It's scary how dependent I've become on technology & infrastructure. Let's both try to do a few things in 2023 to make ourselves less dependent so we can survive it all suddenly disappearing. We don't have to be a full-blown prepper but let's make sure we have the basics 🙏
The recent @LastPass hack has really opened my eyes. I learned a hard lesson watching someone I don't know from a country I've never been to lock me out of my money, ability to work, investments, communication in just a few moments & I felt completely powerless to do anything.
What happens when you try to buy food or medicine and get arrested for fake ID & identity theft when you're the real person? What if you can't get into your own home because your biometric lock says 'no'? We're becoming way too dependent on technology that is very vulnerable.
I think it's important that we all make sure we have physical access to enough resources 24/7 to survive breaches in this infrastructure allowing us time to recover. Also make sure you have access to physical documents like ID, SS card, birth certificate, etc. It's critical!
When you get hacked and have your identity stolen & get locked out of everything, your only chance at getting it back is to prove that you're the true owner of everything that was taken. That's harder than you think if the hack is thorough and involves identity theft.
This hack has been an expensive lesson but a very informative one that I hope to spin into a positive helping others avoid this type of thing or recover from it as quickly as possible if it happens to them. I got complacent thinking I was secure & realized quickly that nobody is.
So, do me a favor and make sure you always have access to some physical cash, physical offline ID documents, food, water, medication & other essentials you can't easily do without for at least a week. Also, don't place your security in the hands of others like password managers.
I trusted @GoTo @LastPass when they said their encryption couldn't be broken & their 2FA authentication would prevent anyone from accessing my data without a master password, biometrics or physical access to my smart phone. Big surprise, they lied 🤦‍♂️
The truth is none of these companies can make any such guarantees since nobody at the company knows every single line of code in the product or every single log & database entry created by their software directly or indirectly. All it takes is one oversight or screw up & boom 🤯
No matter how much encryption they use, if the password or something that bypasses it exists in any way, shape or form, it's just a matter of time before a hacker gains access to it through social engineering or exploiting flaws in code & now they have everything you put in there.
LastPass for instance has "Secure Storage" for your Social Security #, Drivers License, Credit Cards, Bank Information, etc. Basically, everything someone needs to become you or take everything away from you. Unfortunately, LastPass leaked the database so 2FA couldn't protect me!
And not only did they leak the database, but they also leaked password hashes, salts, source, personal information, source code, encryption keys, etc. And truth is they are still finding new stuff the attackers got only after they used it to hurt people like me & that sucks!
This attack could have happened to any other password manager though, since it was ultimately human error that led to the escalation of access from the attacker, and they looted everything before they even noticed they were breached. That's how it usually happens, stealthy.
LastPass honestly didn't even know they were breached until they found their own data on the Dark Web, which is crazy. How many other people are running around collecting data that haven't tipped off the companies yet? Remember the SolarWinds attack? What about back doors? 🤔
The only thing that can improve your security is not trusting anyone else with it. Use different usernames & passwords on every site. Make sure you never keep around 2FA backup keys or TOTP pass phrases. Print them on paper & store them securely & never entrust password managers!
Also make sure that every single email account you own has 2FA configured, using an alternate email address for password recovery that isn't known publicly, with a different password and different 2FA auth. This ensures if it does get hacked you can get it back quickly!
The truth is you can't guarantee you won't get hacked. But you can make it so damn difficult that it's not worth the hacker's time, and in the event it is worth their time you can make it possible for you to recover the account quickly from them. Also, don't store ID info online!
I made the mistake of trusting @LastPass and put everything in there & the attackers got it all. I never so much as got a single SMS message with a 2FA attempt to enter my account because they utilized leaked 2FA recovery keys stored in the leaked LastPass database. 🥷
Also, to add insult to injury, they managed to lock me out of LastPass so I couldn't even get in, because the 2FA backup code they used allowed them to do it silently without me being contacted. They wanted to ensure I couldn't use it to try & login while they plundered.
It was only dumb luck that I had biometrics enabled on my iPhone LastPass app and it was still trusted so I was able to login with my face. That allowed me to lock them out and spin the LastPass 2FA keys so I could start going through & changing passwords as quickly as I could.
Also, during this whole thing @LastPass was ignoring my requests to lock down the account via DM on Twitter which was very frustrating to say the least. Had I not got control of that account back I wouldn't have been able to login to anything else to recover & change creds.
I felt so powerless seeing an Elon Musk crypto scam live stream running on my YouTube channel to my 840k subscribers & I had no way to reach them. It was one of the worst feelings I've ever had. I had to frantically work to get my own channel flagged into the dirt on Twitter.
And the only reason I had Twitter access still was because I never put the 2FA backup codes in LastPass for Twitter so they couldn't bypass 2FA but they didn't attempt to try and change the password unsuccessfully. Had I lost Twitter I couldn't have reached anyone about the hack.
Ultimately, I had to use Twitter to get @TeamYouTube to notice what was going down & work with them to get my email back after 2 days & get back most of my YouTube channel in 7 days but it took literally days to get the videos set public again and deal with bugs & fallout.
If you made it this far reading this massive thread, I want your takeaway to be that you should never place convenience over security. Also, never leave your wallet next to your car keys. Spread out your security & make it difficult for a hacker to get in or stay in 🙏 #Security
If you want extra credit, DM the person they claim will help you recover your account & mess with them while also reporting that account 😎 If you get that boss account deleted then all the past bot tweets are invalid & they lose touch with all current victims! 👍 #ScamBait
If you end up getting a scammer to engage, please screenshot it & tag me 🙏 I want to start showing people how angry these scammers get so hopefully they will also get involved in #ScamBaiting to turn an attempt to victimize someone into entertainment for the masses 🍿 #Scammers
