Fidelity Account Hacked

littleb

New Year's eve I received an email from Fidelity informing me that my new IRA account needed profile information entered. Went to Fidelity's website and after reviewing the portfolio it looked like an IRA account with a 0 balance was the one in question. In the past Fidelity would send a letter requesting personal information on all our Fidelity accounts so this request did not seem odd to me.

I also thought I set up the IRA by mistake when moving two accounts from Vanguard to Fidelity nine months ago.

After speaking with a Fidelity Rep it was determined the account was set up four days earlier. The next step was speaking to the Fraud Department. I knew that someone hacked into the account because I was in the hospital the day the account was set up. DH was at the hospital too. The Fraud guy wanted to know if anyone had my sign on or access to it. I assured him that nobody knew my sign on, not even DH. He determined the person who set up the IRA did it online with my user ID and password. I told him I use a password manager and change passwords on a regular basis. Overall my passwords and user IDs are not easy to guess. I ran a log report from my password manager and nothing seems suspicious. A rep from the company also confirmed this.

So I spent days changing all user id and passwords and downloading better ?? anti virus and malware software programs.

This is very concerning because we have 90% of our money at Fidelity. At the moment the Fraud Department has blocked our accounts and is doing an in-depth investigation to determine how this happened. :confused:
 
Ack! that's terrible. If you aren't already, I suggest using two factor authentication - I can have your credentials, but if I don't also have your phone, I'd be out of luck to sign into your Fidelity account.
 
Ack! that's terrible. If you aren't already, I suggest using two factor authentication - I can have your credentials, but if I don't also have your phone, I'd be out of luck to sign into your Fidelity account.

I already do the two step process. That is why this is so perplexing.
 
If something got into one of your devices that you use to log into Fidelity, that might be how they did it....a key logger. But my first thought was that you went for a phishing email in the past. That's where you get a legit looking email, click a link, and they present you with what looks like Fidelity's login. They get your credentials then, if it's a good one, they bounce you to the real Fidelity site, so everything works perfectly, but they now have your credentials and can use them at a later date.


EDIT: I just read you use two-factor. Always?
 
did you access your accounts while in the hospital - from their network perhaps?
 
Scary. One of my worst nightmares. I’ve even discussed it on the site. The fear of waking up and seeing that zero balance on my main IRA (half of my wealth). I’m glad yours was only zero on a new (fraudulent) account and that you did not apparently lose anything.

That you use a password generator and two factor authentication is very troubling. Please keep us informed of what Fidelity finds out.
 
If something got into one of your devices that you use to log into Fidelity, that might be how they did it....a key logger. But my first thought was that you went for a phishing email in the past. That's where you get a legit looking email, click a link, and they present you with what looks like Fidelity's login. They get your credentials then, if it's a good one, they bounce you to the real Fidelity site, so everything works perfectly, but they now have your credentials and can use them at a later date.


EDIT: I just read you use two-factor. Always?

I read about a key logger. If I was phished it was many, many years ago since I am more aware now. I always do the two step factor if it is offered at my financial institutions.
 
did you access your accounts while in the hospital - from their network perhaps?

No, the day the account was set up I was not able to sign on to anything.

I also have my password manager on my phone where you need to know the Master Password (20 characters) to even get to the apps in question.
 
Scary. One of my worst nightmares. I’ve even discussed it on the site. The fear of waking up and seeing that zero balance on my main IRA (half of my wealth). I’m glad yours was only zero on a new (fraudulent) account and that you did not apparently lose anything.

That you use a password generator and two factor authentication is very troubling. Please keep us informed of what Fidelity finds out.

My biggest fear too. Thank goodness I have my money in three different places so that a block does not affect me.

I am hoping Fidelity has a state of the art fraud department that can get to the bottom of this.
 
OMG! I can't imagine how that might feel. I hope they can make you whole soon. Thank you for posting. It has made me enable 2FA on my account.
 
