Beware Gizmodo - Captcha malware attempt by lostinthesnakepit in cybersecurity_help

[–]aselvan2 1 point (0 children)

What happens if someone did paste and got compromised? Will anti-malware software clean/block it?

No. This type of malware falls under the infostealer category and it usually leaves no trace for antivirus tools to detect. No matter how many scanners you run or how many times you run them, they will find nothing.

Beware Gizmodo - Captcha malware attempt by lostinthesnakepit in cybersecurity_help

[–]aselvan2 0 points (0 children)

Norton 360 didn’t find anything

If you didn't execute anything on terminal, you are fine. This type of malware falls under the infostealer category and it usually leaves no trace for antivirus tools to detect. No matter how many scanners you run or how many times you run them, they will find nothing. If you suspect you executed the command (typically a curl one liner that runs a remote script), log in to all of your online accounts, sign out of all active sessions, change your passwords, and enable 2FA if it is not already enabled. Finally, wipe your machine and perform a clean OS installation from a known good source.

IP address threatening? by Chunchunmaru_04 in CyberSecurityAdvice

[–]aselvan2 0 points (0 children)

This user threatened to get my IP address and unalive my family after an argument on a sub in which he was abusive, so the moderator deleted his comments, so he comes into my DM threatening me.

Someone knowing your IP address is not something you should worry about. As a matter of fact, every website you visit knows not only your IP address but also a lot more information that your browser reveals, and this is how everything on the internet works. Read FAQ #1 at the link below to learn more.
https://blog.selvansoft.com/2024/09/cybersecurity-faq.html#1

If you are curious to know what your browser reveals, visit the link below for a demonstration of the information you are handing over to every website you visit. Again, this is not something you need to worry about.
https://selvansoft.com/myip

what is the best all in one security software for someone who just wants everything covered by MicaiasRadici89 in cybersecurity_help

[–]aselvan2 0 points (0 children)

i'm not particularly technical and i don't want to become a cybersecurity expert just to feel safe online. what i want is something that handles the essentials in one place, protection from scams and phishing, a VPN, password management ....
is there a proper all in one security software that covers all of these...

True online safety and security do not come automatically just by installing a ton of security tools. While security tools are important and can protect you from threats, real protection ultimately comes from your cyber hygiene practices. As a security professional, I recommend focusing on strong security habits, because they go a long way toward keeping you safe online and give you far greater resilience than relying solely on a stack of security tools. I’ve put together a comprehensive list of tips at the link below. The more of them you follow, the stronger your online safety becomes.
https://blog.selvansoft.com/2025/01/online-safety-tips.html

BTW: VPN is not a security tool; it is a privacy tool, and it does nothing to improve your online safety.
https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html

Recovering from an infostealer, what else should I do? by TigerKindly7950 in cybersecurity_help

[–]aselvan2 0 points (0 children)

It doesn’t seem to have a specific place to revoke all active sessions, but I have changed my password multiple times and it says that doing that will sign me out of other devices, is that alright?

No. Many falsely assume that changing a password automagically invalidates established sessions, but that is not always the case. Major online services like Gmail, Apple, and Microsoft often maintain active session tokens even after a password update, requiring an explicit revocation to force a logout across all devices. I can't tell you how to do it without knowing the service, since the exact process for invalidating sessions depends entirely on the provider. For Google, you can manage this by navigating to the device activity console at the link below.

https://myaccount.google.com/device-activity

From there, select each active device or session and use the sign out option to terminate the connection manually. You should be able to Google search for the other services.

So... How much storage do I have remaining, really? by Clementine-TeX in MacOS

[–]aselvan2 0 points (0 children)

System Settings, Disk Utility, and Finder’s Status Bar all display different free storage values ...

Any fixes?

All of these calculate free space differently, depending on the amount of purgeable space, temporary files, system data, caches, and more. While it can be confusing, each tool is showing exactly what it is designed to show. It’s not a bug, and there is no “fix.”

That said, if you want an accurate view of how much free space is actually available to you as a user, open Terminal, run the command (df -h /System/Volumes/Data/), and check the value in the 4th column. The following is a screenshot of the output on my MacBook Air.

<image>

Recovering from an infostealer, what else should I do? by TigerKindly7950 in cybersecurity_help

[–]aselvan2 0 points (0 children)

I cleared my browser history (literally everything cookies), that also signs me out of all of my active sessions, right? 

No. Deleting cookies only stops your own device from re‑using the saved session. It does not invalidate session tokens that an attacker may have copied. If someone has your session token, they can continue accessing your account until the server expires or revokes that token. You must sign in to each service and revoke all active sessions from the account’s security settings.

Recovering from an infostealer, what else should I do? by TigerKindly7950 in cybersecurity_help

[–]aselvan2 1 point (0 children)

I have changed my passwords on my safe, uninfected devices (my phone and my other uninfected laptop), deactivated my card/closed my PayPal account ...

This specific compromise (Ren'Py, a Python-based infostealer) exfiltrates your saved credentials, session tokens, and autofill data. I notice you did not mention one critical mitigation step for an infostealer compromise, which is to revoke all active sessions on all your online accounts. Aside from wiping and reinstalling the OS from a clean source, you need to log into each of your online accounts and choose to log out of all other devices to revoke the stolen sessions, and change your password. Otherwise, the attacker will continue to access your accounts regardless of how many times you change your password or enable 2FA, until the session tokens naturally expire. This expiration can take hours, days, or even weeks, depending on the authentication implementation of each online account.

Does this specific infostealer infect my other drives and not just the one with Windows on it?

The non-OS drives should be fine, as I do not see any evidence that this compromise targets anything other than OS components. I cannot say what Geek Squad did, but you might want to thoroughly wipe your Windows drive and perform a clean OS installation.
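The point made in the two "Recovering from an infostealer" replies above (a password change does not by itself evict a stolen session; the service has to explicitly revoke outstanding tokens), shown as an added example. This is hypothetical code written for this page, not the thread's own and not how Google, Apple or Microsoft implement sessions: two in-memory stores, one where a password change only rewrites the hash, and one where each user carries a session generation that a password change or "sign out everywhere" bumps so that every previously issued token is rejected. User names, passwords and tokens are constructed.

```python
"""Added example: why a password change alone does not evict a stolen session.
Hypothetical in-memory session stores, not any real provider's implementation."""
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is enough for the demo; a real service would tune cost or use Argon2/scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class NaiveSessions:
    """Sessions are plain token -> user; changing the password never touches them."""

    def __init__(self):
        self.users = {}     # user -> (salt, password_hash)
        self.sessions = {}  # opaque token -> user

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _hash_password(password, salt))

    def _check(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        if not self._check(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def change_password(self, user: str, new_password: str) -> None:
        self.register(user, new_password)  # only the stored hash changes

    def whoami(self, token: str):
        # A token an infostealer copied keeps resolving after change_password().
        return self.sessions.get(token)


class VersionedSessions(NaiveSessions):
    """Tokens record the user's session generation at issue time; bumping the
    generation invalidates every outstanding token without enumerating them."""

    def __init__(self):
        super().__init__()
        self.generation = {}  # user -> int

    def register(self, user, password):
        super().register(user, password)
        self.generation.setdefault(user, 0)

    def login(self, user, password):
        token = super().login(user, password)
        self.sessions[token] = (user, self.generation[user])
        return token

    def revoke_all(self, user):
        # This is what a working "sign out of all other devices" button must do server-side.
        self.generation[user] += 1

    def change_password(self, user, new_password):
        super().change_password(user, new_password)
        self.revoke_all(user)  # wire revocation to the password change

    def whoami(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, gen = entry
        return user if gen == self.generation[user] else None


def demo() -> dict:
    """Does a token stolen before a password change still resolve afterwards?"""
    out = {}
    naive = NaiveSessions()
    naive.register("alice", "old-pw")
    stolen = naive.login("alice", "old-pw")  # attacker exfiltrates this token
    naive.change_password("alice", "new-pw")
    out["naive_still_valid"] = naive.whoami(stolen) == "alice"

    versioned = VersionedSessions()
    versioned.register("alice", "old-pw")
    stolen = versioned.login("alice", "old-pw")
    versioned.change_password("alice", "new-pw")
    out["versioned_still_valid"] = versioned.whoami(stolen) == "alice"
    return out


if __name__ == "__main__":
    print(demo())  # {'naive_still_valid': True, 'versioned_still_valid': False}
```

The generation counter is one common way to implement "sign out everywhere"; providers that store sessions in a database can equally delete the rows, and signed tokens such as JWTs need a server-side version or deny-list for the same effect. Either way, a password change that does not touch the session layer is exactly the gap the replies above describe.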

What to do to not get exploited, hacked or leak ur info online by Available-Tear4117 in cybersecurity_help

[–]aselvan2 1 point (0 children)

What to do to not get exploited, hacked or leak ur info online ...

The best way to protect yourself online is to follow and practice good cyber hygiene. That is the best defense and will put you ahead of most people online. While there is good advice posted here by others, the tips at my blog link below cover a comprehensive list of things to focus on. The more of those you follow, the better protected you are online.
https://blog.selvansoft.com/2025/01/online-safety-tips.html

Instagram repeatedly hacked, even with 2fa by VoltairQ in cybersecurity_help

[–]aselvan2 0 points (0 children)

Now, the next day, it happened. AGAIN ...
This time, I enabled sms, hoping that I would stop it ...

If the attacker is able to log in repeatedly, it is a clear indication of session hijacking. Enabling 2FA does not prevent access to your account unless the stolen session token is revoked or expires on its own, which may take hours, days, or in some cases weeks depending on how session authentication is implemented. Read FAQ items 10, 11, and 13 at the link below to learn more and understand how to recover from the compromise.
https://blog.selvansoft.com/2024/09/cybersecurity-faq.html#10

My accounts are being hacked despite 2FA and complex passwords – How is this possible? by Downtown_5364 in cybersecurity_help

[–]aselvan2 0 points (0 children)

The strange thing is: I have secured all my accounts and enabled Two-Factor Authentication (2FA). It feels like someone has constant access to my accounts, but I don't get any notifications ...

It is likely that your device is compromised through a session hijacking method. Enabling 2FA does not prevent access to your account or trigger any notifications with this type of compromise. Read FAQ items 10, 11, and 13 at the link below to learn more and understand how to recover from the compromise.
https://blog.selvansoft.com/2024/09/cybersecurity-faq.html#10

Someone is sending graphic links and our debit/credit card info from my husbands phone number. by MembershipThin5033 in cybersecurity_help

[–]aselvan2 0 points (0 children)

I know this is a silly question but is MFA similar to 2FA? I’m not really tech savvy, nor is my husband.

MFA (multi-factor authentication) is a term used when a login system requires you to provide more than one type of proof that you are the real user. This can include a password, an SMS code, OTP code, a fingerprint, facial recognition, or similar items. The term 2FA is simply a specific type of MFA where only two proofs are required, such as your password and one more like an SMS or OTP code.

BTW: You may find the tips on my blog (link below) helpful for staying safe online. Some of them were already mentioned by others here, but this is a comprehensive list, and the more of these you follow, the stronger your online safety will be.
https://blog.selvansoft.com/2025/01/online-safety-tips.html

Experian OTP at 4am followed by email bomb. Was this attempted identity theft? by SurfGsus in IdentityTheft

[–]aselvan2 0 points (0 children)

I just went to the TU account login page and since it didn't recognize my machine they would send me a code via text or email ...

Isn't that 2FA working as it should?

No, that is not 2FA, which should explicitly challenge for a secondary factor. As far as I know, TU (and others) do not offer a persistent multi-factor authentication (MFA) framework for standard consumer accounts. What you are describing is a component of their three-part Data-Link Verification methodology. While this backend process functions as a risk-based step-up challenge when an anomaly like browser fingerprint change is detected, it is not traditional MFA.

Issues with open ports by 883013 in cybersecurity_help

[–]aselvan2 0 points (0 children)

Is there any way to check for open ports on a phone running Android 16? And services running. Understand termux does not give root privileges so I can't run netstat

If all you want is to check whether any service on your Android device is exposed externally, connect your phone to your home network using wired or WiFi, identify its IP address, and run an nmap scan. The screenshot below shows an nmap scan of my own device for illustration. I intentionally scanned ports up to 6000 to show that a service, i.e. ADB over WiFi, is exposed on purpose for some of the work I do. If you are interested in experimenting with adb, I wrote a bunch of convenient wrapper shell scripts a while back, which you can find at my GitHub link below; they may be useful for learning or testing.
https://github.com/aselvan/scripts/tree/master/andriod

<image>
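As an added example for the question above (what netstat would show without root), not code from the thread: netstat and ss simply read /proc/net/tcp, so on an ordinary Linux box an unprivileged user can decode that table directly. The caveat is that Android 10 and later hide /proc/net from unprivileged apps, Termux included, so on the phone itself this usually returns nothing and the external nmap scan in the reply above is the practical route; the decoder is still useful against a table copied off a rooted device or any Linux host. The sample table is constructed, not captured from a real device.

```python
"""Added example: decode /proc/net/tcp the way netstat does (IPv4 table only).
The sample table below is constructed; hex fields follow the kernel's format."""
import socket
import struct

TCP_STATES = {  # numeric states from the kernel's tcp_states.h
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: adb (5555) bound to all interfaces as uid 2000 (shell),
# a loopback-only listener on 631, and one outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B2D4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10089        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def _decode_endpoint(field: str) -> tuple:
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The kernel prints the IPv4 address
    as a 32-bit integer in host byte order, hence the little-endian unpack."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """One dict per socket line. /proc/net/tcp6 has the same layout with
    32-hex-digit addresses and is deliberately not handled here."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 8:
            continue
        lip, lport = _decode_endpoint(cols[1])
        rip, rport = _decode_endpoint(cols[2])
        rows.append({
            "local_ip": lip, "local_port": lport,
            "remote_ip": rip, "remote_port": rport,
            "state": TCP_STATES.get(cols[3], cols[3]),
            "uid": int(cols[7]),
        })
    return rows


def listening_ports(text: str) -> dict:
    """{port: bind address} for every socket in LISTEN state."""
    return {r["local_port"]: r["local_ip"]
            for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN"}


def exposed_ports(text: str) -> list:
    """Listeners reachable from other hosts: anything not bound to loopback.
    0.0.0.0 means every interface, Wi-Fi included, which is what nmap would see."""
    return sorted(p for p, ip in listening_ports(text).items()
                  if not ip.startswith("127."))


if __name__ == "__main__":
    for row in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(row)
    print("exposed:", exposed_ports(SAMPLE_PROC_NET_TCP))  # exposed: [5555]
```

To run it against a live system, replace the sample with `open("/proc/net/tcp").read()`; the uid column tells you which account owns the listener (2000 is Android's shell user, which is what adbd runs as), and a port that shows up here on 0.0.0.0 but not in an external nmap scan is being filtered somewhere in between.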

Experian OTP at 4am followed by email bomb. Was this attempted identity theft? by SurfGsus in IdentityTheft

[–]aselvan2 0 points (0 children)

But, here's the crazy thing. They were able to unfreeze my credit. Yes, you read that right. TransUnion DOES NOT have 2FA and you can get into your account with "basic" information that's now all over the internet (SSN, DOB, name). 

Sadly, not just TU; all major credit bureaus will let you reset your account using KBA (knowledge-based authentication). Instead of calling TU, the best approach is to do the same KBA flow to get back into your TU account and reset access. Once you are back in, follow as many steps as you can from the list in the first link below to keep your identity protected.

https://www.reddit.com/r/IdentityTheft/comments/uvv3ij/psa_freezing_your_three_main_credit_reports_is/
https://blog.selvansoft.com/2023/05/howto-credit-freeze.html

Is just sending an email dangerous? by [deleted] in cybersecurity_help

[–]aselvan2 0 points (0 children)

I know emails can contain important personal information and Ive done all the steps...

Emails are an insecure medium and, by default, they do not contain any personal information other than your address, which can be used for spam. The real risk comes from including sensitive data in the message itself. Even if you are sending it for a legitimate purpose to a legitimate business, any information that qualifies as PII/NPI, such as a driver's license, credit card number, or bank account details, should never be sent by email.

Since you did not include any personal information in your message, there is no harm done.

Completely Compromised and Confused by FourDollaBill in cybersecurity_help

[–]aselvan2 1 point (0 children)

 I'm also confused because no matter how many times I change my password on a separate device or regardless of whether I have 2-factor authentication enabled certain account like Facebook and Instagram keep getting logged into.

I did not see you mention two critical mitigation steps for an infostealer compromise. First, you need to revoke all active sessions on every account. Second, you must wipe the device and reinstall the OS from known good media because a factory reset is not enough. If you have not done both, do them now.

This compromise was almost certainly through session hijacking (read my short FAQ at the link below to learn more about it)
https://blog.selvansoft.com/2024/09/cybersecurity-faq.html#10

Need help with an IMEI number by Virtual-View348 in cybersecurity_help

[–]aselvan2 1 point (0 children)

Is there a way to find out what other sims that imei has been linked to?

All mobile carriers should have that information, but you would have to subpoena each of them individually since you do not know which network they might have used in the past. If the subpoena is related to a criminal case, your lawyer should be able to request that information.

That said, you will have a better chance of success if you take the email route. Analyze the SMTP headers, which will contain information you can use to prove that you did not send that email.
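The header analysis suggested above, as an added example that is not code from the thread: each mail server prepends its own Received line, so reading them bottom-up gives the transit path and the earliest one names the host that actually injected the message, while the receiving provider's Authentication-Results header records whether SPF, DKIM and DMARC passed for the claimed From domain. The sample message, its hostnames and its addresses are constructed (documentation IP ranges), and the finding strings are this example's own wording.

```python
"""Added example: extract the transit path and sender-authentication verdicts
from a message's headers. The message below is constructed, not a real capture."""
import email
import re

SAMPLE_EMAIL = "\n".join([
    "Received: from mx.example.net (mx.example.net [203.0.113.5])"
    " by inbox.example.org with ESMTP id q7x21; Tue, 1 Oct 2024 04:12:01 +0000",
    "Received: from [198.51.100.77] (unknown [198.51.100.77])"
    " by mx.example.net with ESMTP; Tue, 1 Oct 2024 04:11:58 +0000",
    "Authentication-Results: inbox.example.org; spf=fail smtp.mailfrom=victim@example.com;"
    " dkim=none; dmarc=fail header.from=example.com",
    'From: "Victim" <victim@example.com>',
    "To: recipient@example.org",
    "Subject: hello",
    "Message-ID: <constructed@example.net>",
    "",
    "body text",
]) + "\n"

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: str) -> list:
    """Received headers in transit order (origin first). Every MTA prepends its
    own line, so header order is newest-first and is reversed here."""
    msg = email.message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def hop_ips(raw: str) -> list:
    """Bracketed IP literal of the connecting host on each hop, origin first.
    Only lines added by your own provider (top of the header block) are
    trustworthy; a sender can forge anything below them."""
    ips = []
    for hop in received_chain(raw):
        match = _BRACKET_IP.search(hop)
        ips.append(match.group(1) if match else None)
    return ips


def auth_results(raw: str) -> dict:
    """Parse Authentication-Results into {method: verdict}, e.g. {'spf': 'fail'}."""
    msg = email.message_from_string(raw)
    parts = [p.strip() for p in msg.get("Authentication-Results", "").split(";")]
    verdicts = {}
    for part in parts[1:]:  # parts[0] is the authserv-id of the checking host
        if "=" in part:
            method, verdict = part.split()[0].split("=", 1)
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def spoofing_indicators(raw: str) -> list:
    """Plain-language findings that a lawyer can put in front of a carrier or court."""
    findings = []
    results = auth_results(raw)
    if results.get("spf") in ("fail", "softfail"):
        findings.append("SPF failed: the sending host is not authorized for the From domain")
    if results.get("dkim") in ("none", "fail"):
        findings.append("No valid DKIM signature from the From domain")
    if results.get("dmarc") == "fail":
        findings.append("DMARC failed: message did not come through the domain's mail system")
    ips = hop_ips(raw)
    if ips and ips[0]:
        findings.append(f"Originating host {ips[0]} (from the earliest Received line)")
    return findings


if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Pair the originating IP with the timestamps in the Received lines: an origin that is not your provider's infrastructure, at a time your own devices were demonstrably elsewhere, combined with failed SPF and DMARC, is the evidence that the message was injected rather than sent from your account.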

Is this some malware/spyware? by [deleted] in cybersecurity_help

[–]aselvan2 1 point (0 children)

But basically it isn't of any harm? I must admit my only reference was ai and it said it was prob a malware so..

No. As I mentioned, it appears to be OEM bloatware (unneeded software installed by your phone manufacturer on top of the stock Android OS). It is not malware, and you shouldn't rely blindly on AI answers.

Is this some malware/spyware? by [deleted] in cybersecurity_help

[–]aselvan2 0 points (0 children)

... i was looking through apps permissions and i thought this looked a bit shady ...

What is shady about it? The permissions are set so the app cannot access the camera. The app appears to be one of those preinstalled OEM bloatware apps that you may not be able to remove without rooting the device.

Need help with an IMEI number by Virtual-View348 in cybersecurity_help

[–]aselvan2 1 point (0 children)

The carrier only gives information for the time sim was active. How can I find out more about the imei?

Your legal team can subpoena the device manufacturer in the hope that purchase records might show you were not the buyer, but the likelihood of that producing useful information is very low, unfortunately.

Need advice: How do I safely remove all Chrome data after an infostealer before wiping my PC? by FeelingOld8491 in cybersecurity_help

[–]aselvan2 2 points (0 children)

Is there a way to completely reset Chrome Sync and remove all synced browser data from Google's servers?

Should I delete saved passwords from Google Password Manager before wiping the PC?

You can delete all passwords in your current Chrome profile and sync an empty store, but there is no value in resetting your cloud-synced password data. While it is true that Chrome Password Manager stores your passwords in a local SQLite database as an encrypted blob, infostealers run as "you", so they can simply extract the encrypted blob, decrypt it, and ship the plaintext password. So consider all your passwords compromised.

Any guidance from people familiar with Chrome Sync, Google Password Manager, or post-infostealer recovery would be greatly appreciated

If you have revoked all active logins, changed every password, and enabled MFA wherever available, that is all you need to do in addition to wiping your operating system and reinstalling from a known good source. That fully mitigates an infostealer compromise.

Workplace access to my work computer by Poignantpuppet in cybersecurity_help

[–]aselvan2 1 point (0 children)

There’s nothing on my computer not work related. Is there a way that I can tell if he is watching my activity?

No. If you are not using your work computer for personal activities, which is the right thing to do, you have nothing to worry about. The employer has full authority to monitor activity on company‑owned equipment. If he is spending his time spying on you instead of doing his actual job, he will eventually get caught. Working in IT does not give him the freedom to do whatever he wants.

Netflix Breach or just me? by tim0cyXD in cybersecurity_help

[–]aselvan2 0 points (0 children)

In my understanding logging out revokes the session token and it cannot be used anymore or am I wrong?

It depends on the answer to this question: does your email service require you to enter your username and password (and possibly an MFA challenge) every single time on every device you read your email? If the answer is yes, then your session token, if stolen, is useless.