Need advice on K9's security

Sorry, I have a story first… Two days ago my Facebook account was hacked into. They changed my name and pic, friended someone (I assume to scrape my data) and then posted something that triggered the algorithms to suspend the account.

I am a tech person and very security cautious. All my PWs are different from one site/app to the next, and I use long PWs with lower/upper/numbers/symbols. I knew there was no way they brute forced their way into this account.

Right before bedtime I got a notice from FB saying a password reset was requested and here’s the code to do it. I did not do this and immediately thought something was up. I deleted the email from my phone, logged into FB on my PC and changed my PW just to be safe and then went to bed. The next day I found that didn’t matter and they got in anyway.

Because I am so cautious with all of this stuff, I figured it wasn’t on FB’s end. I then thought it had to do with my email. I contacted my site’s hosting provider and told them what happened and asked for them to check if any other IP address other than my own accessed the email that night. Yep, someone did, and at all the times I was receiving FB messages about password resets and other stuff while I slept. (so if I had changed my email’s PW at that very beginning of this, all of this would have been prevented, sigh.)

The host also ran a security check and found that there were zero failed login attempts and no security flags were raised on the server end. They believe this came from my phone, meaning an app scraped my email login info off my phone. I use K9 on my phone.

I ran deep malware and antivirus scans and everything came up clean. I am on android and always try to be careful with downloading apps that may be suspicious. I also never download 3rd party apps, only through the Google Play store. I am aware I may have already uninstalled this app within the last couple weeks not realizing what was going on.

So with that said, how would they have been able to access my email credentials on my phone? I have it set in K9 that anytime I want to make any server/pw changes in my accounts it asks for a master password to do it. If it’s a sniffer program, they could have grabbed them when I logged into K9 any number of times during the day, but I assumed all of that was encrypted between the two points?

Any advice on how I can tackle this and prevent this from happening in the future is appreciated. I’m not blaming K9 by the way, I’m just looking for the root cause of how they had access to my email login info on my phone. Thanks for the help!

E

What do you mean by that? K-9 Mail doesn’t support setting a “master password”. Are you sure you’re using an official K-9 Mail build and not some fork?

I always assumed I was using the official one. Been using this for about 10 years now I think. Looking at the app’s settings it says:
Ver 6.4
Authors The K-9 Dog Walkers

I just went through the steps again to be sure… If I click on the “eyeball” icon to see the *** password in the server settings, it asks:

“Verify your identity - unlock to view your password. Enter your current PIN”

And that’s the same pin I use to log into my phone. Maybe it’s a phone thing then? I’m on a Galaxy s21.

I see. Having to authenticate before unmasking the password is a fairly new feature; and not something you can disable. But that’s only relevant if someone physically gets hold of your device and tries to read the password by opening the app and going to the server settings screen.

Android sandboxes apps from each other. So even if you installed some malware, it would have to use an exploit (or your help if you run a rooted device) to be able to access K-9 Mail’s data, including the stored mail server passwords.

K-9 Mail supports connecting to incoming/outgoing mail servers without using transport encryption. However, never automatically. You’d have to manually set “Security” to “None”.
K-9 Mail also allows using untrusted server certificates. However, you’ll have to manually accept it once and then the app will refuse to connect once the certificate changes.
It seems unlikely that you were the victim of a successful man in the middle attack.

Hmmm, well then this is really confusing on how they got in then if they wouldn’t have access to K9’s info. My security for the account is set to SSL/TLS. I never received any notice on PC or on my phone that my mail server’s certificate changed or needed to be updated either.

Do you have any ideas on how I can further pursue this, even if it’s not a K9 specific thing? My hosting company swears up and down that there were no security flags raised on the mail server or other odd behavior. As far as they can see, the hacker waltz right in without an issue.

Because I never use the same PW for everything, it’s unlikely they scraped it off another site I was on. This is really mind boggling how they got in, but I do know they got in through my mail server.

Sorry this happened to you. How long of a password? If words from a dictionary, I’d hope they are at least 16 characters. And unique from all other sites - no reuse/sharing.

It’s pretty hard to get on a mobile device. If your Android isn’t up to date, there may be known exploits that criminals use. You might have a keylogger on your computer and/or browser. You may want to review the apps on your phone. If this is some criminal activity or nation/state, likely they are hiding.

I didn’t hear you say if you used TOTP as a second form of authentication. I’d recommend reading up on this technology and setting it up wherever you can - FB, Gmail, and hopefully your email provider. I also recommend printing out images of the QR codes or the string of characters and keep those in a safe place - backups!

You can even set up 2fa for this forum site!

2fa.directory is a nice collaborative site of other sites that support TOTP

I use a passphrase mixed with numbers, upper/lower case and symbols. If I remember the original PW affected was probably 10-12 characters. It was unique, I never use the same PW from one site to the next, and in this case, this was nothing like any of the ones I use for sites because it was for my email address specifically.

In regards to TOTP, no I don’t use it but will definitely be looking into it. How would you set that up with K9 exactly? Also if I’m using it on K9, would I also have to set it up at home on my PC, where I use a different program?

The more I’m diving into finding the source weak spot that allowed this, the more I’m leaning towards this being a drive by data scraping off of public wifi. I’ve been in and out of various places around town the last couple weeks and I do remember on one occasion I did log into public wifi. I didn’t check my email at that time, but K9 is set to auto retrieve every couple mins so I assume that would be how they got the password.

I’ve spent 3 days now trying to find the source and running scans and other security measures, including recruiting a friend who works in IT security, and so far we’re not finding anything at home on my PC. If it was a drive by scraping that I mentioned above, then that may be my best case scenario because it would lessen the chances of identity theft or them getting into my site and was just some jerk looking to screw with people for fun.

Your use of TLS on your email account should render your public WiFi interception theory impossible.

@linkp Sorry I just now saw this message from you. For some reason I didn’t get an email notification on it.

If it’s not wifi interception, what else could it be then? They only seemed to have targeted my FB account, didn’t go into bank accounts or other sensitive places, etc. I’ve practically torn my phone and PC down to the ground trying to find how they got in and nothing is coming up in either case.

What do you use to store and recall these passwords for your various sites you visit? And anything different used in the past?

@OldieAB I use a pass phrase that has 2-3 extra variables that change out based on the site I’m on. This way I can remember them all in my head without having to write them down or store them anywhere else. So by doing this every site has a unique password. (even my wife doesn’t know my passwords, lol)

Are these passwords predictable if one is discovered?

Arbor Tree site, password might be : lem0nalo3arb

Then Facebook might be : lem0nalo3fac

? If your pattern is similar, this can probably be predicted if one of these passwords gets discovered. If two are discovered in different data losses, and the data between each is joined, it’s a dead ringer for potential prediction.

I’m assuming and making some guesses here, obviously. But the above is a potential scenario.

Have you checked here?

https://haveibeenpwned.com/

@tchara Yeah that was one of the first places I checked after it happened, actually, and none of my emails (especially the one targeted) are on there, so that’s good.

This is why I’m leaning into my phone being data scraped off a public wifi because it’s the only thing that makes sense. I’ve gone through all the scenarios and had a friend who is an IT security person walk me through some stuff as well. Also a couple days after my FB was hijacked, they tried to break into my website as well, but thankfully I have enough security precautions on there where they gave up after a week. (I can assume this was them by watching Wordfence as I knew where my normal “background noise” level was and how it took a huge spike for a week then went away.)

@OldieAB Not predictable, but as I stated earlier, my hosting provider told me they waltzed right into my mail server. No breaking in by guessing, they had the login credentials in hand and didn’t raise any alarm bells on the server.