Account Hacked - Money Stolen

trevordaniel2
Active

Hello,

 

I would like to share my recent experience and hopefully get some views on how it happened.

 

So, here's the story...

 

It first showed up when I could not log into the Upwork website. It kept telling me that either my username or password was incorrect.

 

I then attempted to get a password reminder and it tells me that my username was not found.

 

I then attempted to log a problem but could not because I wasn't able to log in....

 

I then contacted Upwork via the "anonymous" contact system. I wrote a detailed explanation and sent it off...

 

I had no confirmation of the problem being received or acknowledged.

 

The next day I attempted to open another "anonymous" ticket... again it was sent and I received no acknowledgement or response.

 

I then decided to tweet to @UpworkHelp... with no response for 8 hours....

 

I then decided to phone Upwork in Los Angeles from here in the UK....

 

So, this is where it all gets scary....

 

The lady I spoke to at Upwork tried to confirm my email address and said that it was incorrect.... She asked some other identification questions and was happy I was genuine...

 

So, somebody had gained access to my account and changed the email address..

 

I received NO notification from Upwork saying my email had changed....

 

It was decided at this point that my account had been hacked and it was escalated to the Account Security team...

 

I was then contacted by a very helpful chap from the Account Security team and he informed me that an additional payment method had been added to my account and $909 taken.

 

I had no notification from Upwork that the additional payment method had been added.

 

I had no notification that a withdrawal had been made..

 

I have no idea how they managed to add another payment method without knowing the answer to my "secret question"....

 

I am completely confused how this has managed to happen and quite annoyed to lose $900!

 

I am also very worried that it might be possible for this to happen again!

 

How did this manage to happen without me knowing anything about it????

 

Can anyone suggest how this hacker managed to do it?

 

Trev

46 REPLIES 46
setumonroe
Community Guru
Sorry to hear all of that Trevor.

What was the solution that was offered? If any.
---- easy like Sunday morning ----

The solution was that the guy from the Account Security team helped me take back control of my account...

 

He said that as the hacker had changed my email address I would not have received any notifications...

 

They attempted to recall the payment that was made to the hacker on a "Payoneer" account and they recovered $11.29

 

Trev

This happened before and will continue to happen as long as Upwork doesn't implement two step authentication.

 

And I seriously doubt they will.

-----------
"Where darkness shines like dazzling light"   —William Ashbless

Agreed....

 

I am scared how easily it happened and at a loss as to how to stop it happening again!

 

Trev

The cause was probably phishing. Maybe a Word or Excel document with macros, or a link to a lookalike web page where you innocently entered your Upwork credentials, ...

-----------
"Where darkness shines like dazzling light"   —William Ashbless

I'm not an expert but I tend to agree with this.  I have two step authentication on my Blizz account (because people want to steal my l33t account) and on my bank and credit card accounts.  

 

While good computer hygiene is important and ultimately our responsibility, 2-step authentication is just another layer of protection that can be really valuable.


@Rene K wrote:

This happened before and will continue to happen as long as Upwork doesn't implement two step authentication.

 

And I seriously doubt they will.


 

lysis10
Community Guru

I keep reading these stories that no additional payment method emails were sent out, but I think people just aren't paying attention. I added a PayPal account to my account and I got an email like 3 minutes later.


@Jennifer M wrote:

I keep reading these stories that no additional payment method emails were sent out, but I think people just aren't paying attention. I added a PayPal account to my account and I got an email like 3 minutes later.


On the email address registered with Upwork I guess.

 

You see the flaw now? 

-----------
"Where darkness shines like dazzling light"   —William Ashbless

@Rene K wrote:

On the email address registered with Upwork I guess.

 

You see the flaw now? 


 So I take it there is no confirmation of an email change? I have no idea cuz I ain't nevah been hacked.

 

That sucks if there is none. Them phishers are good.

They change the email first and then add the new payment method so that the notification goes to the new email. 

"Fairness is giving all people the treatment they earn and deserve. It doesn't mean treating everyone alike-Coach John Wooden"
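The sequence described in the reply above (email changed first, then a new payment method, then a withdrawal) can be checked for in account audit data. The following is an added example, not part of the original thread and not Upwork's code; the event names, the 72-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # assumed review window; tune per platform

# Constructed audit events: (account, timestamp, action). Not real platform logs.
SAMPLE_EVENTS = [
    ("acct-A", "2020-01-06T09:00:00", "login"),
    ("acct-A", "2020-01-06T09:04:00", "email_changed"),
    ("acct-A", "2020-01-06T09:10:00", "payment_method_added"),
    ("acct-A", "2020-01-06T09:30:00", "withdrawal"),
    ("acct-B", "2020-01-02T12:00:00", "email_changed"),
    ("acct-B", "2020-01-20T12:00:00", "payment_method_added"),  # outside window
    ("acct-B", "2020-01-20T13:00:00", "withdrawal"),
    ("acct-C", "2020-01-03T08:00:00", "payment_method_added"),  # no email change
    ("acct-C", "2020-01-03T08:30:00", "withdrawal"),
    ("acct-D", "2020-01-04T10:00:00", "email_changed"),
    ("acct-D", "2020-01-04T11:00:00", "payment_method_added"),
]


def find_takeover_chains(events, window=WINDOW):
    """Return {account: stage}, where stage says how far the chain got:
    'method_added' (email change, then new payment method) or
    'withdrawal' (the same chain followed by money leaving the account)."""
    state = {}   # account -> (time of email change, time of method add or None)
    alerts = {}
    # ISO 8601 timestamps sort correctly as plain strings.
    for account, ts, action in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        changed, added = state.get(account, (None, None))
        if action == "email_changed":
            state[account] = (when, None)
        elif action == "payment_method_added":
            if changed and when - changed <= window:
                state[account] = (changed, when)
                alerts.setdefault(account, "method_added")
        elif action == "withdrawal":
            if added and when - changed <= window:
                alerts[account] = "withdrawal"
    return alerts


if __name__ == "__main__":
    for account, stage in find_takeover_chains(SAMPLE_EVENTS).items():
        print(account, stage)
```

An account at the `method_added` stage is the one worth holding for review, since the withdrawal has not happened yet.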
vladag
Community Manager

Hi Trevor,

 

I'm sorry your account was compromised and understand your frustration. I see our team helped you regain access to your account and blocked the account as soon as you alerted them.

 

Regarding your tickets, I see you received a reply on the first ticket you submitted on Monday regarding the problem with accessing your account, 2.5 hours after submitting the request. Unfortunately you didn't follow up on our agent's message.

 

Our agent followed up on your second ticket and took action within an hour after the ticket was created, and responded on your ticket an hour afterwards.

 

Please check the security notification our team sent you on September 9 and follow up on your ticket if you have any questions.


@Vladimir G wrote:

Hi Trevor,

 

I'm sorry your account was compromised and understand your frustration. I see our team helped you regain access to your account and blocked the account as soon as you alerted them.

 

Regarding your tickets, I see you received a reply on the first ticket you submitted on Monday regarding the problem with accessing your account, 2.5 hours after submitting the request. Unfortunately you didn't follow up on our agent's message.

 

Our agent followed up on your second ticket and took action within an hour after the ticket was created, and responded on your ticket an hour afterwards.

 

Please check the security notification our team sent you on September 9 and follow up on your ticket if you have any questions.


May I add something? I never get an email when I open a ticket with CS and CS responds to me. All communication with CS happens in my account and no email is sent to my external email address. So, when he was not able to log into his account, he could not see the message CS sent to him. Or alternatively, the email was sent to the person who stole the money.

Hi Margarete,

 

The request wasn't submitted from the account and the user should have received the message on the email address they entered in the form. 

atifaimran
Community Leader

What is the solution to this issue?

suzedablooze
Ace Contributor

I am part of a design team that works on consumer identity systems. Some of the fundamentals of such systems, to avoid phishing and the like include:

 

1. Second factor - although unless implemented correctly this can also be hacked.

2. Well built and timely communication with clients, such as alerting them to password changes, or even email changes, using an SMS text, for example. Of course SMS texts cost the host company money to send...

3. Robust account recovery systems which, again, use out-of-band methodologies to recover credentials and alert users to credential recovery attempts, even giving the user the IP address used to attempt recovery / changes to account credentials.

4. Using other risk-based authentication measures, which are user led, for example, setting of geographic location for access.

 

It seems Upwork are lax in some of the above requirements. And when there is money, sometimes large amounts at stake, it isn't really very good. 

Fear of this is why I remove money from my account when it's there.

g_holstein
Community Leader

Wouldn't it be easy to implement sending an email confirmation of change of email address with an option to reject this change to the old email too as a standard procedure?

This way the hacked user would have an early clue that he has been hacked and a means to prevent further damage and alert the upwork security team. 
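One way the old-address confirmation with a reject option could be built, shown as an added example that is not part of the original thread and not Upwork's code. It goes one step beyond the proposal by holding the change for a period so that a rejection can still take effect; the 48-hour hold, the account dictionary layout and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (generated here for the demo)
HOLD_SECONDS = 48 * 3600              # assumed hold before a change takes effect


def _token(account_id, new_email, requested_at):
    # The token is bound to this exact request, so it cannot cancel a different one.
    msg = f"{account_id}|{new_email}|{requested_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(account, new_email, now):
    """Stage the change and return the mails to send as (recipient, body)."""
    account["pending"] = {"new_email": new_email, "requested_at": now}
    token = _token(account["id"], new_email, now)
    return [
        (account["email"], f"Email change requested. Not you? Reject with token {token}"),
        (new_email, "This address will replace the current one after the hold period."),
    ]


def reject_email_change(account, token):
    """The old-address holder cancels the change; the account is locked for review."""
    pending = account.get("pending")
    if not pending:
        return False
    expected = _token(account["id"], pending["new_email"], pending["requested_at"])
    if not hmac.compare_digest(expected, token):  # constant-time comparison
        return False
    account["pending"] = None
    account["locked"] = True
    return True


def apply_due_change(account, now):
    """Commit the staged address only once the hold has elapsed without a rejection."""
    pending = account.get("pending")
    if pending and not account.get("locked") and now - pending["requested_at"] >= HOLD_SECONDS:
        account["email"], account["pending"] = pending["new_email"], None
        return True
    return False


def notification_address(account):
    """During the hold, security notices still go to the address on file."""
    return account["email"]
```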


@Gerald H wrote:

Wouldn't it be easy to implement sending an email confirmation of change of email address with an option to reject this change to the old email too as a standard procedure?

This way the hacked user would have an early clue that he has been hacked and a means to prevent further damage and alert the upwork security team. 


While it may sound like a good idea, it won't prevent this from happening. You'll just be informed early that your money was stolen.

 

The only sound decision is to implement the support of a solution like Google Authenticator. This has the advantage that nobody can log into your account even if they have your password.

-----------
"Where darkness shines like dazzling light"   —William Ashbless

@Rene K wrote:

@Gerald H wrote:

Wouldn't it be easy to implement sending an email confirmation of change of email address with an option to reject this change to the old email too as a standard procedure?

This way the hacked user would have an early clue that he has been hacked and a means to prevent further damage and alert the upwork security team. 


While it may sound like a good idea, it won't prevent this from happening. You'll just be informed early that your money was stolen.

 

The only sound decision is to implement the support of a solution like Google Authenticator. This has the advantage that nobody can log into your account even if they have your password.


I'm a tech idiot, so apologies if this is a stupid question. How do these hackers obtain passwords and email addresses, even with Upwork's current system? 
