i mean that as in, being able to enter my accounts without even using my password or without installing any virus in my computer. thank you!!
It somewhat depends on what kind of accounts you mean, and how you define hacking. It’s possible, but here’s the bigger explanation.
Someone who works at Facebook (just an example, could be any company) with the appropriate access could probably look up your account data without using your password or installing a virus. This could be done for legitimate support reasons, or be considered hacking if it’s done against policy.
Someone who hacks a company that you have an account with could potentially get access to the same information again without touching your password or computer. These big leaks happen all the time, they’re the ones you hear about on the news, though they usually don’t get full access to everything. They do not usually get the actual passwords for individual accounts, but could get information like name, birthday, credit card, activity, etc.
There’s also a form of hacking called a Man in the Middle attack, where someone will set up a compromised internet connection (usually wifi) that you then connect to thinking it’s fine. This system can then detect your device connecting to certain companies (again I will use Facebook as an example) and will instead take the authentication piece your phone sends, and itself send the data to Facebook, then get the authorization token from Facebook, and send you a fake one. Then it sits in the middle and everything you do it passes on, so it looks like it’s working fine, but it can also send its own requests.
so do i strengthen my browser and delete the cookies every now and then??
That wouldn’t protect from any of the issues mentioned in that comment.
The first two you can do nothing to prevent.
You can usually avoid MITM attacks by using a VPN anytime you are away from a trusted internet connection.
Also by using HTTPS everywhere and not clicking through warnings about a certificate being invalid.
yes!! that option is ~enabled ~ on my browser!!
HTTPS isn’t secure against MITM attacks. That’s one of the reasons why it’s so nefarious.
Technically it is possible, yes, but this question is both too specific and too vague to give a proper answer, I feel.
A hacker could be exploiting security vulnerabilities in the software/website or employing phishing techniques to trick you into giving access. This way they don’t need a password or virus.
It’s also possible that a chunk of your account data got leaked and they have that data rather than full access.
Is there more context to this story?
yes, there is more context. the original post was talking about services i use, for example, if i used facebook and my browser didn’t delete cookies or history, can it give access to hackers to my account??
Two-factor authentication (2FA) is usually a good thing to enable in order to make it more difficult for an unauthorised person to log in to your account remotely, as they will need that second authentication to be able to log in.
Unless someone has access to your computer, then cookies & history don’t really matter. However, if you log in to Facebook, and then leave your computer open for 10 mins, someone could open up Facebook again and you would likely still be logged in. If that’s a scenario you’re worried about, then you could erase all your browsing session data to ensure that you’re effectively logged out everywhere.
Edit: below 2 links are also good to check if your email and/or your passwords have been leaked as part of a breach. Before using them, I would do a bit of research on the site to make sure you trust it. Always be sceptical with sensitive info!
ok thank you very much!!
History and cookies are not generally a security vulnerability. Cookies can be a vulnerability but only if the hacker gets access to your device somehow, either by stealing it or through a virus for example. You don’t really have to worry about cookies or history for security reasons, only privacy reasons.
Yeah absolutely they can if you’re using poor online security. The most common would be through reused passwords since websites have breaches all the time. This can easily be mitigated with the help of a password manager and 2fa (stick with totp, passkeys and hardware security keys). The second most likely method would be through phishing schemes, where a realistic looking message from a website/app is sent to you and you input your account credentials. AI is also making this much more difficult since realistic sounding voices of loved ones can be used to trick you into sending over your account credentials but that would be more of a targeted attack. You really just need to be aware of what you’re doing, not click on links unless you were expecting them, and double check identifying information from the sender to protect yourself from this. The last method is really a targeted attack and that’s social engineering. This is where a scammer calls in to support pretending to be you, with personal information most likely from online breaches, in hopes of gaining your account credentials. You would just really need to rely on your 2fa and the training of support reps to protect you from this. Mostly common with phone carriers so make sure 2fa is enabled there.
Depends on the type of account, but here are some of the common methods of how this might happen:
- The attacker could be straight up guessing the password. (One possible way to mitigate this: the website can go “wow, 10 failed login attempts from that source. I’m going to ignore all attempts from there for 24 hours.”)
- The attacker could be using previously exposed passwords. (One possible way to mitigate this: The websites should immediately require password reset for all users when that kind of data breach happens. For users: never use the same password for multiple different services, certainly never reuse a compromised password even if it’s for a different service. Also: haveibeenpwned.com)
- The attacker, currently using the same network, could hijack the session. (This was a really huge problem back in the day. In this day and age, websites should be using HTTPS, which limits this very much. Still possible if the site doesn’t use HTTPS, and through some other vectors, e.g. malware or hijacked network hardware).
Also: Malware is a really scary big problem in that they’re rarely targeting you specifically. Why do that, when they can target a million people at the same time and sift through that stolen data for most valuable stuff, right?
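The lockout rule from the first bullet above ("10 failed login attempts from that source ... ignore all attempts from there for 24 hours"), sketched as server-side logic. This is an added example, not code from the thread; the `LoginThrottle` class, the 15-minute counting window and the `verify` callback are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 10            # threshold quoted in the comment above
LOCKOUT_SECONDS = 24 * 3600  # "ignore all attempts from there for 24 hours"
WINDOW_SECONDS = 15 * 60     # assumption: only failures within 15 minutes count


class LoginThrottle:
    """Counts failed logins per source and ignores a source after too many."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable so time can be simulated
        self._failures = defaultdict(deque)  # source -> timestamps of recent failures
        self._blocked_until = {}             # source -> time at which the block ends

    def is_blocked(self, source):
        until = self._blocked_until.get(source)
        if until is None:
            return False
        if self._clock() >= until:           # block has expired, forget it
            del self._blocked_until[source]
            return False
        return True

    def attempt(self, source, verify):
        """Handle one login attempt; verify() returns True for a correct password."""
        if self.is_blocked(source):
            return "blocked"                 # credentials are not even checked
        if verify():
            self._failures.pop(source, None)
            return "ok"
        now = self._clock()
        recent = self._failures[source]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            self._blocked_until[source] = now + LOCKOUT_SECONDS
            del self._failures[source]
        return "failed"
```

While a source is blocked, even a correct guess gets "blocked", which is what makes guessing unproductive. A per-source counter alone does not cover guesses spread across many sources, so sites usually also count failures per account.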
but if i type my email into haveibeenpwned.com, the owners of the website will see my email and could try to pawn it? i’m sorry, but that is a concern i have.
Email addresses are pretty much public, you give it out to people all the time. It’s no different to giving your physical address, it allows someone to link you to a location, but your house is there anyway if someone walks down the road and wants to break in.
Yes
Unless you’re talking about local accounts, remote accounts are inherently remote by definition and additional attack vectors apply.
Yes - “session hijacking”
Session jacking usually requires a virus of some sort. They need local access to the computer at a minimum.
Eh, compromising the website in some way with XSS can retrieve this information also.
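The two routes to a stolen session mentioned in this thread, reading the cookie off the network and reading it through XSS, are each narrowed by an attribute the website sets on its session cookie. The check below is an added example, not something posted by a participant; the cookie name `session` and the sample header values are constructed.

```python
# Constructed sample Set-Cookie values; "session" as the login cookie name is an assumption.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]

# Why each attribute matters for the attacks discussed in this thread.
REASONS = {
    "Secure": "without it the cookie is also sent over plain HTTP, where the network can read it",
    "HttpOnly": "without it page JavaScript can read the cookie, so an XSS bug can copy it",
    "SameSite": "without it the browser's default cross-site policy applies; set Lax or Strict",
}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(headers, session_cookie_names):
    """Return [(cookie name, [missing attributes])] for session cookies only."""
    report = []
    for value in headers:
        name, attrs = parse_set_cookie(value)
        if name not in session_cookie_names:
            continue  # preference cookies do not grant account access
        missing = [flag for flag in REASONS if flag.lower() not in attrs]
        report.append((name, missing))
    return report


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS, {"session"}):
        print(name, "OK" if not missing else "missing: " + ", ".join(missing))
        for flag in missing:
            print("  -", flag + ":", REASONS[flag])
```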
Sketchy browser plugins have been a popular method recently.
That would be considered a virus.
It would be considered malware but not technically a virus.
Most people consider any sort of “thing installed or running on my computer against my knowledge doing bad stuff” to be a virus.
That’s why the OP said “installing any virus in my computer”
how can i avoid that to happen?? do i delete cookies and history every time i leave my browser?? thank you!!
Make sure you keep your software (operating system, browser etc) up to date and don’t install sketchy software.
Install a reputable ad blocker on your browser as that can help.
ok thank you!! i only install open source software or software that is known to be secure.
There’s always packet sniffing but the person would have to have access to the network
I heard about a dude who can enter anyone’s Discord in minutes. This information jumped 3 times until getting to me basically. So idk how true it is.
Yeah, I am very well good in accessing accounts mostly social media accounts although there are different methods we work with in regards to access an account, it all depends on how tight the security is.
I won’t ask to teach me, ’cause why would you. But can I ask where do you learn these skills? You’re the 3rd guy I know that exists and can do this.