Captured a Firefox Hacking Incident in History
My Amazon and PayPal accounts were recently hacked, apparently using Firefox Password Manager. I've since changed the passwords for the accounts in question and also enabled a password for Firefox. Attached is a redacted version of the hacking session. I have a few questions.
1) If someone's accessed my decrypted Firefox password file, should I assume every saved password has been compromised?
2) How do I get a list of all these sites if I do need to change the passwords on all or many of them?
3) Is there any way to tell if this attack was launched from inside my apartment or remotely? I think I know the DNS IP of my home system at the time.
Your help is much appreciated.
All Replies (4)
The only way for someone to gain access to your password manager in Firefox is through malware infections, where you clicked on malware-infected software or sites and got infected. Firefox by itself didn't cause this problem. What you are asking is something you should be asking a computer shop to look at. Firefox is a browser by itself, and if an installed add-on caused this, then this isn't a Firefox problem either.
Chosen Solution
sbjohn said
1) If someone's accessed my decrypted Firefox password file, should I assume every saved password has been compromised?
Yes. I don't see how the answer to that exact question could be anything else.
2) How do I get a list of all these sites if I do need to change the passwords on all or many of them?
(A) You can view them using the Saved Logins dialog on the Options page.
(B) You also can view the raw file contents:
Open your current Firefox settings (AKA Firefox profile) folder using either
- "3-bar" menu button > "?" Help > Troubleshooting Information
- (menu bar) Help > Troubleshooting Information
- type or paste about:support in the address bar and press Enter
In the first table on the page, on the Profile Folder row, click the "Open Folder" button. This should launch a new window listing various files and folders in Windows Explorer.
Resize the Windows Explorer window so you can see the Troubleshooting Information page behind it. Then drag and drop the logins.json file onto the content area of the tab.
After a few moments, Firefox should display a structured view of the data, with entries for each saved login. The site names are visible, but usernames may be encrypted.
(C) If you need to export a readable list of usernames and passwords, see: https://support.mozilla.org/questions/1242014#answer-1176683
3) Is there any way to tell if this attack was launched from inside my apartment or remotely? I think I know the DNS IP of my home system at the time.
There's no way for me to tell. In your history, the timestamps are very close together, which suggests to me that it wasn't done completely by hand. Scripts to send keystrokes to the active window could be installed either locally or remotely through a variety of methods. I think you could get more informed speculation on a security forum where they may have seen this sequence of events before.
I don't know whether you've ruled out a persistent infection on your system. Please try one of the forums listed in this article: Troubleshoot Firefox issues caused by malware.
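The timestamp observation in the answer above can be checked mechanically. The following is an added example, not part of the original thread: it flags runs of history visits spaced too closely to be typed by hand. The 2-second threshold and the sample rows are assumptions; the table and column names are those of Firefox's places.sqlite.

```python
import sqlite3
from datetime import datetime, timezone

HUMAN_MIN_GAP_S = 2.0  # assumption: shorter gaps between page loads look automated

def build_sample_db():
    """Constructed in-memory stand-in for a copy of places.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
    """)
    base_us = 1_550_000_000_000_000  # visit_date is microseconds since the Unix epoch
    offsets_ms = [0, 95_000, 240_000, 240_400, 240_900, 241_300, 241_800, 600_000]
    for i, off in enumerate(offsets_ms, start=1):
        db.execute("INSERT INTO moz_places VALUES (?, ?)", (i, f"https://site{i}.example/"))
        db.execute("INSERT INTO moz_historyvisits VALUES (?, ?, ?)",
                   (i, i, base_us + off * 1000))
    return db

def find_bursts(db, max_gap_s=HUMAN_MIN_GAP_S, min_visits=3):
    """Group consecutive visits whose spacing never exceeds max_gap_s."""
    rows = db.execute("""SELECT v.visit_date, p.url FROM moz_historyvisits v
                         JOIN moz_places p ON p.id = v.place_id
                         ORDER BY v.visit_date""").fetchall()
    bursts, current = [], []
    for ts, url in rows:
        if current and (ts - current[-1][0]) / 1e6 > max_gap_s:
            if len(current) >= min_visits:
                bursts.append(current)
            current = []
        current.append((ts, url))
    if len(current) >= min_visits:
        bursts.append(current)
    return bursts

def describe(burst):
    start = datetime.fromtimestamp(burst[0][0] / 1e6, tz=timezone.utc)
    span_s = (burst[-1][0] - burst[0][0]) / 1e6
    return f"{start.isoformat()} {len(burst)} visits in {span_s:.1f}s"

if __name__ == "__main__":
    # For real use, open a copy of places.sqlite; Firefox locks the live file.
    for burst in find_bursts(build_sample_db()):
        print(describe(burst))
        for _, url in burst:
            print("   ", url)
```

A burst only shows that the visits were not typed by hand; it does not say whether the script ran locally or was driven remotely.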
The System Details list shows you have RoboForm.
- RoboForm Password Manager 8.3.7.1
When RoboForm is enabled then this would normally disable the Firefox Password Manager (only one PW manager can be active).
Were you using RoboForm already when this happened?
Were you using a master password in Firefox, as without an MP you would only need access to logins.json and key4.db or key3.db?
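Answer (B) and the reply above both point at logins.json, where the site names are stored in the clear beside the encrypted usernames and passwords. As an added example (not part of the original thread), this script turns that file into a password-rotation worklist without decrypting anything; the incident date and sample records are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

INCIDENT = datetime(2019, 2, 12, tzinfo=timezone.utc)  # constructed incident date

def ms(dt):
    """logins.json stores times as milliseconds since the Unix epoch."""
    return int(dt.timestamp() * 1000)

def entry(host, changed, last_used):
    # Constructed record; the encrypted fields are placeholders and are never read.
    return {"hostname": host, "encryptedUsername": "<placeholder>",
            "encryptedPassword": "<placeholder>",
            "timePasswordChanged": ms(changed), "timeLastUsed": ms(last_used)}

SAMPLE = json.dumps({"logins": [
    entry("https://shop.example", INCIDENT - timedelta(days=400), INCIDENT - timedelta(days=1)),
    entry("https://pay.example", INCIDENT + timedelta(days=1), INCIDENT + timedelta(days=1)),
    entry("https://forum.example", INCIDENT - timedelta(days=30), INCIDENT - timedelta(days=20)),
]})

def rotation_worklist(logins_json_text, incident):
    """Saved logins whose stored password predates the incident, most recently used first."""
    cutoff = ms(incident)
    todo = []
    for item in json.loads(logins_json_text).get("logins", []):
        # A missing timestamp is treated as "not rotated" so nothing is silently skipped.
        if item.get("timePasswordChanged", 0) < cutoff:
            todo.append({
                "site": item.get("hostname", "<unknown>"),
                "last_used": datetime.fromtimestamp(
                    item.get("timeLastUsed", 0) / 1000, tz=timezone.utc),
            })
    return sorted(todo, key=lambda e: e["last_used"], reverse=True)

if __name__ == "__main__":
    # For real use, read the text from a copy of logins.json in the profile folder.
    for row in rotation_worklist(SAMPLE, INCIDENT):
        print(f"{row['last_used']:%Y-%m-%d}  {row['site']}")
```

timePasswordChanged only moves when the saved login itself is updated, so a password changed on the site but not re-saved in Firefox still appears on the worklist.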