I’m going to lead with the conclusion here: get a password manager, transfer your passwords into it, and erase them from your browser. We’ve been giving this advice to our customers for quite a while now, and on our summer family vacation this year we discovered yet another reason to confirm our opinion.

My father-in-law was having some trouble doing something on his desktop computer “up at the lake” where we took our family holiday this year. Messing around with it, we discovered that his account on his Windows 10 computer did not have admin privileges. Instead, there was another account on the machine called “Admins” which seemed to be an administrative account. Chuck, my father-in-law, had no recollection of setting up that account, but we figured he must have at some point for some reason. Not being an admin on your own computer seemed strange to me, because it causes problems with installing programs and doing other things on the computer.

We rebooted the machine and tried to log in to the “Admins” account, but none of the passwords Chuck knew or had written down would open it. I remoted in to my computer at home and downloaded a program I use there to clear the password on a Windows account. Upon logging in to this mystery “Admins” account, my concerns rose sharply: there was only one file on the desktop, and it was called “PASSWORDS.TXT”. We opened that file and found that it contained the remembered passwords from each of the 3 browsers installed on the computer: Chrome, Internet Explorer and Firefox. It came to 17 pages of passwords when printed out.

We ran a scan on the computer and found a small piece of malware designed to harvest all the passwords saved in the browsers on the computer. The malware had run on the computer over the course of two days in June. During that time it probably changed the security configuration of the computer, created the bogus “Admins” account, stole the passwords and transmitted them to the miscreants who had placed the trojan horse on the computer. It then covered its tracks, including items in the Event Log.
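As an added example that is not from the original post: a quick defender-side audit, run from an elevated PowerShell 5.1 prompt on a Windows 10 machine, for the two artefacts described above: an administrator account nobody remembers creating, and a cleared Security event log. The `$KnownAdmins` list and the account name `Chuck` are assumptions you would replace with the accounts you actually expect.

```powershell
# Added example, not code from the original post. Checks a Windows 10 machine for
# an unexpected member of the local Administrators group and for Security-log
# clearing. Run from an elevated PowerShell 5.1 prompt.
# $KnownAdmins is an assumption: list the accounts that should hold admin rights.
# The built-in Administrator is always a member, even when disabled.
$KnownAdmins = @("$env:COMPUTERNAME\Chuck", "$env:COMPUTERNAME\Administrator")

# 1. Who is in the local Administrators group? Anything not in $KnownAdmins is
#    flagged. Names come back as COMPUTERNAME\User for local accounts.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $flag = if ($KnownAdmins -contains $m.Name) { 'expected' } else { 'UNEXPECTED' }
    '{0,-11} {1,-40} {2}' -f $flag, $m.Name, $m.ObjectClass
}

# 2. All local accounts. Windows keeps no creation date here, so PasswordLastSet
#    is the closest proxy for when an account such as "Admins" first appeared.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Sort-Object PasswordLastSet -Descending |
    Format-Table -AutoSize

# 3. Log tampering. Event ID 1102 ("The audit log was cleared") is written into
#    the Security log after it is cleared, so it survives the wipe. 4720 (user
#    account created) and 4732 (member added to a local group) survive only if
#    the attacker did not clear the log afterwards.
$since  = (Get-Date).AddDays(-90)   # wide window; the post describes a two-month gap
$tamper = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
if ($tamper) {
    'Security log was cleared {0} time(s); most recent: {1}' -f $tamper.Count, $tamper[0].TimeCreated
} else {
    'No Security-log-cleared (1102) events found in the window.'
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A 1102 event with no surrounding 4720/4732 events is itself the finding: the account was created and elevated, and then the record of it was removed.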

This week, my father-in-law has spent many hours resetting the passwords on all his accounts and setting up the LastPass password manager. As far as we know, none of his accounts were breached, but the bad guys have had 2 months to monkey around with them, so we are really lucky. The Avast Antivirus installed on the computer had given no indication of the breach during this time.

This kind of breach has a long tail that goes beyond the immediate account problems. The IDs and passwords taken (including, in one case, an SSN) are now public, and miscreants can try them against any other accounts whose credentials were not stolen. For example, if Chuck’s account information for, say, Amazon was not stolen, but he uses the same email and password for it as for some account that was stolen, his Amazon account could later be successfully attacked. Clean-up therefore includes changing and randomizing the password on every single online account he owns.