Is someone trying to steal my identity?

atprice

Earlier this week I had a notification from Gumtree thanking me for my advert that I placed to sell a motorhome. I don't own a motorhome and I didn't place the advert. I contacted Gumtree who said that it looks like somebody had fraudulently accessed my account and placed the advert. They were adamant that I must have given somebody the password or account details from phishing via text or email. I know for a fact that I haven't given those details out to anybody and when I suggested that maybe the information had come from them, either directly or indirectly, I was very quickly shot down.

Then today I went to log into my email and there was a note on there that said I'd already tried three times to unsuccessfully access it and that I would have to try again in 15 minutes. I contacted the email provider Yahoo and asked them how many times someone has tried to access my account today but they said they couldn't tell me. They did however unlock my account so that I could get back in.

Gumtree have suspended my account which is absolutely fine and I've also change my password on both my email and Gumtree just in case. To me it sounds like somebody is trying their luck trying to get into various accounts but does anyone else have any experience of this?

forgotmyname

Sounds like your gumtree password was too easy and they probably tried the same password on various email accounts and maybe even your banking to see if you use the same password elsewhere.

Make your passwords stronger and add 2 factor if possible.

[Deleted User]

Quite simply, change all your password and don’t mke any of them the same of similar

Nasqueron

Better, stronger password and don't write it down

atprice

I thought my password was a good one tbh. Have changed any that may have been the same or similar so hopefully that will be the end end of it. Thanks all.

kuratowski

Check "have I been pwned" (google this phrase)

atprice

I'm actually signed up for notifications but haven't had anything. Found 3 other sites they've tried to get into

Nasqueron

atprice wrote: »

I thought my password was a good one tbh. Have changed any that may have been the same or similar so hopefully that will be the end end of it. Thanks all.

https://howsecureismypassword.net/


Notice the difference between something as simple as adding a capital and a number or punctuation or making it longer


e.g. say your password is banana


It can be cracked instantly


Banana19 takes 2 hours
Banana19! takes 4 weeks


Even bananabanana takes 4 weeks
BananaBanana takes 300 years!

forgotmyname

You need better password software or a better PC, BananaBanana took
3m 12s

Nasqueron

forgotmyname wrote: »

You need better password software or a better PC, BananaBanana took
3m 12s

Just based on the site I linked above.



Longer the password the longer it takes to brute force it but hey, it's still better than password and not something people are going to guess, would require dedicated attempts which would lock out any half decent page


https://www.my1login.com/resources/password-strength-test/ says a password I tested is 13 years, the one I tested before says 41 trillion years

PRAISETHESUN

@OP, doesn't sound like they are trying to steal your identity per se, just access your accounts with hacked user credentials. As you've already mentioned, they have tried using the same username/password combination on a number of sites with a bit of success, which is why you should avoid having the same password for everything no matter how good you think your password is. That said, if any of your accounts have personal information attached (eg. names, date of births, card/bank account numbers or billing addresses) then you need to be careful if these get compromised as this information could be used to fraudulently to effectively steal your identity - I'd probably just keep a closer eye on your credit reports and bank accounts just in case someone tries to open an account in your name without your knowledge - unlikely to happen, but not impossible.

I'd be changing your passwords for everything, and have something unique for every site. Even if you have to keep the same root password and append them with something memorable for each site (eg. Str0ngpassword_MSE, STr0ngpassword_facebook, etc) that's still better than having everything the same such that everything is compromised when one password is exposed.

EDIT: also consider activating two factor authentication (2FA) where possible as this significantly limits the ability for someone to hack your account without your knowledge - it works on the principle of having 2 out of 3 of "something you know" (password), "something you have" (eg. phone, security dongle) and "something you are" (eg. fingerprint, iris print, etc). It's a pain in the butt at first, but it's well worth the effort.