Vanguard hacking attempt

Golden Mean

I got an email an hour ago that my secure access to Vanguard was disabled, due to too many failed password attempts. And I was not currently trying to login to Vanguard. Fun. I intended to do a transfer for living expenses tomorrow. Slightly concerned due to the "I needed to mail a notarized form" post on this forum.

Tried to log in, and it was true, I was locked out. The email suggested I use the "Forgot your user name or password?" link. I was able to use that route, though there was one point where I could select "I know my password". Clicking that did not work. I did in fact have to change my password. Luckily all the 2FA stuff worked and I was able to change it and log in.

I immediately initiated my transfer for Nov. :p

Thinking of setting up an "enhanced password", which appears to make phone call stuff smoother and hopefully would allow me to initiate a transfer over the phone. Can anyone confirm this, or confirm you can do a transfer (out) even when web login is locked?

I was never asked the "security questions" I see mentioned in old posts on the Boglehead site. Maybe they did away with those? If not, I'm going to wait for the transfer to complete and then login and see if I can find them and re-do them. If they are there, the answers I gave are 20 years old (and not written down anywhere).

Also, concerned someone will keep banging on my login and get me more permanently locked out. So far it's quiet.
 
I'm sure you have a long complicated password and I wouldn't be too worried if it were me, but I deliberately keep accounts at Vanguard and Fidelity so that I have access to funds if I'm locked out (or if someone spoofed their way into one as someone tried today at my Fidelity account).
 
I got an email an hour ago that my secure access to Vanguard was disabled, due to too many failed password attempts. And I was not currently trying to login to Vanguard. Fun. I intended to do a transfer for living expenses tomorrow. Slightly concerned due to the "I needed to mail a notarized form" post on this forum.

Tried to log in, and it was true, I was locked out. The email suggested I use the "Forgot your user name or password?" link. I was able to use that route, though there was one point where I could select "I know my password". Clicking that did not work. I did in fact have to change my password. Luckily all the 2FA stuff worked and I was able to change it and log in.

I immediately initiated my transfer for Nov. :p

Thinking of setting up an "enhanced password", which appears to make phone call stuff smoother and hopefully would allow me to initiate a transfer over the phone. Can anyone confirm this, or confirm you can do a transfer (out) even when web login is locked?

I was never asked the "security questions" I see mentioned in old posts on the Boglehead site. Maybe they did away with those? If not, I'm going to wait for the transfer to complete and then login and see if I can find them and re-do them. If they are there, the answers I gave are 20 years old (and not written down anywhere).

Also, concerned someone will keep banging on my login and get me more permanently locked out. So far it's quiet.
It might not hurt to change your user ID, too, and make it as strong as your password.
 
Is it possible that your login ID is similar to someone else's, and they accidentally type in your login ID instead of their own?

I doubt someone tried to brute force your password, but maybe there is a hack that I'm not aware of. I'm actually very out of date on all this stuff.
 
With 2FA, I can’t even get to putting in a password at Fidelity until I enter the 2FA code. So how can someone do a try until fail at Vanguard?
 

Tried to log in, and it was true, I was locked out. The email suggested I use the "Forgot your user name or password?" link. I was able to use that route, though there was one point where I could select "I know my password". Clicking that did not work. I did in fact have to change my password. Luckily all the 2FA stuff worked and I was able to change it and log in.
Hopefully you did NOT use the email links, but instead went to Vanguard via your normal browser saved address. Otherwise you just gave your password to the bad people.
 
I was never asked the "security questions" I see mentioned in old posts on the Boglehead site. Maybe they did away with those?
Any time I have called Vanguard they always ask me a security question if I am going to talk about my accounts. If I say it has nothing to do with my accounts it is a general question then we can skip that.
 
FYI, for phone access what Vanguard offers is not a password but a "passphrase." So before you call them to set that up, think of a whole phrase, not just a single word.

There are those who think your phrase should be random words strung together rather than an actual phrase, for better security, but the downside of something like that is you might FORGET your passphrase - and at Vanguard, this means you have to mail a notarized form to remove this security measure before they will restore your phone access. How do I know, you ask? :blush:

They also have voice authentication as another option ("At Vanguard, my voice is my password"), but I have read that this is spoofable so I haven't gone that way.
 
Is it possible that your login ID is similar to someone else's, and they accidentally type in your login ID instead of their own?

I doubt someone tried to brute force your password, but maybe there is a hack that I'm not aware of. I'm actually very out of date on all this stuff.
I am leaning toward this if your user name was something like JohnStevens and maybe some other JohnStevens1 tried to log in and forgot the 1, then just kept trying thinking they were mistyping their password?
 
An advantage to using a password manager is that it will only offer to fill in the password if you are at the correct site.

This should eliminate the risk of clicking on a bad link in an email to get your password, but as others have mentioned, you should never click on links in emails.

Even though we’re not sure if that’s what the OP did.
 
It might not hurt to change your user ID, too, and make it as strong as your password.
Sadly, you can't change the user ID on your own even when you are logged into your Vanguard account. It requires a phone call to Vanguard, or at least it did when I attempted it a couple of years ago.
 
Thanks for all replies. I did go straight to Vanguard. No link clicking for me.

Last night I was thinking about whether I could/should change my username, just as a few responses here mentioned. Great idea! My current username is super short and made up from my name; something that was the norm 25 years ago when I set up the account. 😄

That'd be a great way to get away from someone finding out your username and constantly locking you out. I'll probably generate something with a letter/number mix, if I can.

I keep my passwords in KeePassXC (which supports notes/memos too), so no issue saving weird passphrase/question responses.

Waiting for my transfer to complete before I muck with any security settings. Going to browse the GFs account while I do her monthly transfer and get a lay of the land. :cool:
 
I'm sure you have a long complicated password and I wouldn't be too worried if it were me, but I deliberately keep accounts at Vanguard and Fidelity so that I have access to funds if I'm locked out (or if someone spoofed their way into one as someone tried today at my Fidelity account).
I have a Schwab account (which was prev with Ameritrade, which was prev with Scottrade), but I don't have cash in there since they make you manually buy a good MMF and then sell manually to buy investments. Might have to do something about that.

I do keep 2 extra months of cash in my checking, so I wouldn't be totally SOL but it's still unnerving to contemplate being locked out of your "income stream".
 
With 2FA, I can’t even get to putting in a password at Fidelity until I enter the 2FA code. So how can someone do a try until fail at Vanguard?
With Vanguard you don't get the 2FA challenge until you put in a good username/password combo. Same with Schwab, I believe.
 
Sadly, you can't change the user ID on your own even when you are logged into your Vanguard account. It requires a phone call to Vanguard, or at least it did when I attempted it a couple of years ago.
Missed this on my first read through. That kinda sucks. I'll follow up here, if/when I try to change it.
 
Sadly, you can't change the user ID on your own even when you are logged into your Vanguard account. It requires a phone call to Vanguard, or at least it did when I attempted it a couple of years ago.
Probably still does. The username is part of the primary data keys used to validate security.
 
I use a version of my initials and name at Vanguard. Years ago I forgot the exact format and couldn't log in. I wonder if I locked someone else's account. I should probably change to a more cryptic user ID.
 
I doubt someone tried to brute force your password, but maybe there is a hack that I'm not aware of. I'm actually very out of date on all this stuff.
It's less of a brute force, and more of a strong arm. :)

First, glad to see OP is doing everything right.

As for the multiple attempts besides someone out there typing in the wrong ID, here's why this may happen. Pretty much ALL of us, yes reader, you too, have a password out there in the clear on a dark web. It is probably very old and has been changed.

No matter. What happens is that some hackers can correlate your hacked password data with various financial accounts and give it a try. This worked really well for hackers before 2FA became common. A lot of people use the same password for everything. Don't do that!

If the hacker had succeeded with OP, the next step would have likely been to get them to give up their 2FA somehow. See the other recent thread about a Fidelity hack attempt where that was in progress.

So:
- Yeah, don't use the same password for everything
- Good idea to change your account ID away from an email address or well known ID like your name
- Use 2FA
- Don't respond to texts on finance accounts that come to you. Call them instead and see what's up

And so on.

I'm blathering about all this and just realized my VG and Fido IDs are the same. Duh-oh! Physician, heal thyself. I have some work to do.
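The thread floats two explanations for the lockout: a neighbour with a near-identical user ID mistyping it, or someone replaying leaked credentials against the account from many places. As an added example (not from the forum, the poster or Vanguard), a small triage routine over constructed login events that separates those cases the way an account-security team would; the event format, the lockout threshold of 5 and the addresses are all assumptions.

```python
"""Triage failed-login bursts per account from constructed auth events."""
from collections import Counter, defaultdict

# Constructed sample events (not from any real system): (time_s, username, src_ip, outcome)
EVENTS = [
    (0,   "jsmith",  "203.0.113.7",  "fail"),
    (5,   "jsmith",  "203.0.113.7",  "fail"),
    (9,   "jsmith",  "203.0.113.7",  "fail"),
    (14,  "jsmith1", "203.0.113.7",  "ok"),    # neighbour finally remembers the "1"
    (100, "golden",  "198.51.100.1", "fail"),  # one account, five sources, seconds apart
    (101, "golden",  "198.51.100.2", "fail"),
    (102, "golden",  "198.51.100.3", "fail"),
    (103, "golden",  "198.51.100.4", "fail"),
    (104, "golden",  "198.51.100.5", "fail"),
    (200, "alice",   "192.0.2.9",    "fail"),  # ordinary typo, then success
    (230, "alice",   "192.0.2.9",    "ok"),
    (300, "bob",     "192.0.2.50",   "fail"),  # one source hammering one account
    (301, "bob",     "192.0.2.50",   "fail"),
    (302, "bob",     "192.0.2.50",   "fail"),
    (303, "bob",     "192.0.2.50",   "fail"),
    (304, "bob",     "192.0.2.50",   "fail"),
]

LOCKOUT_THRESHOLD = 5  # assumed: failures before secure access is disabled


def failed_by_user(events):
    """Group failed attempts per username as (time, src_ip), preserving order."""
    out = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "fail":
            out[user].append((ts, ip))
    return out


def classify(user, fails, events):
    """Label one account's failures.

    locked_distributed   : lockout reached from several sources (credential-replay pattern)
    locked_single_source : lockout reached from one source
    mistyped_neighbour   : a source that failed on this ID then succeeded on a
                           near-identical ID (user ID mistyped by someone else)
    benign               : below threshold, no neighbour signal
    """
    sources = Counter(ip for _, ip in fails)
    if len(fails) >= LOCKOUT_THRESHOLD:
        return "locked_distributed" if len(sources) > 1 else "locked_single_source"
    for _, u, ip, outcome in events:
        if outcome == "ok" and ip in sources and u != user and (u.startswith(user) or user.startswith(u)):
            return "mistyped_neighbour"
    return "benign"


def triage(events):
    """Map every username with failures to its label."""
    return {u: classify(u, f, events) for u, f in failed_by_user(events).items()}
```

Accounts labelled `locked_distributed` are the ones worth a lockout notice that tells the owner to reach the site by their own bookmark rather than an emailed link, exactly the advice given above.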
 
Three different posts about sophisticated scam attempts started on the same day is pretty alarming.
 
Three different posts about sophisticated scam attempts started on the same day is pretty alarming.
And incoming minutes ago a hacked Netflix account thread.
 
It's less of a brute force, and more of a strong arm. :)

First, glad to see OP is doing everything right.

As for the multiple attempts besides someone out there typing in the wrong ID, here's why this may happen. Pretty much ALL of us, yes reader, you too, have a password out there in the clear on a dark web. It is probably very old and has been changed.

No matter. What happens is that some hackers can correlate your hacked password data with various financial accounts and give it a try. This worked really well for hackers before 2FA became common. A lot of people use the same password for everything. Don't do that!

If the hacker had succeeded with OP, the next step would have likely been to get them to give up their 2FA somehow. See the other recent thread about a Fidelity hack attempt where that was in progress.

So:
- Yeah, don't use the same password for everything
- Good idea to change your account ID away from an email address or well known ID like your name
- Use 2FA
- Don't respond to texts on finance accounts that come to you. Call them instead and see what's up

And so on.

I'm blathering about all this and just realized my VG and Fido IDs are the same. Duh-oh! Physician, heal thyself. I have some work to do.
Because of a comment I read on this website, about 3 months ago we made separate passwords for each one of our financial accounts because they all had the same one!
 
With 2FA, I can’t even get to putting in a password at Fidelity until I enter the 2FA code.
I think you have this backwards as you should only get the prompt for the 2FA code (if enabled) after a valid user id and password combo are entered.
 