
Microsoft PC hacked with just victim's phone number


    Traditional media can sometimes put out good PSAs.


    The victim here had a laptop with a Microsoft sign-in (he used his Hotmail address to sign in), and the hacker used only his phone number to access his PC.


    In Canada you can request that your mobile number be ported to another carrier, so if your current carrier does something you don't like, you can easily take your device and its phone number to another carrier.


    In this case it proved to be a vulnerability:


    [His number had been]


    It had been fraudulently "ported" — transferred from his Rogers account to a Bell prepaid customer. The fraudster then seems to have used a password retrieval process involving text message verification to gain access to Baran-Chong's Microsoft account, tied to his computer's operating system and a cloud-based file backup service.

    (Rogers and Bell are Canadian mobile phone providers)


    Because the victim used a Microsoft Account to sign in to his computer and used cloud services to store all his information, the hacker was able to gain access to his personal data and attempt to extort him with images he had with intimate partners:



    the fraudster threatened to take the attack a step further: send two bitcoins (about $25,000 at the time) "or I'm dropping your sex tapes to all of your coworkers, investors and relatives."

    He used cloud services:


    Baran-Chong had several years' worth of photos and videos saved in his cloud account. Among them were clips of him engaging in sex acts with women. (He says the sex was consensual and the women involved have been told of the breach.)


    If he used Remote Desktop or another remote-access service such as TeamViewer, or if the hacker could figure out where he was, there is also the possibility that the hacker could have had remote access to his internal network. Since the hacker had his computer password, they could easily have connected directly to his computer if they were able to figure out which IP address the victim was using, which is not all that difficult.


    See the full story here:


    Do not:

    - Use your phone or email address as the sole form of 2-factor authentication

    - Use a Microsoft Account to log in to your PC; use a 'local account' instead (a Microsoft Account also makes it easier for Microsoft to track you and exposes your data to being hacked)

    - Use cloud accounts to store sensitive information or media.

    - Use weak passwords



    Do:

    - Use a third-party authentication app like Authy or another compatible service

    - Use a U2F USB key to authenticate to your services, in addition to a strong password.
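
One way to check a Windows PC for the conditions this post warns about, as an added example that is not part of the original post: it lists enabled accounts that sign in with a Microsoft Account and reports whether Remote Desktop or a TeamViewer service is active. The `TeamViewer*` service-name pattern is an assumption; adjust it for the remote-access tools you actually use.

```powershell
# Added example (read-only audit). Run on the PC being checked, Windows 10 or later.

# 1. Enabled accounts and where their credentials come from.
#    PrincipalSource is 'MicrosoftAccount' for accounts tied to an online Microsoft login
#    and 'Local' for local accounts.
$accounts = Get-LocalUser | Where-Object Enabled |
    Select-Object Name, PrincipalSource, PasswordLastSet
$msa = @($accounts | Where-Object { $_.PrincipalSource -eq 'MicrosoftAccount' })

# 2. Remote Desktop: fDenyTSConnections = 0 means inbound RDP connections are allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 3. Running remote-access services. The name pattern is an assumption; extend as needed.
$remoteSvc = @(Get-Service -Name 'TeamViewer*' -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Running')

# Summary object so the result can be logged or compared across machines.
$report = [pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    MicrosoftAccountUsers = ($msa.Name -join ', ')
    RdpEnabled            = $rdpEnabled
    RemoteAccessServices  = ($remoteSvc.Name -join ', ')
}
$report | Format-List

# Flag the combination described in the post: the PC password is an online account
# password, and a remote-access path to the machine is switched on.
if ($msa.Count -gt 0) {
    Write-Warning "Sign-in uses a Microsoft Account: $($msa.Name -join ', ')"
}
if ($msa.Count -gt 0 -and ($rdpEnabled -or $remoteSvc.Count -gt 0)) {
    Write-Warning 'Remote access is enabled while sign-in depends on an online account.'
}
```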


