Betfair account hacking attempt

[jamesedwards]

Multiple unsuccessful attempts to hack into my Betfair account this morning. All with IPs from various different cities in the UK so perhaps someone from abroad using a VPN?

I only found out because I checked my past logins screen after Betfair forced a password change when I logged in just now.

I have two factor authentication turned on and it doesn't say whether they failed at password or 2FA level.

[Derek27]

Multiple unsuccessful attempts to hack into my Betfair account this morning. All with IPs from various different cities in the UK so perhaps someone from abroad using a VPN?

I only found out because I checked my past logins screen after Betfair asked me to change my password.

I have two factor authentication turned on and it doesn't say whether they failed at password or 2FA level.

Login with an incorrect password and then with correct password, incorrect code. Check which ones get logged.

[Dallas]

Thanks for the heads up, and glad to hear they were unsuccessful.

It would be better if BF could confirm if they failed at password or 2FA
Although you'll be changing your password anyway it's certainly worth knowing how much information they had

[ShaunWhite]

Thanks for the heads up

Ditto....and for the record no fails on mine.

It's worth dropping a quick line to BF in these situations so there's a paper trail should the worst happen.

[jamesedwards]

Good idea Derek. I've just tried logging in with correct password but incorrect 2FA and it doesn't show up as a login attempt, failed or otherwise. So it seems they only had my username, and not password.

I know it's irrational, but I'm loath to contact Betfair about it, just in case they put some sort of security hold on my account.

[jamesedwards]

Further to the above for info;

> A failed login due to incorrect password will be logged on your 'security settings' page in Betfair, but will NOT produce an email alert.
> A failed login with correct password but failed 2FA attempt will NOT be logged on your 'security settings' page, but will produce an email alert.
> A change of password will produce an email alert.

[ShaunWhite]

I know it's irrational, but I'm loath to contact Betfair about it, just in case they put some sort of security hold on my account.

IF (balance you might lose to a hacker * the risk of that %) > (the income you might lose if you're out of action * that risk %). THEN do ELSE don't.

Or something like that

[jamesedwards]

I know it's irrational, but I'm loath to contact Betfair about it, just in case they put some sort of security hold on my account.

IF (balance you might lose to a hacker * the risk of that %) > (the income you might lose if you're out of action * that risk %). THEN do ELSE don't.

Or something like that

I love people who think like this.

The Mrs just looks at me blankly, when I try to explain that the cat is going through a cost-benefit analysis equation in his head when deciding whether or not to get up for a thrown treat. One treat is not worth it, but throw another and it tips the balance in favour of getting up off his arse.

[Derek27]

I know it's irrational, but I'm loath to contact Betfair about it, just in case they put some sort of security hold on my account.

IF (balance you might lose to a hacker * the risk of that %) > (the income you might lose if you're out of action * that risk %). THEN do ELSE don't.

Or something like that

[Derek27]

Further to the above for info;

> A failed login due to incorrect password will be logged on your 'security settings' page in Betfair, but will NOT produce an email alert.
> A failed login with correct password but failed 2FA attempt will NOT be logged on your 'security settings' page, but will produce an email alert.
> A change of password will produce an email alert.

Thanks for that. I was gonna test it myself but I'll just note that information.

[ShaunWhite]

Thanks for that. I was gonna test it myself but I'll just note that information.

After your drama I worry if I click on the account security page by accident let alone try anything shady I certainly hope they notice I hit 'Back' in about 0.1secs if I accidentally click on one of the 'I'm an addict' links

[jamesedwards]

They were at it again last night It seems Betfair allows 4 failed attempts before forcing a password change.

Derek, what painful process did you have to go through to change your username?

[ilovepizza82]

Multiple unsuccessful attempts to hack into my Betfair account this morning. All with IPs from various different cities in the UK so perhaps someone from abroad using a VPN?

I only found out because I checked my past logins screen after Betfair forced a password change when I logged in just now.

I have two factor authentication turned on and it doesn't say whether they failed at password or 2FA level.

If it was attack from different UK locations then I doubt vpn or vps was used.
I tried most of them services and usually its only 2 cities but most of the time its just London and thats it.
Most likely it was distributed brute force attack.
It happens all the time. Attacks on my account usually are from legit locations like:
Brazil, Asia, Russia, UAE and that kind of countries
And i know these are not VPNs because i checked those addresses multiple times and they are legit internet providers, not data centers.


EDIT: You cant change your username.
I tried to do that as well and betfair customer service was not very helpful...basically they say you cant change it. Have a nice day

[ShaunWhite]

It happens all the time.

? I've never had one.

Are these accounts ones with an email address as the username or older ones with a more randomly selected name?

[Selmer]

They were at it again last night It seems Betfair allows 4 failed attempts before forcing a password change.

Derek, what painful process did you have to go through to change your username?

I had the same problem last month. In my case, the problem was solved after I`d changed my email. It seems that when they enter your email as your username, it shows as an unsuccessful login attempt even when your username is not your email. So, I would suggest registering a unique email that is not used anywhere else.