month to cycle to these logins, you don't have much need to login to these sites often?
- Is it possible that maybe bad credentials were saved when setting these up?
- Can you confirm that you've actually used the ID Safe vault passwords for these sites previously, and it worked fine?
- Have there been any export/import of these logins previously?
- For the email you received, I have no way of confirming if this is a legitimate email or a phishing one. Could that have been the problem? Or did you go to a bookmarked website for M&S instead of clicking a link in the email?
- Are you able to retrieve the login/pw for these 3 sites? Have they changed from before?

 

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

Good morning, Mr Weiss. The switch to my new email provider has in fact gone quite smoothly - the worst part was that due to my old provider having two email addresses for me, (one hidden, following a change in their procedures) I ended up with over 3000 emails in my imported Mail folders. After posting in the Microsoft Community, I decided to sort them by 'Sender' and stripped out the dross that way.

I then posted my "Can I get a list of my Vault items" thread mentioned above. As I have 111 items, I decided against changing them all (to my new email address) in one go - too much work, too much room for mistakes. That's why I've been updating two or three each day from email in my old In Box. You're quite right that the three sites mentioned are ones I don't visit regularly.

All of these sites and the other 100 or so have worked perfectly well when I have visited them in the past. Had there been just one site affected, I would have wondered whether it was my fault, had I input the wrong info but there's no way that I input the changes to three sites. All three single number password boxes are filled in Red to signify Weak/Inadequate.

I'm not sure what you mean by "Have there been any export/import of these logins previously?" I've never needed to export/import logins - I didn't even know you could do that with the Vault - or have I misunderstood?

All three emails are genuine - I always check a sender's (hidden) address before opening an email and I never click on links in emails - I always go via my 'Favourites' and have never got around to bookmarking/tabs.

I have gone into all three sites using the numeric ID and 'forgotten password?' route, and have changed my email address once in.

What doesn't make sense to me is how a hacker would benefit from this. All three sites enable me to buy clothes, spare parts or foreign currency but all three have 'go to checkout' and 'Pay' stages so they couldn't defraud me - but they possibly wouldn't know that until they accessed the sites - two of the sites (M&S and The Post Office) have their own labelled credit card accounts but those details would surely be encrypted and held elsewhere.

A friend who works in the IT Fraud team in a bank says that he's found that hackers often hack into a single site to look for opportunities and to test the consumer/retailer's firewalls. I'll continue in another reply - this is too long!

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

I followed advice posted in my "How to get a list" thread and saved the results in my Symantec folder in My Documents - they're the 3rd & 4th folders below. I presume the system created folders 1 & 2.

One folder (named with my old but still live email address) has .dat files from the 28th March to 14th August 2014.
The second folder (also named with my old but still live email address) has .dat files from the 15th August to 26th September 2014.

The third folder (named CSV Vault 26-09-2014) is an Excel spreadsheet & the fourth folder (named CSV Vault 26-09-2014 v2) is an Open XML Converter Excel spreadsheet.

Both 3 & 4 show the single numbers in my ID & Password so we know that the changes were made before September 26th 2014.

Do the .dat files have similar info as the Excel ones? Is it possible to open the .dat files? Is it relevant?

I'm about to check from old threads in which Yank helped how to check if these Vaults are cloud or PC-based. I think that my laptop Vault is Cloud and my XP desktop is PC but I'll find out later.

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

An update that may or may not be relevant. Someone has suggested to me that I visit https://haveibeenXXXpwned.com - I have added the Xs as some sites demand that no website addresses are posted.

It seems that I was hit in the Adobe 2013 per attached screenshot.

As I said, I've no idea if this is connected to this issue.

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

I have gone into all three sites using the numeric ID and 'forgotten password?' route, and have changed my email address once in.

What doesn't make sense to me is how a hacker would benefit from this.

Are you saying that the actual username and password for the accounts were changed, so that you were unable to login manually using the original credentials - that you were locked out of the accounts until you changed the passwords on the sites themselves? Or did you simply not know the password because it was a random set of characters that you depended on Identity Safe to remember for you?

A hacker would not benefit from tampering with the login information stored in Identity Safe - in fact, that would probably be the last thing a hacker would ever do since it wouldn't actually accomplish anything useful, and would only raise your awareness of possible tampering.  If a hacker wanted to lock you out of a site they would change the password on the site itself after having logged in using the stolen credentials.  Additionally, it would be odd to limit any mischief to only three sites, none of which would be a goldmine like a bank account.  This does not sound like a compromise of your Identity Safe.  The edit pane for each of your accounts stored in Identity Safe shows the date that the information was last modified.  It would have been interesting to see if the three accounts had been changed on the same day, and perhaps you could have worked out if you had made any Identity Safe modifications on that day.


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

Additionally, it would be odd to limit any mischief to only three sites, none of which would be a goldmine like a bank account.  This does not sound like a compromise of your Identity Safe. 

As an outsider who does not use Identity Safe, if it's anything but a glitch it sounds like maybe someone tried 3 times to get to access codes and then gave up?

From what you say about records of edit it might also be possible to tie the date/time of those to other events that might show up in Norton History if they were detected as dangerous and blocked?

The 3 sites mentioned are, as Taffy mentioned, ones that would be likely to interest visiting hackers from what I know of the UK market. 

Hugh

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

@SendOfJive: When I see an email from an on-line retailer in my (imported) old email In Box, I make sure the Vault is open & go to that retailer via Favourites (I never click on any link in an email).
In all three instances, my ID was the email address and the Vault auto-populated the log-in boxes but failed to connect. I then manually input my old email address and clicked 'enter'. That failed of course so I clicked on "Forgot Password?", got an email with the new password, entered my profile (to change to my new mail address and changed the password). All three retailers confirm that my old email address and lengthy password had still been in place prior to my changes, so the changes must have been made to my Vault, surely?

At the end of my post 17-Oct 7.07 pm, I too asked why a hacker would do this to just three sites. As I said in that post, a friend who works with IT/Fraud in a major bank suggests that this is normal - hackers after credit card info would do this to just a few sites to avoid detection by me, to test the retailer's security and to check out the site looking for opportunities. If they get in, they often then set up a monthly direct debit for a very small amount, usually less than £25.

Thanks for the info about "Date last changed" under 'Edit'. I wasn't aware of that and am now kicking myself for not looking before I changed them. But if that info is stored there, isn't it reasonable to ask if it's stored centrally by Norton too?

@huwyngr: your comments have me wondering whether hackers also steal names & addresses for ID Theft on such occasions. Date of Birth is sometimes also recorded. So if Norton has the information held centrally, and they let me have it, yes of course I'll go into Norton History - a great suggestion.

PS I see that the screen shot that I posted with my first post is "X'd".  That's because it was a .png - I can't save it in any other format so I'm stuck!

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

Hi Taffy,

Perhaps the following post by Andmike  will assist you with posting your image:

https://community.norton.com/forums/how-post-image-forums-0


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

PS I see that the screen shot that I posted with my first post is "X'd".  That's because it was a .png - I can't save it in any other format so I'm stuck!

Be careful that nothing you post shows any sensitive material. I was concerned about that message that referred to CSV files as if you had posted them! I'm sure you wouldn't but I asked a moderator to watch out "just in case .... "

When I referred to looking at Norton History I meant in your Norton Security Product ... NIS?

Hugh

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

If the actual login credentials for the three sites weren't changed, but only the Identity Safe data for those sites, it really doesn't sound like the work of a hacker.  Yes, the bad guys will test if an account is valid by withdrawing or debiting a very small amount of money.  But that is not what happened here - the actual accounts and the login credentials to access them were not tampered with at all.  What did happen - alteration of information stored in Identity Safe - would not tell a hacker anything about the status of an account and there would be nothing to be gained by doing that.  I am puzzled by what may have caused the changes made in Identity Safe, but I don't think anything you have mentioned suggests that the data was compromised - corrupted maybe, but not compromised.


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

@yank: Thanks for the link, now saved in my Favourites. (I should have done that the last time you helped me!) I'll try to post it again with this.
When I attached one to my first post, my post succeeded but there was a note "Image for moderation" (or similar). If the screen-shot was too big, I would expect the system to reject it immediately & tell me - if the moderators rejected it (eg sensitive info) would they PM me?

@huwyngr: Thanks for your comment about the CSV file - you're right to be concerned as I was in a panic at the time. If Norton have the change dates*** in their records and tell me, then I'll compare them with the NIS History, as you suggest. But it's not looking likely that they retain such info.

@SendOfJive: If a hacker got my info from the Adobe attack, he/she couldn't use it to get into those three on-line accounts. I agree with what you say and am puzzled too but if the info is simply corrupted then one has to ask how. Without the dates of the changes***, I'm stuck but is it likely that my laptop would have caused the corruption? I would think not.
Could this be a Norton system failure of some kind? Only Norton can say.

*** Perhaps the .dat files might supply the answer. They were system-generated and have info back to last March, per my post 17 Oct 7.22 pm. Has anyone any idea how they can be opened?

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

try again: should it be x'd?

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

Hi Taffy,

*** Just for grins, select one of the .dat files and open it using Notepad or WordPad.  Can you read it?  Of course not - it is encrypted - so that would not be any assistance.

You also have to remember we are on a new forum and I'm not sure anyone knows all they need to know about how this forum works, how the images are moderated, what responses will be received if they are too large or what not.  I certainly do not know the answer for this forum.  Also the link I provided in the past was for the old forum, quite different from what we have now.

Normally I would say the X as you see it means that you did something the forum software does not like - thus no image.


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

If Norton have the change dates*** in their records and tell me, then I'll compare them with the NIS History

Not being an IDSafe user I had thought that that information would be available to the user?

I'll leave you with those who do know about it. 

Hugh

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

Taffy's situation prompted me to take a closer look at my own online IDVault entries and I noticed that if you click on any entry to display its details, in the upper-right corner of the details display you'll see a "Modified on:" with a date & time...

This (to my mind) presents an interesting question about what this actually represents? - If it's intended to represent the last time the entry was changed (by me), or when it was added (by me), then it is most-definitely incorrect. I checked several of my vault entries and every one I checked has the same (very recent) date with a slightly different (within a minute or so) time stamp. The date they all seem to have coincides with the last time I added a new device to my subscription's device count - meaning I had allowed that device's NIS2014 subscription to expire and subsequently had reinstalled (via the management website) the current NIS2014 back onto it, then re-synced it with my online vault.

So is this actually a misnamed date/time indicator for the last "full sync" operation performed by an account authorized device, or what?

BTW: I decided to check the Norton Identity Safe website and found that if you edit one of the same vault entries it also shows the same "Modified on:" date & time stamp that the IDSafe applet shows...

Anyone happen to have some further thoughts on this?

Kind regards,

John


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

Very interesting John. I never looked at it before and am on my iPad now, which does show that entry, but I can't comment other than to say, I never tried to figure it out before. I can say there is an entry from this AM that says modified at 9.XX this AM?


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

G'Day Yank,

Here's hoping Tony or another Norton Emp posts back with some insight about it... 

Cheers!

John


Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

I've just found another one - an on-line retailer called Jacamo. Again, no financial info stored there. My email address had been changed from "firstname.surname@" to just the last three letters of my surname. My password had been changed from the usual lengthy mix of alpha/numeric to the number 1.

This change was showing on my 26th September spreadsheet but I missed it. I've checked them all again and there are no more dodgy ones.

Out of interest, I see that there are several images shown above as still in Moderation. I'm beginning to think that I'm the common link to all of these problems, perhaps due to the Chernobyl fall-out on the high moors where I live.

Only joking of course. I see that Chinese Hackers have hacked into a Chinese Cloud-based database. That and my unsolved problem is beginning to make me think that I should go out and purchase an old-fashioned A5 notebook in which to keep my Log-in IDs and passwords. I'm not joking on this one.

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security
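
An added example, not part of any post in this thread: a short Python audit that scans a vault CSV export for the kinds of entries described above (an ID that is no longer an email address, a one-character password, a password made of one repeated character such as asterisks), so they are not missed when reading a long spreadsheet by eye. The column names `site`, `username` and `password`, the length threshold and the sample rows are assumptions constructed for illustration, not the real Identity Safe export layout.

```python
import csv
import io
import re

# Constructed sample export. The column names (site, username, password) are
# assumptions for this example, not the layout of a real Identity Safe export.
SAMPLE_EXPORT = """site,username,password
shop-a.example,1,4
shop-b.example,jane.doe@mail.example,Wq7_blue_Kettle_18
shop-c.example,doe,1
shop-d.example,jane.doe@mail.example,************
shop-e.example,jane.doe@mail.example,Rt5_green_Lantern_63
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_PASSWORD_LEN = 8  # assumed threshold; adjust to your own password policy


def audit_entry(username, password, expect_email):
    """Return the reasons one stored login looks corrupted (empty list if none)."""
    reasons = []
    username = username.strip()
    if not username:
        reasons.append("username is empty")
    elif expect_email and not EMAIL_RE.match(username):
        reasons.append("username is not an email address")
    if len(password) < MIN_PASSWORD_LEN:
        reasons.append(f"password is only {len(password)} character(s)")
    elif len(set(password)) == 1:
        reasons.append("password is one repeated character")
    return reasons


def audit_export(csv_text):
    """Map each suspicious site to its reasons; password values are never echoed."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    email_ids = sum(1 for r in rows if EMAIL_RE.match((r.get("username") or "").strip()))
    # Only treat a non-email ID as odd when most stored IDs are email addresses.
    expect_email = bool(rows) and email_ids * 2 > len(rows)
    findings = {}
    for r in rows:
        reasons = audit_entry(r.get("username") or "", r.get("password") or "", expect_email)
        if reasons:
            findings[r.get("site") or "(no site)"] = reasons
    return findings


if __name__ == "__main__":
    for site, reasons in audit_export(SAMPLE_EXPORT).items():
        print(f"{site}: {'; '.join(reasons)}")
```

The report names only the site and the reason, so it can be kept or shared without exposing the stored passwords; the export file itself is plaintext and should be deleted once checked.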

Re: I THINK MY IDENTITY SAFE HAS BEEN COMPROMISED

Two days ago, I received an email at my old address from Argos, a retailer. I logged into their site, changed my email address and password and everything seemed fine. I was prompted by the Vault "do you want to save these new details" to which I clicked Yes.

I've had another email from them today, again to my old email address. The Vault wouldn't sign me in - when I checked there, my password was twelve of these *. (Sorry - I don't know the plural of asterisk.)

I've just changed it to a proper password.

Clearly this is an issue within the Identity Safe/Vault - not the retailers. One more problem.

Win10 Home v1803 build 17134.345/HP envy/EDGE (rubbish)/IE11 (RIP)11.285.17134.0/ OFFICE 365 Home Personal/Norton Security
