I’d like to give a little update today, for anyone who’s interested.
I mounted the VDI file from my old Windows 7 machine in Windows 11 and scanned it with Windows Defender. Result: nothing found.
After that, I ran a few PowerShell scripts with the help of ChatGPT to do some additional checks (the scripts were suggested by the AI). They wrote their output into CSV files, which I then went through together with the AI.
01-run-hklm.csv and 02-run-hku.csv: strange program calls, odd filenames (e.g. expl0rer with a zero instead of an “o”, svchosts.exe, paths into AppData\Roaming).
03-startup-folders.csv: shortcuts/EXEs in the startup folder.
04-services.csv: services with Start=2 (auto) and unusual ImagePath (e.g. inside user folders).
05/06-scheduled-tasks-*: tasks that start things hourly/on logon; paths in AppData/Temp.
07-temp-exe-dll.csv: EXE/DLLs in Temp – often droppers/loaders.
08-drivers.csv: unknown .sys files in the drivers folder.
10-lsa-core.csv: additional packages in LSA, which looked suspicious (persistent access to login data).
All of these checks also came back clean. The AI was able to explain all entries in a plausible way (Microsoft or Intel services, or things clearly belonging to the Windows ecosystem).
I assume Windows Defender on Win 11 would have flagged something here as well if anything malicious had been present.
Looking back, the only explanations that make sense to me (as a total layman when it comes to viruses) are:
My old physical PC was eventually infected with some kind of malware operating below the OS (e.g. in the Master Boot Record or something like that).
Or this:
In early 2025, my email provider was hacked, and apparently login data from several accounts was stolen. I found out that multiple customers were affected when a support employee accidentally slipped during a phone call (after I had been pestering them for answers).
I was affected too and noticed it just a few hours after the hack, when someone tried to take over my Kleinanzeigen account (a German online flea market site). I suddenly got an email from Kleinanzeigen saying I had just posted a listing – which I definitely hadn’t. I immediately changed the login details, and that stopped the attack there.
But a few hours later I realized that my email account passwords at that provider had been changed. My mail clients started throwing login errors. I was still able to reset the passwords through the admin console – but only temporarily. Within minutes, the attackers had changed them again. Apparently, they had some exploit that allowed them to keep resetting the email passwords. What they couldn’t do was take over the admin console itself, so I kept logging in and changing the passwords back.
The annoying part: it was a Sunday, and the provider’s support line wasn’t available until Monday. So from Sunday noon until about 11 a.m. Monday, I was stuck in a loop:
1) Check emails in the client to see if the login still worked.
2) If not: Log into the admin console and change the password again.
3) Repeat.
I had to do this for four email accounts. It felt like Don Quixote fighting an automated hacker script. At least I managed to keep the stolen credentials from being usable for more than a minute or two. I logged everything, took screenshots, and sent reports every 30 minutes through the provider’s ticket system.
When I finally got through to support on Monday morning, they were clearly overwhelmed. Officially, they tried to downplay it: “Just change your password and your account will be safe again.” But with my logs and screen recordings I could prove that their explanation didn’t match reality at all. Later one employee even slipped and admitted that “things were going crazy because so many customers were calling about 'this'.”
That was the only incident where I directly noticed my login credentials being stolen. To me it still looked like only the email accounts were actively compromised. The access to Kleinanzeigen was taken over via the “forgot password” function once the attackers had my email.
I can’t say for sure anymore which old emails were still on the server at that time – maybe some of them could have revealed other accounts I was registered with. Normally I move older mails into local folders so they don’t stay on the provider’s servers. I also don’t think I ever received the SpiderBasic account password in plain text by email when I first signed up (that was many years ago), and if I had, I would have moved that mail into a local archive long ago.
That’s why I still find it strange how someone could have gotten hold of my old SpiderBasic account password through the email account takeover (not a new one, but the original password). In the recent blackmail email, the password was indeed correct, but the sender apparently didn’t even know which account it belonged to.
ChatGPT also suggested it could have been a compromised browser extension. I didn’t use any extensions on that old PC towards the end, but in the past I definitely did (like µBlock, UserAgentSwitcher).
Either way, I’m now setting up a completely different password manager on my new PC, and I’ll use that chance to rotate all my passwords.
My SpiderBasic account password has been leaked. However, the vulnerability is unknown.
PB 6.12 x64, OS: Win 11 24H2 x64, Desktopscaling: 150%, CPU: I7 12700 H, RAM: 32 GB, GPU: Intel(R) Iris(R) Xe Graphics | NVIDIA GeForce RTX 3070, User age in 2025: 57y
"Happiness is a pet." | "Never run a changing system!"
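As an added example (my own code, not the ChatGPT scripts from the post above), this PowerShell script performs the Run-key, service, LSA-package, Temp-binary and driver checks described in the post against a mounted VDI, reading the image's own SOFTWARE and SYSTEM hives so the results describe the old machine rather than the Windows 11 host. The drive letter, output folder and regex heuristics are assumptions; it needs an elevated prompt because reg.exe must load the hives.

```powershell
# Added example: persistence triage of an OFFLINE Windows image mounted as a drive letter.
# Assumptions: $ImageRoot is the mounted VDI; the regex heuristics below are my own choices.
param([string]$ImageRoot = 'E:', [string]$OutDir = "$env:USERPROFILE\triage")
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
# User-writable locations and look-alike names (svchosts.exe, expl0rer) are worth a second look.
$Heur = '(?i)AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|svchosts?\.exe|expl0rer'
function Test-Suspicious([string]$Text) { [bool]($Text -match $Heur) }

# Load the image's hives under temporary names so HKLM:\ queries hit the old machine, not the host.
reg.exe load HKLM\OffSW  (Join-Path $ImageRoot 'Windows\System32\config\SOFTWARE') | Out-Null
reg.exe load HKLM\OffSYS (Join-Path $ImageRoot 'Windows\System32\config\SYSTEM')   | Out-Null
try {
    # 01: HKLM Run / RunOnce entries from the offline SOFTWARE hive
    $run = foreach ($k in 'Run','RunOnce') {
        $p = "HKLM:\OffSW\Microsoft\Windows\CurrentVersion\$k"
        if (Test-Path $p) {
            (Get-ItemProperty $p).PSObject.Properties | Where-Object Name -notlike 'PS*' |
                ForEach-Object { [pscustomobject]@{ Key=$k; Name=$_.Name; Command=$_.Value; Flag=(Test-Suspicious $_.Value) } }
        }
    }
    $run | Export-Csv "$OutDir\01-run-hklm.csv" -NoTypeInformation

    # 04: auto-start services (Start=2) whose binary lives outside the usual system locations
    $cs  = (Get-ItemProperty 'HKLM:\OffSYS\Select').Current          # which ControlSet was active
    $svc = Get-ChildItem "HKLM:\OffSYS\ControlSet00$cs\Services" | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        if ($v.Start -eq 2 -and $v.ImagePath) {
            $odd = $v.ImagePath -notmatch '(?i)systemroot|system32|\\windows\\|program files'
            [pscustomobject]@{ Service=$_.PSChildName; ImagePath=$v.ImagePath; Flag=((Test-Suspicious $v.ImagePath) -or $odd) }
        }
    }
    $svc | Export-Csv "$OutDir\04-services.csv" -NoTypeInformation

    # 10: LSA packages (an extra DLL here is loaded by lsass and sees logon credentials)
    $lsa = Get-ItemProperty "HKLM:\OffSYS\ControlSet00$cs\Control\Lsa"
    [pscustomobject]@{ Security=($lsa.'Security Packages' -join ';'); Authentication=($lsa.'Authentication Packages' -join ';')
                       Notification=($lsa.'Notification Packages' -join ';') } |
        Export-Csv "$OutDir\10-lsa-core.csv" -NoTypeInformation
}
finally { reg.exe unload HKLM\OffSW | Out-Null; reg.exe unload HKLM\OffSYS | Out-Null }

# 07/08: EXE/DLLs in Temp folders and .sys files in drivers, with Authenticode status (works on offline files)
$files = @(Get-ChildItem "$ImageRoot\Users\*\AppData\Local\Temp","$ImageRoot\Windows\Temp" -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue) +
         @(Get-ChildItem "$ImageRoot\Windows\System32\drivers" -Filter *.sys -ErrorAction SilentlyContinue)
$files | ForEach-Object {
    $sig = Get-AuthenticodeSignature $_.FullName
    [pscustomobject]@{ Path=$_.FullName; Size=$_.Length; Modified=$_.LastWriteTime; Signature=$sig.Status; Signer=$sig.SignerCertificate.Subject }
} | Export-Csv "$OutDir\07-08-binaries.csv" -NoTypeInformation
```

Rows with Flag=True or Signature other than Valid are the ones to look up by hand; a valid Microsoft or Intel signature is the quickest way to confirm the "plausible explanation" the post relied on.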
