On Getting Hacked

by ahmetomer on 1/5/2026, 12:26 PM with 73 comments

by morgan814 on 1/9/2026, 6:07 AM

Not all too long ago I had someone port out my VOIP number. They had it for a few hours. This was after I had spent extensive effort attempting to secure my digital life. VOIP was SIM-swap resistant sure, but I totally missed that port out requests default to failing open.

Thankfully the VOIP operator alerted me and pulled the number back. Then I set a port out code.

Who knows how many other holes I have. I lost my sense of smugness that day.

by branon on 1/9/2026, 4:14 PM

Very well-written, thanks for sharing. Stories like this are important!

> I went on looking for one of those browser extensions that made it easier to read. [...] I had to find the perfect one, with the cleanest user interface, the best features, the most convenient, across all cases and needs.

Examining the supply chain of those extensions and whether they were open-source and reputable should have been part of the evaluation process!

Also surely there is no reason to install any "dark reader" extension aside from the canonical Dark Reader...? https://github.com/darkreader/darkreader I thought this one was very well-known. I still wouldn't recommend _using_ it, you remain at risk of upstream's supply chain being compromised, but it's at least not malicious by default.

Firefox has dark mode built into its reader view feature which works on most websites, I'd imagine Chrome can do something similar. I greatly prefer and recommend this over installing an extension.

by pamcake on 1/9/2026, 6:21 AM

Had a close call:

Apparently it's possible to bypass 2FA and do a password reset of a Google account without email access, if the account owner doesn't abort it within 30 days. I confirmed that it works by "pwning myself" afterwards. So keep an eye on your old Gmail inbox if it matters.

by cagz on 1/9/2026, 10:50 AM

Great article on reminding the risks of browser extensions. They literally have access to everything within the browser window, from usernames and passwords to bank account details.

Funnily, I was always tempted by extensions that offer dark mode for webpages but never dared to install one.

I do use extensions, but only if they are from well known, respected organisations.

The author was lucky that it was only a few compromised social media accounts. It could easily be an empty bank account or stolen identity instead.

by keysersoze33 on 1/9/2026, 8:48 AM

Sadly the blogpost fails to mention which browser extension was the malicious one that compromised his session tokens.

While quite technical users (à la this community and devs in general) would be able to inspect the source code of browser extensions to do an audit, most of us don't have time for this, and we just have to rely on the browser add-on number of downloads & reviews as a poor indicator.

It would be really useful to know how this particular extension was rated
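Added example, not part of any comment in this thread and not code from the linked article: a first-pass look at what an extension's manifest.json requests, as a cheaper signal than download counts when a full source audit is not feasible. The `BROAD_HOSTS` and `SENSITIVE_APIS` lists and the risk labels are this example's own choices, and both manifests are constructed samples.

```javascript
// Match patterns that grant access to every site (Chrome/Firefox manifest syntax).
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Short, non-exhaustive list chosen for this example.
const SENSITIVE_APIS = new Set(["cookies", "webRequest", "debugger", "history", "tabs", "scripting"]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const hosts = [...perms.filter(isHostPattern), ...(manifest.host_permissions || [])];

  for (const h of hosts) {
    if (BROAD_HOSTS.has(h)) findings.push(`host access to every site: ${h}`);
  }
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).some((m) => BROAD_HOSTS.has(m));
    if (broad) findings.push(`content script on every page: ${(cs.js || []).join(", ")}`);
  }
  const allSites = findings.length > 0;
  for (const p of perms) {
    if (SENSITIVE_APIS.has(p)) findings.push(`sensitive API: ${p}`);
  }
  // "high" = can read or modify every page; "medium" = sensitive API only.
  const risk = allSites ? "high" : findings.length ? "medium" : "low";
  return { risk, findings };
}

// Constructed sample manifests (not taken from any real extension).
const darkThemeSample = {
  manifest_version: 3,
  name: "Example Dark Theme",
  permissions: ["storage", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
const narrowSample = {
  manifest_version: 3,
  name: "Example Site Helper",
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://example.com/*"],
};

for (const m of [darkThemeSample, narrowSample]) {
  const { risk, findings } = auditManifest(m);
  console.log(`${m.name}: ${risk}`, findings);
}
```

Any extension that restyles pages needs all-sites access, so "high" here means the code and its publisher deserve scrutiny, not that the extension is malicious. A restyling extension has no obvious need for `cookies`, which is the kind of mismatch this check surfaces.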

by makach on 1/9/2026, 5:37 AM

It is a humbling experience the moment when you accept that getting hacked is something that can happen to anyone, including the best of us. No one is too good not to be hacked.

by akersten on 1/9/2026, 6:04 AM

> open their password manager which also might need you to authenticate, type in their master password, search for the name of the said website, copy the password, paste it in

This is one way to guarantee you'll eventually fall for a phishing attack. Are we really running URL-unaware password managers in the year 2026?

by mc3301 on 1/9/2026, 5:56 AM

What was the Chrome extension?

by JosephusAMiller on 1/9/2026, 6:16 AM

In the moment, it doesn't feel off, that's the most disconcerting aspect. It's the things that don't seem so critical or important that get you as well. Registration on a random site, and for a temporary reason was what got me once. In this case the browser extension seemed almost like an afterthought at the time for the author.

by SeanAnderson on 1/9/2026, 6:51 AM

I got hacked late last year. It sucked. Do not recommend.

I'm not going to blog about it, but will at least share how I messed up. Maybe it'll help someone else.

I was phished through Discord. A CEO that I was friends with was phished prior to me and I let my guard down when someone I put on a pedestal reached out to me. The hacker asked me to review a video game prototype they'd been tinkering with in their spare time (the CEO worked in the video game industry) and they came to me because they knew I'd give them "honest feedback." The game's website looked legit enough with AI generated screenshots and boilerplate text.

They also messaged me right around dinner. I had like ten minutes of downtime when the message came in and I immediately shifted to, "Yeah I can bang this request out real quick for a person important to me before dinner arrives." rather than keeping my guard up.

Additionally, I have (or had) two Google accounts. My primary email address is much older and wasn't very business-professional. Over 15 years ago I created a secondary email, that was just my name at gmail, configured it to forward all emails to my first account, and then never logged in to that account again. Naturally, that meant that my primary account had 2FA, but my secondary account did not.

I signed up for Discord using my secondary Google account. So, when I got phished, the hacker assumed that was my primary account and compromised it first.

The way they compromised the account was very quick and efficient. They immediately set parental controls on the account, listed an email address they controlled as the parent, and then changed the account's age to under 13. Those actions 100% lock an account because all account recovery options must be approved by the parent for children under 13.

Surprisingly, I did get a security notification saying that a suspicious session had been started on my primary email account even through 2FA. I (thankfully) managed to kick the hacker out before they were able to do the same to me. I'm not sure how they got access to the second account.

Laughably, the hacker tried to extort me for only $400 and, when they didn't get it, they pivoted to sending threatening texts then moved on to trying to phish others for quick cash.

Thankfully, I didn't lose much. I lost access to my Discord account and to my Google account, but all my Google data was replicated. I lost a full night's sleep resetting all my passwords everywhere. And I still feel a bit violated and think I always will.

It was really interesting being motivated to interface with the security processes of several hundred companies. Shout out to Kraken and Etsy for having the best security procedures.

Anyway. Just wanted to highlight a scenario which happened. I'm in engineering leadership. I've worked on a computer every day for over 20 years. I use KeePass to store my passwords and generally have fine security hygiene. I do my KnowBe4 training modules, lol.

by 3abiton on 1/9/2026, 6:42 AM

> At this point, I am the old lady who is driving to a Target to buy gift cards and give them to Jared, who is the Amazon Customer Support specialist with a suspiciously heavy Indian accent, waiting on the phone.

It happens to all of us. I always tend to make sure any extension has the sources available (unless requested by work/client), but nowadays with open source supply chain attacks, it's just another breakable wall. Even on Linux, some long time ago, I caught a trojan (luckily, to the extent of my knowledge, it didn't affect anything besides running crypto mining on my m3 laptop), disguised as systemd, that was spreading through Kodi extensions.

by Hacker_Yogi on 1/10/2026, 6:47 AM

This is why having 2 browsers is part of good security practice - keep one for important work and the other for regular browsing.

by anonnon on 1/9/2026, 10:43 AM

> TikTok deemed I should not have access to my account ever again, and X (formerly Twitter) is delaying a response to my appeal to the suspension, but I have not much hope; I reckon it's gone for good. I may have lost all the personal contacts and content from there, but on the bright side, that has taught and made me see some other things, besides the importance of being a little smarter to not blindly install extensions like my life depended on it.

Well, losing access to both TikTok and X could be considered a bright side as well. But more seriously, isn't it tragic that you can't just blindly assume any piece of OSS isn't malware, anymore?

by esseph on 1/9/2026, 3:30 PM

The first time I got "hacked" was around 1995.

Someone I trusted at the time sent me a modified Legend of The Red Dragon bbs door game expansion/mod that del C:\

Learned a lot that day.

by close04 on 1/9/2026, 9:05 AM

> but on a universal level, we're missing a cohesive master plan, in which a user, a human, need not undertake endless and repeated manual fend-off of the devil

This is a very good way of stating the problem in terms anyone can relate to.

> I had one brow raised, a little suspicious, but not very much to initiate a full-scale defense

This on the other hand seems overly superficial. You get your eMarketplace account hacked, then your Twitter account, and you're just "a little suspicious"? My eyebrows would raise all the way to the back of my head after this. Not sure I'd know where to start but I'd be very concerned.

> A few days later, the same thing happened with my TikTok and Reddit accounts. I repeated the previous steps now that I had gotten used to them. This time I raised two of my brows with a little more suspicion. Still not quite there, though.

I mean... This is an incredibly high threshold for getting concerned. The kind that lowers the bar to getting hacked.

by Havoc on 1/9/2026, 10:10 AM

Hmm. Maybe I need to install a second browser for sensitive stuff. Or maybe stick that in a vm somehow

by barbs on 1/9/2026, 9:48 AM

Anyone else seeing the blog post briefly before flicking to a 404 page? Safari on iOS 15 here.

by __turbobrew__ on 1/9/2026, 5:44 PM

even installing ublock origin gives me the heebie jeebies when chrome asks me if I want to give the extension access to my full browser data. uBO is the only extension I trust.

by ctg122234578 on 1/9/2026, 1:46 PM

i hacked my computer

by 4ggr0 on 1/9/2026, 10:30 AM

my younger brother called me once, which was unusual, so i immediately answered. he was crying, which was new to me as well, and told me that our mom's laptop he had been using to game on was hacked, and that he was now being extorted live in a discord call.

asked him to shutdown the laptop immediately and add me to the call, to which he replied, "they sent me our postal code and told me if i told anyone or turned the laptop off, they're going to send someone to hurt me."

that's when i realized why he was panicking so much, to me who was 10 years older that was an obvious scare-tactic, he was a young, naive teenager so he was legitimately scared for his life.

was able to calm him down, he added me to the call, and turned the laptop off. i was surprised that the hackers in question were 3-4 french teenagers, incredibly rude and aggressive. they didn't care that they weren't able to ruffle my feathers, they just constantly asked for bitcoins, said they'd hurt our mom etc.

when i refused and just didn't engage they started posting our mom's tax returns and other files from her laptop, that's when i realized that they did indeed exfiltrate data.

immediately packed my bags and took the next train to meet mom and brother. we spent the afternoon rotating e-banking passwords etc.

while doing this, the hackers did try to login to her paypal and they actually got into my netflix account.

turned the wifi off at home to boot the laptop back up, wanted to try to retrace their steps. i did find out what kind of stealer they used and was able to sleaze my way into a secret discord server they used to organize, but it was temporary and they had already left. so i just wiped the laptop and reinstalled windows.

apparently these guys had promised my brother to optimize his PC so that Fortnite would run better, he let them connect via AnyConnect or TeamViewer, don't exactly remember. they did some legit debloating stuff etc., but also let a stealer run in the background. apparently these guys had spent some weeks in the discord server my brother was in to establish trust.

to this day i haven't felt as much rage again. seeing my young brother in such a distressed state, realizing that all of my mom's data, childhood pictures etc. were stolen made me angry to a point i've never felt, i legitimately wanted to find out who these guys were and hurt them as much as i could. of course we all calmed down again and realized there's nothing we could do other than rotate PWs and observe logins.

police said there's nothing they could do (didn't expect it anyways, but worth a try), discord ignored me when i reported the hacker's accounts. typing this out again makes me angry again, interestingly enough. it's been two years, almost forgot that this ever happened.