Ack! that's terrible. If you aren't already, I suggest using two factor authentication - I can have your credentials, but if I don't also have your phone, I'd be out of luck to sign into your Fidelity account.

I already do the two step process. That is why this is so perplexing.
Without the user's phone, hacking 2FA is difficult and rare, and even then the user has to fall for a phishing attempt so the hacker can grab a session cookie. A two-factor code changes every few seconds, so taking that from the user page is pointless.

I hope the OP will keep us posted, hopefully there’s more to the story. And we shouldn’t leave Fidelity’s culpability up in the air IMO.

2FA greatly enhances security.

https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/
 
OMG! I can't imagine how that might feel. I hope they can make you whole soon. Thank you for posting. It has made me enable 2FA on my account.

No money lost since I called within a few days of the Fidelity email.
 
Went to Fidelity's website and after reviewing the portfolio it looked like an IRA account with a 0 balance was the one in question. In the past Fidelity would send a letter requesting personal information on all our Fidelity accounts so this request did not seem odd to me.

I also thought I set up the IRA by mistake when moving two accounts from Vanguard to Fidelity nine months ago.

After speaking with a Fidelity Rep it was determined the account was set up four days earlier. The next step was speaking to the Fraud Department.
When you spoke to the fraud dept., did they say the account was set up online or via phone? Our log in is voice verified over the phone. You mentioned they sent a letter, via e-mail or snail mail? Opening a new IRA account gives hacker ability to see your entire portfolio? Or does Fidelity wait for updates in your profile before actually setting it up? It seems strange that hacker would not attempt something else in the process of setting up new IRA. Fraud dept. should be able to tell you what they know about your entire portfolio now.
 
OMG! I can't imagine how that might feel. I hope they can make you whole soon. Thank you for posting. It has made me enable 2FA on my account.

Nothing was lost. A new account was set up. Probably on the way to a loss, but stopped in progress thankfully. Still very upsetting I’m sure.
 
No money lost since I called within a few days of the Fidelity email.
So Fidelity confirmed they sent the original email? And you reviewed your email inbox from 4 days ago to see if anything questionable came in?
 
I’m not yet convinced this was hacking - or at least that it was done from outside.

Fidelity should be able to scratch down through the entire event ... including whether a 2FA code was sent, when it was sent, if it was used, etc ...
 
Definitely interested in the full story here. I am wondering if maybe it was an agent that made a mistake. DW had a $2,000 gift to her IRA last year. I caught the error and gave it back.
 
If I was inclined to hack someone's account and had their username and password I wouldn't set up a new account. Maybe tell Fidelity to back off and see if they fund it?
 
Definitely interested in the full story here. I am wondering if maybe it was an agent that made a mistake. DW had a $2,000 gift to her IRA last year. I caught the error and gave it back.
Most hacks are internal.
 
Definitely interested in the full story here. I am wondering if maybe it was an agent that made a mistake. DW had a $2,000 gift to her IRA last year. I caught the error and gave it back.

I had an agent involved in moving money from an IRA to my ROTH the middle of December. I asked three reps at Fidelity if the agent opened this new IRA account. All three said "no." The money transfer was from December 13 and the new IRA was set up the end of December.....It is a possibility to me.
 
Nothing was lost. A new account was set up. Probably on the way to a loss, but stopped in progress thankfully. Still very upsetting I’m sure.

This is what I am thinking also. Very upsetting but it sounds like the security measures in place worked. Please continue to report the details, which can help the rest of us.
 
Finally got me off my a$$ to set up the 2FA too.
Best of luck OP!
OMG! I can't imagine how that might feel. I hope they can make you whole soon. Thank you for posting. It has made me enable 2FA on my account.
 
LittleB, what's the skinny? Did you get 'Wells Fargoed' by Fidelity (they set up an account you didn't ask for) or was there outsider fraud? Curious minds want to know.
 