
My Firefox installation was hacked to try to get my Coinbase login, how do I track how this happened?


I was an early Firefox adopter (about a decade of use, after Netscape and Mozilla usage for the previous decade), but switched to Chrome a few years back. With recent improvements I have been trying Firefox again, and overall very happy.

But, something I had installed a while back took over my installation. I think it may have been an "anti-adblock" add-on, but can't be sure.

The way I know I was hacked is because:

1) When I first upgraded Firefox to 57.0 and restarted the browser, I got a 'your computer has been hacked, you need to click on this link to fix it' scam (with loud siren sound). I had to restart Firefox several times, resetting some extensions, to be able to even use it because this scam was displayed in an uninterruptible window under Firefox (I couldn't enter anything other than information the scam wanted, cancel just restarted the scam prompt). I suspect now that this going away was just the code stopping trying to get information when there was some resistance.

2) Today I tried to log in to my Coinbase (Bitcoin and related trading) account. After the typical login prompt I expected the normal 2-factor request. But instead, there was a security warning that I needed to 'validate my email account', with a prompt that clearly wanted me to enter my Gmail account email and password. This would have given access to one of the ways Coinbase validates accounts (but not the SMS verification that I also have enabled). This is definitely not a normal Coinbase request, and clearly a hack. With Bitcoin where it is, this hack could be worth tens of thousands of dollars. I have validated that Coinbase never requests this information through searches, but not directly with Coinbase (nothing online shows them requesting such strange and compromising information).

So, I have reverted to using Chrome. I have never had such a hack through Chrome. This is truly nasty and I can't use Firefox with any chance of this happening: I'm effectively trusting you guys with the keys to my kingdom. I've changed passwords, but now I wonder what all this hack may have accessed. Changing all passwords for all accounts Firefox may have seen logins for is an enormous task.

So, I have not reset the hacked Firefox, I'm just not running it. It should still have whatever code is there to take over my Coinbase account (and likely more). How do I figure out what happened here? I really would like an alternative to Chrome, but this is not remotely acceptable and has damaged my ability to trust Firefox substantially.


All Replies (1)


JoePowell said

1) When I first upgraded Firefox to 57.0 and restarted the browser, I got a 'your computer has been hacked, you need to click on this link to fix it' scam (with loud siren sound). I had to restart Firefox several times, resetting some extensions, to be able to even use it because this scam was displayed in an uninterruptible window under Firefox (I couldn't enter anything other than information the scam wanted, cancel just restarted the scam prompt). I suspect now that this going away was just the code stopping trying to get information when there was some resistance.

There are a number of websites like that. Typically users encounter those as a result of clicking or interacting in some other manner with an ad on a popular site. Pressing the Esc key several times in a row quickly can break the authentication/reload cycle.

Normally ending up on that kind of page would not be the result of client-side malware, although that is possible. I assume you have run numerous cleaning programs to ensure that your system is okay? If you need suggestions, see: Troubleshoot Firefox issues caused by malware.

If you aren't already running uBlock Origin (https://addons.mozilla.org/firefox/ad.../ublock-origin/), you may want to do that, and remove any extensions you don't recognize and trust.

And if you think there's any possibility that your build of Firefox has been tampered with, you can:

Clean Reinstall

We use this name, but it's not about removing your settings, it's about making sure the program files are clean (no inconsistent or alien code files). As described below, this process does not disturb your existing settings. It's not essential to uninstall Firefox, but you can if you like, saying No to any request about removing personal data.

It only takes a few minutes.

(A) Download a fresh installer for Firefox to a convenient location:

https://www.mozilla.org/firefox/all/

(B) Exit out of Firefox (if applicable).

(C) Using Windows Explorer/My Computer, rename the program folder as follows (you might have one or both):

C:\Program Files (x86)\Mozilla Firefox =to=> C:\Program Files (x86)\OldFirefox

C:\Program Files\Mozilla Firefox =to=> C:\Program Files\OldFirefox

(D) Run the installer you downloaded in step (A). It should automatically connect to your existing settings.

Any improvement?
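
Added example, not part of the original thread: one way to review which add-ons a profile has, when they were installed and what site access they hold, before deciding what to remove. It reads `extensions.json` from the Firefox profile folder; the field names follow that file's usual layout and are an assumption that may vary between Firefox versions, and the sample data is constructed.

```python
import json
import sys
from datetime import datetime, timezone

# Match patterns that grant access to every site, login pages included.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Locations used by Firefox itself or by installs made through the Add-ons Manager.
EXPECTED_LOCATIONS = {"app-profile", "app-builtin", "app-system-defaults", "app-system-addons"}

# Constructed sample in the shape of extensions.json (not data from the thread).
SAMPLE = {"addons": [
    {"id": "uBlock0@raymondhill.net", "defaultLocale": {"name": "uBlock Origin"},
     "location": "app-profile", "signedState": 2, "installDate": 1510000000000,
     "userPermissions": {"permissions": ["tabs"], "origins": ["<all_urls>"]}},
    {"id": "sample-helper@example.invalid", "defaultLocale": {"name": "Sample Helper"},
     "location": "winreg-app-user", "signedState": 0, "installDate": 1490000000000,
     "userPermissions": {"permissions": ["webRequest"], "origins": ["*://*/*"]}},
    {"id": "notes@example.invalid", "defaultLocale": {"name": "Sample Notes"},
     "location": "app-profile", "signedState": 2, "installDate": 1500000000000,
     "userPermissions": {"permissions": ["storage"], "origins": []}},
]}


def audit_extensions(data):
    """Return one record per add-on, oldest install first, with review flags."""
    records = []
    for addon in data.get("addons", []):
        perms = addon.get("userPermissions") or {}
        flags = []
        if BROAD_ORIGINS & set(perms.get("origins") or []):
            flags.append("all-sites access")
        if addon.get("location") not in EXPECTED_LOCATIONS:
            flags.append("sideloaded or unusual install location")
        if addon.get("signedState") in (-2, 0):  # broken or missing signature
            flags.append("signature missing or broken")
        installed = datetime.fromtimestamp((addon.get("installDate") or 0) / 1000, tz=timezone.utc)
        records.append({"id": addon.get("id"),
                        "name": (addon.get("defaultLocale") or {}).get("name"),
                        "installed": installed.date().isoformat(), "flags": flags})
    return sorted(records, key=lambda r: r["installed"])


if __name__ == "__main__":
    # Pass the path to extensions.json from the profile folder, or run on the sample.
    data = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE
    for rec in audit_extensions(data):
        print(rec["installed"], rec["id"], rec["name"], "; ".join(rec["flags"]) or "-")
```

A flag marks an add-on for review, not as malicious: a content blocker such as uBlock Origin legitimately holds all-sites access, so the install date and install location are what narrow the list.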