
Captured a Firefox Hacking Incident in History

My Amazon and PayPal accounts were recently hacked, apparently using Firefox Password Manager. I've since changed the passwords for the accounts in question and also enabled a password for Firefox. Attached is a redacted version of the hacking session. I have a few questions.

1) If someone's accessed my decrypted Firefox password file, should I assume every saved password has been compromised?

2) How do I get a list of all these sites if I do need to change the passwords on all or many of them?

3) Is there any way to tell if this attack was launched from inside my apartment or remotely? I think I know the DNS ip of my home system at the time.

Your help is much appreciated.

Attached screenshots

Additional System Details

Application

  • Firefox 63.0.3
  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
  • Support URL: https://support.mozilla.org/1/firefox/63.0.3/WINNT/en-US/

Extensions

  • RoboForm Password Manager 8.3.7.1 (rf-firefox@siber.com)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: NVIDIA GeForce GT 720
  • adapterDescription2:
  • adapterDeviceID: 0x1286
  • adapterDeviceID2:
  • adapterDrivers: C:\WINDOWS\System32\DriverStore\FileRepository\nv_desktop_ref4wu.inf_amd64_d666a2459eba14a6\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_desktop_ref4wu.inf_amd64_d666a2459eba14a6\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_desktop_ref4wu.inf_amd64_d666a2459eba14a6\nvldumdx.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_desktop_ref4wu.inf_amd64_d666a2459eba14a6\nvldumdx.dll C:\WINDOWS\System32\DriverStore\FileRepository\nv_desktop_ref4wu.inf_amd64_d666a2459eba14a6\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_desktop_ref4wu.inf_amd64_d666a2459eba14a6\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_desktop_ref4wu.inf_amd64_d666a2459eba14a6\nvldumd.dll,C:\WINDOWS\System32\DriverStore\FileRepository\nv_desktop_ref4wu.inf_amd64_d666a2459eba14a6\nvldumd.dll
  • adapterDrivers2:
  • adapterRAM: 1024
  • adapterRAM2:
  • adapterSubsysID: 108710de
  • adapterSubsysID2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • contentUsesTiling: False
  • crashGuards: []
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 10.0.17763.1
  • driverDate: 9-5-2018
  • driverDate2:
  • driverVersion: 24.21.13.9924
  • driverVersion2:
  • featureLog: {u'fallbacks': [], u'features': [{u'status': u'available', u'description': u'Compositing', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'HW_COMPOSITING'}, {u'status': u'available', u'description': u'Direct3D11 Compositing', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'D3D11_COMPOSITING'}, {u'status': u'available', u'description': u'Direct2D', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'DIRECT2D'}, {u'status': u'available', u'description': u'Direct3D11 hardware ANGLE', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'D3D11_HW_ANGLE'}, {u'status': u'available', u'description': u'GPU Process', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'GPU_PROCESS'}, {u'status': u'opt-in', u'description': u'WebRender', u'log': [{u'status': u'opt-in', u'message': u'WebRender is an opt-in feature', u'type': u'default'}], u'name': u'WEBRENDER'}, {u'status': u'available', u'description': u'WebRender qualified', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'WEBRENDER_QUALIFIED'}, {u'status': u'available', u'description': u'Off Main Thread Painting', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'OMTP'}, {u'status': u'available', u'description': u'Advanced Layers', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'ADVANCED_LAYERS'}]}
  • info: {u'AzureContentBackend (UI Process)': u'skia', u'AzureCanvasBackend (UI Process)': u'skia', u'ApzWheelInput': 1, u'ApzDragInput': 1, u'ApzKeyboardInput': 1, u'AzureFallbackCanvasBackend (UI Process)': u'cairo', u'ApzAutoscrollInput': 1, u'AzureCanvasAccelerated': 0, u'AzureCanvasBackend': u'direct2d 1.1', u'AzureContentBackend': u'direct2d 1.1'}
  • isGPU2Active: False
  • numAcceleratedWindows: 2
  • numTotalWindows: 2
  • offMainThreadPaintEnabled: True
  • offMainThreadPaintWorkerCount: 4
  • usesTiling: False
  • webgl1DriverExtensions: GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_explicit_context GL_ANGLE_explicit_context_gles1 GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_sync_query GL_EXT_blend_minmax GL_EXT_color_buffer_half_float GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_frag_depth GL_EXT_map_buffer_range GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_unpack_subimage GL_KHR_debug GL_KHR_robust_buffer_access_behavior GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_compressed_ETC1_RGB8_texture GL_OES_depth32 GL_OES_element_index_uint GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_vertex_array_object OES_compressed_EAC_R11_signed_texture OES_compressed_EAC_R11_unsigned_texture OES_compressed_EAC_RG11_signed_texture OES_compressed_EAC_RG11_unsigned_texture OES_compressed_ETC2_RGB8_texture OES_compressed_ETC2_RGBA8_texture OES_compressed_ETC2_punchthroughA_RGBA8_texture OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture OES_compressed_ETC2_sRGB8_alpha8_texture OES_compressed_ETC2_sRGB8_texture
  • webgl1Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_frag_depth EXT_sRGB EXT_shader_texture_lod EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context
  • webgl1Renderer: Google Inc. -- ANGLE (NVIDIA GeForce GT 720 Direct3D11 vs_5_0 ps_5_0)
  • webgl1Version: OpenGL ES 2.0 (ANGLE 2.1.0.ae3b5a6552ee)
  • webgl1WSIInfo: EGL_VENDOR: Google Inc. (adapter LUID: 000000000000ba91) EGL_VERSION: 1.4 (ANGLE 2.1.0.ae3b5a6552ee) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_ANGLE_explicit_context
  • webgl2DriverExtensions: GL_ANGLE_client_arrays GL_ANGLE_depth_texture GL_ANGLE_explicit_context GL_ANGLE_explicit_context_gles1 GL_ANGLE_framebuffer_blit GL_ANGLE_framebuffer_multisample GL_ANGLE_instanced_arrays GL_ANGLE_lossy_etc_decode GL_ANGLE_multiview GL_ANGLE_pack_reverse_row_order GL_ANGLE_program_cache_control GL_ANGLE_request_extension GL_ANGLE_robust_client_memory GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ANGLE_texture_usage GL_ANGLE_translated_shader_source GL_CHROMIUM_bind_generates_resource GL_CHROMIUM_bind_uniform_location GL_CHROMIUM_color_buffer_float_rgb GL_CHROMIUM_color_buffer_float_rgba GL_CHROMIUM_copy_compressed_texture GL_CHROMIUM_copy_texture GL_CHROMIUM_sync_query GL_EXT_blend_minmax GL_EXT_color_buffer_float GL_EXT_color_buffer_half_float GL_EXT_debug_marker GL_EXT_discard_framebuffer GL_EXT_disjoint_timer_query GL_EXT_draw_buffers GL_EXT_frag_depth GL_EXT_map_buffer_range GL_EXT_occlusion_query_boolean GL_EXT_read_format_bgra GL_EXT_robustness GL_EXT_sRGB GL_EXT_shader_texture_lod GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_s3tc_srgb GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_EXT_texture_norm16 GL_EXT_texture_rg GL_EXT_texture_storage GL_EXT_unpack_subimage GL_KHR_debug GL_KHR_robust_buffer_access_behavior GL_NV_EGL_stream_consumer_external GL_NV_fence GL_NV_pack_subimage GL_NV_pixel_buffer_object GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_EGL_image_external_essl3 GL_OES_compressed_ETC1_RGB8_texture GL_OES_depth32 GL_OES_element_index_uint GL_OES_get_program_binary GL_OES_mapbuffer GL_OES_packed_depth_stencil GL_OES_rgb8_rgba8 GL_OES_standard_derivatives GL_OES_surfaceless_context GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_OES_texture_npot GL_OES_vertex_array_object OES_compressed_EAC_R11_signed_texture OES_compressed_EAC_R11_unsigned_texture OES_compressed_EAC_RG11_signed_texture OES_compressed_EAC_RG11_unsigned_texture OES_compressed_ETC2_RGB8_texture OES_compressed_ETC2_RGBA8_texture OES_compressed_ETC2_punchthroughA_RGBA8_texture OES_compressed_ETC2_punchthroughA_sRGB8_alpha_texture OES_compressed_ETC2_sRGB8_alpha8_texture OES_compressed_ETC2_sRGB8_texture
  • webgl2Extensions: EXT_color_buffer_float EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_texture_float_linear WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context
  • webgl2Renderer: Google Inc. -- ANGLE (NVIDIA GeForce GT 720 Direct3D11 vs_5_0 ps_5_0)
  • webgl2Version: OpenGL ES 3.0 (ANGLE 2.1.0.ae3b5a6552ee)
  • webgl2WSIInfo: EGL_VENDOR: Google Inc. (adapter LUID: 000000000000ba91) EGL_VERSION: 1.4 (ANGLE 2.1.0.ae3b5a6552ee) EGL_EXTENSIONS: EGL_EXT_create_context_robustness EGL_ANGLE_d3d_share_handle_client_buffer EGL_ANGLE_d3d_texture_client_buffer EGL_ANGLE_surface_d3d_texture_2d_share_handle EGL_ANGLE_query_surface_pointer EGL_ANGLE_window_fixed_size EGL_ANGLE_keyed_mutex EGL_ANGLE_surface_orientation EGL_ANGLE_direct_composition EGL_NV_post_sub_buffer EGL_KHR_create_context EGL_EXT_device_query EGL_KHR_image EGL_KHR_image_base EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_gl_renderbuffer_image EGL_KHR_get_all_proc_addresses EGL_KHR_stream EGL_KHR_stream_consumer_gltexture EGL_NV_stream_consumer_gltexture_yuv EGL_ANGLE_flexible_surface_compatibility EGL_ANGLE_stream_producer_d3d_texture EGL_ANGLE_create_context_webgl_compatibility EGL_CHROMIUM_create_context_bind_generates_resource EGL_CHROMIUM_sync_control EGL_EXT_pixel_format_float EGL_KHR_surfaceless_context EGL_ANGLE_display_texture_share_group EGL_ANGLE_create_context_client_arrays EGL_ANGLE_program_cache_control EGL_ANGLE_robust_resource_initialization EGL_ANGLE_create_context_extensions_enabled EGL_EXTENSIONS(nullptr): EGL_EXT_client_extensions EGL_EXT_platform_base EGL_EXT_platform_device EGL_ANGLE_platform_angle EGL_ANGLE_platform_angle_d3d EGL_ANGLE_device_creation EGL_ANGLE_device_creation_d3d11 EGL_ANGLE_experimental_present_path EGL_KHR_client_get_all_proc_addresses EGL_ANGLE_explicit_context
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 11
  • windowUsingAdvancedLayers: True

Modified Preferences

Misc

  • User JS: No
  • Accessibility: Yes
WestEnd
  • Top 25 Contributor
60 solutions 5377 answers

The only way for someone to gain access to your password manager in Firefox is through malware infections, where you clicked on malware-infected software or sites to get infections. Firefox by itself didn't cause this problem. What you are asking is something you should be asking a computer shop to look at. Firefox is a browser by itself, and if an installed add-on caused this then this also isn't a Firefox problem.

jscher2000
  • Top 10 Contributor
8642 solutions 70690 answers

Chosen Solution

sbjohn said

1) If someone's accessed my decrypted Firefox password file, should I assume every saved password has been compromised?

Yes. I don't see how the answer to that exact question could be anything else.

2) How do I get a list of all these sites if I do need to change the passwords on all or many of them?

(A) You can view them using the Saved Logins dialog on the Options page.

(B) You also can view the raw file contents:

Open your current Firefox settings (AKA Firefox profile) folder using either

  • "3-bar" menu button > "?" Help > Troubleshooting Information
  • (menu bar) Help > Troubleshooting Information
  • type or paste about:support in the address bar and press Enter

In the first table on the page, on the Profile Folder row, click the "Open Folder" button. This should launch a new window listing various files and folders in Windows Explorer.

Resize the Windows Explorer window so you can see the Troubleshooting Information page behind it. Then drag and drop the logins.json file onto the content area of the tab.

After a few moments, Firefox should display a structured view of the data, with entries for each saved login. The site names are visible, but usernames may be encrypted.

(C) If you need to export a readable list of usernames and passwords, see: https://support.mozilla.org/questions/1242014#answer-1176683

3) Is there any way to tell if this attack was launched from inside my apartment or remotely? I think I know the DNS ip of my home system at the time.

There's no way for me to tell. In your history, the timestamps are very close together, which suggests to me that it wasn't done completely by hand. Scripts to send keystrokes to the active window could be installed either locally or remotely through a variety of methods. I think you could get more informed speculation on a security forum where they may have seen this sequence of events before.
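Question 2 asks for the list of every site with a saved login. The script below is an added illustration, not code from the thread or from Mozilla: it parses a logins.json file and prints each hostname with the date its password was last changed, so entries not rotated since the suspected compromise can be queued first. It assumes the file layout Firefox writes (a top-level "logins" array whose entries carry "hostname", "encryptedUsername", "encryptedPassword" and millisecond "timePasswordChanged" fields); the sample embedded in it is constructed, with placeholder strings where the encrypted values would be. The encrypted fields are never decoded, since the site list alone is enough to plan the password changes.

```python
"""Enumerate saved-login sites from a Firefox logins.json.

Added example, not code from the original thread or from Mozilla.
Assumed layout: a top-level "logins" array whose entries carry
"hostname", "encryptedUsername", "encryptedPassword" and a millisecond
"timePasswordChanged" field, as Firefox stores them.  Encrypted fields
are never decoded; only hostnames and change dates are used.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of a logins.json.  The "encrypted*"
# values are placeholders, not ciphertext from any real profile.
SAMPLE_LOGINS_JSON = """
{
  "nextId": 4,
  "logins": [
    {"id": 1, "hostname": "https://shop.example.com", "httpRealm": null,
     "formSubmitURL": "https://shop.example.com",
     "encryptedUsername": "PLACEHOLDER-USER-1", "encryptedPassword": "PLACEHOLDER-PASS-1",
     "guid": "{11111111-1111-1111-1111-111111111111}", "encType": 1,
     "timeCreated": 1514764800000, "timeLastUsed": 1541030400000,
     "timePasswordChanged": 1514764800000, "timesUsed": 12},
    {"id": 2, "hostname": "https://pay.example.net", "httpRealm": null,
     "formSubmitURL": "https://pay.example.net",
     "encryptedUsername": "PLACEHOLDER-USER-2", "encryptedPassword": "PLACEHOLDER-PASS-2",
     "guid": "{22222222-2222-2222-2222-222222222222}", "encType": 1,
     "timeCreated": 1514764800000, "timeLastUsed": 1542240000000,
     "timePasswordChanged": 1542240000000, "timesUsed": 30},
    {"id": 3, "hostname": "https://mail.example.org", "httpRealm": "Mail",
     "formSubmitURL": null,
     "encryptedUsername": "PLACEHOLDER-USER-3", "encryptedPassword": "PLACEHOLDER-PASS-3",
     "guid": "{33333333-3333-3333-3333-333333333333}", "encType": 1,
     "timeCreated": 1483228800000, "timeLastUsed": 1483228800000,
     "timePasswordChanged": 1483228800000, "timesUsed": 1}
  ]
}
"""


def load_logins(text):
    """Parse logins.json text and return its list of login entries."""
    data = json.loads(text)
    logins = data.get("logins")
    if not isinstance(logins, list):
        raise ValueError("no 'logins' array: not a logins.json file?")
    return logins


def saved_sites(text):
    """Sorted, de-duplicated hostnames that have a saved login (question 2)."""
    return sorted({entry["hostname"] for entry in load_logins(text)})


def rotation_plan(text, incident_iso):
    """Return (hostname, last_changed, needs_rotation) for every login.

    incident_iso is the suspected compromise time as an ISO-8601 string
    with UTC offset, e.g. "2018-11-10T00:00:00+00:00".  A password last
    changed at or before that moment was in the file when it was read and
    must be rotated; one changed afterwards has already been replaced.
    """
    incident_ms = int(datetime.fromisoformat(incident_iso).timestamp() * 1000)
    rows = []
    for entry in load_logins(text):
        changed_ms = int(entry.get("timePasswordChanged", 0))
        changed = datetime.fromtimestamp(changed_ms / 1000, tz=timezone.utc)
        rows.append((entry["hostname"], changed.strftime("%Y-%m-%d"),
                     changed_ms <= incident_ms))
    # Entries still needing rotation first, then alphabetical by site.
    rows.sort(key=lambda row: (not row[2], row[0]))
    return rows


def unencrypted_entries(text):
    """Hostnames whose credential fields are missing or empty.

    Firefox writes both fields encrypted, so a hit here points at a
    hand-edited or foreign file and deserves a closer look.
    """
    return [e["hostname"] for e in load_logins(text)
            if not e.get("encryptedUsername") or not e.get("encryptedPassword")]


if __name__ == "__main__":
    # Usage: python list_logins.py [path/to/logins.json] [incident ISO time]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOGINS_JSON
    incident = sys.argv[2] if len(sys.argv) > 2 else "2018-11-10T00:00:00+00:00"
    for host, changed, rotate in rotation_plan(text, incident):
        print(f"{'ROTATE' if rotate else 'ok    '}  {changed}  {host}")
    for host in unencrypted_entries(text):
        print(f"WARNING: credentials for {host} are not stored encrypted")
```

Run it against a copy of the profile's logins.json with the incident time as the second argument; the file itself is left untouched and read only, and the ordering puts the sites that still need a new password at the top of the output.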

jscher2000
  • Top 10 Contributor
8642 solutions 70690 answers

I don't know whether you've ruled out a persistent infection on your system. Please try one of the forums listed in this article: Troubleshoot Firefox issues caused by malware.

cor-el
  • Top 10 Contributor
  • Moderator
17424 solutions 157436 answers

The System Details list shows you have RoboForm.

  • RoboForm Password Manager 8.3.7.1

When RoboForm is enabled then this would normally disable the Firefox Password Manager (only one PW manager can be active).

Were you using RoboForm already when this happened?

Were you using a master password in Firefox, as without an MP you would only need access to logins.json and key4.db or key3.db?
