Why do cats meow? Why do birds fly? Why do hackers break into your account? It’s their nature. Or it’s a hobby. Or they’re just jerks who really want to take advantage of vulnerabilities and security screwups for sport, profit, or a combination of both.
But when you have nothing to offer, why do they still do it? As Lifehacker reader Rachel asks for this week’s Tech 911 Q&A:
Long ago, I used to use the same password for everything, and at some point that password got hacked and exists out in the world tied to my email address. I now use safe passwords and a password manager, but there are some long forgotten sites I haven’t visited in many years where one could theoretically log in with my credentials. Over the past few years, this has happened a few times. People have logged into my account and made a purchase, and it comes to my attention when I receive the confirmation email. Of course I then change the password and cancel the order. The thing is, these people never use my credit card info. I don’t save my credit cards to websites, and even if I did in the past, the credit cards saved to those accounts would be long-expired. Why would someone go through the trouble of using a hacked account to purchase something with their own credit card?
Is a hacked account is better than creating a new one?
That’s a quirky one, Rachel, but I think there’s an easy answer. For starters, I don’t think it matters whether you have any credit card information associated with an account. Once someone has broken in, they can then use that account for all kinds of other nefarious purposes, including looking up other information about you to try and break into other accounts of yours (or reset your passwords, or possibly even social engineer some poor customer service person into letting them in).
As for making a purchase using your old accounts, that’s a bit more peculiar. You would think that an attacker would hop off and go spend their time trying to get into an account that has an active payment mechanism attached to it. That would presumably give an attacker the most bang for their buck. Unless, of course, they’re using stolen credit cards to make a purchase and your account is only helping to disguise it.
Of course, one could also argue that it would be a lot easier to make a dummy account and use a stolen credit card. I suppose it depends how many fake credentials they’d have to enter—including setting up a bogus email address, and possibly even a phone number—as well as whatever kind of checks a service has in place to detect fraudulent accounts. But that’s probably a bit more work than simply getting one’s hands on a working account, especially if an attacker has some batch tool they can use to sort out good logins from expired ones.
If these purchases are physical, I’d be even more curious where they’re going. And you should definitely report them as fraudulent. Don’t let someone who hacked into your account get free stuff.
There’s not much you can do to stop fraudulent purchases of digital goods, save for notifying the place they were purchased from in hopes that the company will cancel them for whoever bought them. That said, I assume said purchases would also be tied to your account in some way, unless the attacker is buying digital gift cards, emailing them to another address, and using them immediately.
Anyway, I’d be shocked—truly—if those breaking into your account are making purchases using their own credit card information. If so, you should feel honored; you’ve officially found the stupidest hackers on the World Wide Web.
This happened to me once, actually, when someone broke into my Chipotle account (of all things) and ordered themselves food—a pick-up order, no less. As soon as I got the receipt in my inbox for a meal that’ll be ready in an hour on a completely different coast from where I live, I promptly rang up that exact Chipotle, cancelled it, and changed my password for the app to something new, unique, and annoyingly long. It felt good knowing that some asshole with my account information was going to have to wait to reorder their burrito bowl (and pay for it using their own credit card).
I wouldn’t sweat your setup too much, except for the fact that these purchases will be tied to dormant accounts of yours. This is an unfortunate byproduct of when one goes years living a less-secure online life—like using the same or similar passwords for multiple sites, for example—only to forget all the sites and services you previously used when you finally start to level up your password game. That, or it’s just something that happens as a result of all the data breaches we’re exposed to on a fairly regular basis.
You could try to hunt down old, active accounts by typing your most commonly used passwords into your email client and see if that pulls up any “account creation” confirmation emails. You could then revisit those accounts and either close them or change the password to something unique. Other than hunting through email, I can’t recommend a good source you can use to look up old accounts; obviously, there isn’t a website where you can just type in a password and see which breached account it’s associated with. (That would be incredibly bad.)
Stay on top of this quirky situation and make sure you’re changing passwords or deleting accounts whenever you’re notified about a purchase you didn’t make. And keep on living a secure life online with strong passwords, two-factor authentication, and not saving your credit card credentials to websites. You’re doing a good job. Don’t get spooked by these ghosts from the past, annoying as they might be.
Do you have a tech question keeping you up at night? Tired of troubleshooting your Windows or Mac? Looking for advice on apps, browser extensions, or utilities to accomplish a particular task? Let us know! Tell us in the comments below or email firstname.lastname@example.org.