Welcome to Tesla Motors Club

Tesla Account Breached: Enable 2FA if you haven't already done so

I received an odd email from Tesla showing that a purchase for a wall charger was made from my account. I did not order it and haven't logged into my Tesla account in well over 2 years. I confirmed with my credit card company that the order and charge were placed, so I told them it was fraud and that the shipping/billing address did not match my own. I tried to contact Tesla and got an auto-reply email that they will get back to me within 3-5 business days. Finally, I was able to contact UPS and have the package re-routed back to Tesla so the thief doesn't get the wall charger.

After logging back into my Tesla account, I enabled 2-Factor Authentication and reset my password. While 2FA still isn't 100% safe (hackers can still clone phone and device IDs), it's sure better than nothing. I don't think 2FA was available the previous time I logged in, but it's available now and I recommend you do so. I'm just glad the unauthorized user didn't play with the vehicle controls like blasting the volume, running down my battery via HVAC/seat heaters, honking randomly, or opening my sunroof or trunk while it was raining. No other accounts of mine were breached, and I'm assuming there might be an issue with Tesla's security. For instance, I'm not sure if there's an account lockout after X number of failed attempts or from an unusual IP address, or if there's some sort of notification that an attempt was made. If not, it's not hard at all to create a bot to get through.

I'm not sure if the thief tried to send the wall charger to their own address, if the person at the address is at all connected to the thief, or if they planned to play porch-pirate, but they sent it to a New Jersey residence near a college. I'm assuming it's a college student trying to play hacker.

Of course no company is foolproof, but you mention you have not logged into your Tesla account in "2 years". Do you not have a Tesla vehicle any longer? If you do, and you are using the Tesla app, you are logging into your Tesla account.

Have you ever (at any point in time) used any third-party Tesla application, even self-hosted ones?
 
Did you:
  • Use a strong password/passphrase?
  • Use a unique password/passphrase not shared with any other account?
Nope.
Yes. My Tesla account WAS a variation of my general "car related" password with a different number sequence at the end.

Well, I suppose I didn't include the Tesla app (I use that at least once a week), but I haven't logged onto the website account in over 2 years. The point was that 2FA wasn't available the last time I logged in through the website, so I wasn't aware. I'm not sure 2FA can be enabled or is mentioned anywhere in the Tesla app.

No, never used a 3rd-party Tesla app, because I didn't trust their future security measures; I assumed that many of them would be defunct in a few years and data would eventually sit unsecured.

My purpose in sharing this is that 2FA is available and I would recommend using it to avoid my scenario, but please do as you wish.

Using 2FA is a good warning. I enabled it when it became available, which I think was near the end of 2020. IMO some form of 2FA should be used on anything people care about.
 
Yes. My Tesla account WAS a variation of my general "car related" password with a different number sequence at the end.
Ah, as someone who works in computer security, I would put my money on that general car-related password having been compromised at some other site/service: the bad guys bought the list and sprayed it across everything they could find, iterating the number sequence at the end until they were successful. Unfortunately, this is super common. Using a unique password for each account and storing them in a password manager is a good practice, in addition to MFA.

Also, to answer your question:
I'm not sure if there's an account lockout after X number of failed attempts or via an unusual IP address
It looks like Tesla uses Akamai's Web Application Firewall service. At minimum, this does browser/user_agent profiling to detect automated attempts, and it'll temporarily block you after 5 incorrect guesses, though I didn't test it exhaustively to see if it'll eventually do that by IP address or escalate block duration for successive attempts (I'm not an Akamai customer; we use one of their competitors). There are issues with blocking by IP address: if you're on a NAT'd IP and get blocked, now no one else on that network can use their app or car connectivity (a university wireless network is a good example of this). It's also not super effective; bad guys can use botnets, free VPN services, proxy services, or just spin up dynamic cloud compute with ephemeral IP addresses. You're better off throttling by IP if anything, and then applying stronger authentication controls.
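As an added illustration of the two points in the reply above (the suffix-iterating spray and why a hard IP block is the wrong tool), here is a small login throttle written for this page; it is not Tesla's or Akamai's code. It combines a per-account lockout with escalating duration and a per-IP sliding-window rate limit, then runs it against an attacker who rotates source IPs and against a legitimate user behind the same NAT address. The account names, passwords, thresholds and IP addresses are all made up for the demo.

```python
import hmac
from collections import defaultdict, deque

# Constructed sample accounts for the demo. The base password plus a numeric
# suffix mirrors the pattern described in the thread; none of this is real data.
# A real service stores salted hashes, not plaintext; kept plain here for brevity.
USERS = {
    "op@example.com": "CarForumPass2017",
    "neighbor@example.com": "correct horse battery staple",
}

MAX_ACCOUNT_FAILURES = 5   # assumed: temporary lock after 5 wrong guesses
BASE_LOCK_SECONDS = 60     # assumed: doubles on each successive lockout
IP_WINDOW_SECONDS = 60     # assumed sliding window for the per-IP rate limit
IP_MAX_ATTEMPTS = 30       # throttle, not a hard block: NAT'd users share an IP


class LoginThrottle:
    """Per-account lockout with escalating duration plus a per-IP sliding-window
    rate limit. Time is passed in explicitly so the demo is deterministic."""

    def __init__(self, account_lockout=True):
        self.account_lockout = account_lockout
        self.failures = defaultdict(int)       # account -> consecutive failures
        self.lockouts = defaultdict(int)       # account -> lockouts so far
        self.locked_until = {}                 # account -> unlock timestamp
        self.ip_attempts = defaultdict(deque)  # ip -> attempt timestamps in window

    def _ip_allowed(self, ip, now):
        window = self.ip_attempts[ip]
        while window and now - window[0] >= IP_WINDOW_SECONDS:
            window.popleft()               # drop attempts that aged out
        if len(window) >= IP_MAX_ATTEMPTS:
            return False
        window.append(now)
        return True

    def attempt(self, account, password, ip, now):
        """Return 'ok', 'bad_password', 'account_locked' or 'ip_throttled'."""
        if not self._ip_allowed(ip, now):
            return "ip_throttled"
        if self.locked_until.get(account, 0) > now:
            return "account_locked"
        stored = USERS.get(account)
        # Constant-time compare; unknown accounts fail the same way as wrong passwords.
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.account_lockout and self.failures[account] >= MAX_ACCOUNT_FAILURES:
            self.lockouts[account] += 1
            self.locked_until[account] = now + BASE_LOCK_SECONDS * 2 ** (self.lockouts[account] - 1)
            self.failures[account] = 0
        return "bad_password"


def simulate_spray(throttle, account, leaked_base):
    """Attacker iterates a numeric suffix on a password leaked elsewhere, rotating
    the source IP every guess so a per-IP rule never fires. Returns the number of
    guesses that actually reached the password check and the outcome."""
    evaluated = 0
    for i, year in enumerate(range(2000, 2030)):
        result = throttle.attempt(account, f"{leaked_base}{year}", f"198.51.100.{i}", now=i)
        if result == "ok":
            return evaluated + 1, "compromised"
        if result == "bad_password":
            evaluated += 1
    return evaluated, "held"


def nat_scenario():
    """Attacker and a legitimate user sit behind one NAT address. Returns the
    legitimate user's result during the attacker's burst and after the window expires."""
    throttle = LoginThrottle()
    shared_ip = "203.0.113.7"
    for i in range(IP_MAX_ATTEMPTS):
        throttle.attempt("op@example.com", f"CarForumPass{2000 + i}", shared_ip, now=i)
    creds = ("neighbor@example.com", "correct horse battery staple", shared_ip)
    during = throttle.attempt(*creds, now=IP_MAX_ATTEMPTS)
    after = throttle.attempt(*creds, now=IP_MAX_ATTEMPTS + IP_WINDOW_SECONDS)
    return during, after


if __name__ == "__main__":
    print("no account lockout:", simulate_spray(LoginThrottle(account_lockout=False), "op@example.com", "CarForumPass"))
    print("with account lockout:", simulate_spray(LoginThrottle(), "op@example.com", "CarForumPass"))
    print("shared NAT address:", nat_scenario())
```

Without the account lockout the spray lands on the real suffix on its 18th guess, since every guess arrives from a fresh IP. With it, the fifth wrong guess locks the account and the remaining guesses never reach the password check, regardless of source IP. The user behind the shared NAT address is delayed only until the sliding window clears, not blocked outright; both checks belong in front of MFA, not in place of it.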
 
Yeah, I had an inkling that perhaps I was a little careless and fell into the "well, if it hasn't happened already, it's probably fine" heuristic. I have a bare minimum knowledge about all this tech stuff; my wife is much better at it than me. My baby cousin is now 26, has a Master's in CS from Berkeley, and used to participate in those multi-day white-hat hackathons.

My extended family members are hyper-competitive with Scrabble and Boggle. During the first Thanksgiving of the pandemic we played a web version of Boggle; my cousin created a bot that cross-referenced dictionary.com's data, so while we might come up with 20-30 words, my cousin would have every possible word. Anyway, I should probably talk to him about this. I bet you're right, though, about my general car-related password being compromised. It just takes one set of physical data tapes getting stolen or one website getting breached for a data leak to occur. I've been on at least 7 car-related forums pretty much since 2000.