Total Takeover: Hacker Gains Full Control of Personal Account

Co-Authored By: Andrew King & Chad O’Sullivan

Ever since the beginning of COVID, businesses have worked tirelessly to upgrade their cyber security tools, but for many people this has not translated into our personal lives. The truth is it’s easier to live without security controls: they can be hard to set up, tedious to work around and not always well supported by third-party services. So the question arises – why should we go out of our way to secure our personal accounts?

During a recent conversation with one of our clients – whose identity has been withheld for privacy – we uncovered a sobering answer to that question. This client experienced the nightmare of having their bank account compromised, their mobile number hijacked, and numerous other personal accounts taken over by cyber attackers, all due to a single account compromise. What unfolded should serve as a stark warning to anyone who thinks, “It could never happen to me.”

The Attack Begins

To set the scene, our client called the helpdesk after finding an email in their inbox with their email password as the subject line. The email stated that a group of attackers had found their personal email account’s password, accessed their emails, copied and deleted everything, and now demanded $500 in Bitcoin to restore the emails and not leak them to the world.

As our first recovery measure, we attempted to recover the user’s email account. Luckily, they were registered with Microsoft, which requires two different forms of verification before updating backup information. We were able to reset the user’s password and restore access to their emails.

Now that we were in, we could assess the damage. Immediately, we found the inbox and deleted items were empty. However, the recovery tab of deleted items allowed us to restore all the emails deleted by the attacker.

At this point, you—like us—might think all is well and the job’s done. Unfortunately, after restoring the emails, we found the real damage.

The Real Impact

Once restored, we identified that the attackers had control of the inbox for seven days before sending the ransom letter. We assessed all emails from that period and found countless password reset and one-time PIN codes. Every possible account set up using that email had been accessed.
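
The review of the seven-day window described above can be scripted once the mailbox is restored. The following is an added example, not part of the original article or ItVisions tooling: it lists which services sent password-reset or one-time-code mail during the window, so each one can be recovered in turn. The subject patterns, sample messages and dates are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Subject wording typical of account-recovery mail (assumed list; extend per service).
RECOVERY_RE = re.compile(
    r"password reset|reset your password|verification code|security code"
    r"|one[- ]time|\bOTP\b|\bPIN\b", re.IGNORECASE)

def triage(raw_messages, window_end, days=7):
    """Return {sender domain: [subjects]} for recovery mail inside the window."""
    window_start = window_end - timedelta(days=days)
    hits = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            sent = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # missing or unparseable Date header: review by hand
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        subject = msg["Subject"] or ""
        if window_start <= sent <= window_end and RECOVERY_RE.search(subject):
            # From can be forged, so this is a to-check list, not proof of access.
            domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
            hits[domain or "unknown"].append(subject)
    return dict(hits)

def _mail(sender, subject, date):
    return f"From: {sender}\nSubject: {subject}\nDate: {date}\n\n(body omitted)\n"

# Constructed sample mailbox; senders, subjects and dates are made up.
SAMPLE = [
    _mail("no-reply@shop.example", "Password reset requested", "Tue, 05 Mar 2024 09:15:00 +0000"),
    _mail("security@bank.example", "Your one-time PIN is enclosed", "Wed, 06 Mar 2024 14:02:00 +0000"),
    _mail("newsletter@news.example", "Weekly deals", "Thu, 07 Mar 2024 08:00:00 +0000"),
    _mail("carrier@mobile.example", "Verification code for your number transfer", "Fri, 08 Mar 2024 10:30:00 +0000"),
    _mail("no-reply@shop.example", "Reset your password", "Tue, 20 Feb 2024 11:00:00 +0000"),
]
RANSOM_NOTE_TIME = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for domain, subjects in sorted(triage(SAMPLE, RANSOM_NOTE_TIME).items()):
        print(f"{domain}: {len(subjects)} message(s) -> reset password, review activity")
```

Run it against the restored messages, including those recovered from deleted items, since the attacker removed the evidence from the inbox.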

Worse, there was a request to have their mobile number transferred to a new provider and their bank details changed. Both companies requested identity documents to confirm the request—and the attackers were able to satisfy this using a photo of the user’s passport stored in an old email.

The Fallout

Overall, the attackers:
  • Accessed third-party accounts such as Amazon, Facebook, and a home loan account.
  • Accessed the user’s bank account and made thousands of dollars’ worth of transactions.
  • Successfully initiated a transfer of the user’s mobile number to their own provider.
  • Sent hundreds of spam emails from the user’s account, resulting in the email being blacklisted on anti-spam lists.

To add insult to injury, this all happened while the user was overseas. The sobering reality they faced was having no access to any third-party accounts, no email, and—had they contacted us a day later—no mobile number, all while outside of the United States.

Lessons Learnt

This event was a huge wake-up call not only for this user but also for me and the team at ItVisions. Even though we work with attacks and compromises daily, there’s a mental bias separating work and personal life that leads most individuals to push things like their personal email account to the back of their mind and forget about them.

Events like this serve not only to break that bias but also to teach us lessons on what to do better. So, I’d like all readers to review the list of questions below, based on our lessons learned, and take the time to do a self-assessment of their personal security:

  1. Is my password complex?

    • Between password cracking algorithms, leaks, and educated guesses, it’s no longer safe to use simple passwords. In this instance, the user’s password was a name, date, and special character.
    • Our recommendation: use a passphrase—multiple words joined with a randomly chosen special character.
    • For more information, follow the US Government’s guide:
      👉 https://www.cyber.gov.au/protect-yourself/securing-your-accounts/passphrases/creating-strong-passphrases
    • Also, use different passwords for each service. If you struggle to manage them, invest in a secure password manager like Bitwarden, LastPass, or any other vendor of your choice.
  2. Do I use strong Multifactor Authentication (MFA)?

    • In this case, MFA was not enabled for the user’s email, removing a critical barrier from the attacker’s path.
    • Most third-party services allow email to be your primary MFA type, which means once your email is compromised, so is everything else.
    • Our recommendation: use an Authenticator App on your phone for everything. This means if attackers don’t have your phone, they can’t access your accounts—and if they do, they’ll still need your PIN, fingerprint, or face.
  3. What data is kept in this service?

    • As mentioned above, the user’s bank and mobile service were manipulated using an old passport photo stored in their emails.
    • Best practice: delete any unneeded sensitive data and prepare for the worst.
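
Question 1 worked through as an added example (not from the original article): it builds a passphrase the way the recommendation describes and estimates guessing entropy for it and for the name, date and special character pattern the user had. The separator set, the short sample word list and the counts used in `pattern_bits` are assumptions.

```python
import math
import secrets

SEPARATORS = "!@#$%^&*-_=+?"  # assumed symbol set (13 characters)

# Constructed sample list, far too short for real use; a published list
# such as the EFF long word list has 7,776 entries.
SAMPLE_WORDS = ["harbor", "velvet", "cactus", "lantern", "pebble",
                "orbit", "maple", "thunder", "quilt", "falcon"]

def make_passphrase(wordlist, words=4):
    """Pick words with a CSPRNG and join them with one randomly chosen symbol."""
    sep = secrets.choice(SEPARATORS)
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def passphrase_bits(list_size, words=4):
    """Entropy in bits when every word and the separator are chosen uniformly."""
    return words * math.log2(list_size) + math.log2(len(SEPARATORS))

def pattern_bits(names=5000, years=80, symbols=32):
    """Entropy of name + date + symbol when the guesser knows the pattern.
    Defaults are assumptions: 5,000 common names, any day in 80 years, 32 symbols."""
    return math.log2(names * years * 366 * symbols)

if __name__ == "__main__":
    print("example passphrase (sample list):", make_passphrase(SAMPLE_WORDS))
    print(f"name+date+symbol pattern: {pattern_bits():.1f} bits")
    print(f"4 words from 7,776 + separator: {passphrase_bits(7776):.1f} bits")
```

Under these assumptions the passphrase is roughly 23 bits stronger, which is several million times more guesses, and a name or date tied to the user narrows the weak pattern further.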


These checks aren’t exhaustive, but they’re a huge leap forward in personal security and help break that bias. Start with your email account, then check your services in order of priority—financial, messaging, social media, and so on.

Final Thought

We understand that security is not your job. If you ever need advice or support, the ItVisions team is always available.

Take Control Before Someone Else Does

Don’t wait for a breach to realise your personal security matters.
If you haven’t already, take 10 minutes today to:
  • Review your email security
  • Enable strong MFA across all accounts
  • Delete old sensitive data you no longer need

Your digital life is worth protecting—and it starts with one step.

Need help?

Reach out to the ItVisions team for personalised advice or support. We’re here to help you stay safe, wherever you are.
