Someone accessed my PayPal account

by Declan on February 4, 2010

I thought I was quite careful and secure when it came to my dealings online. I even bought a great piece of software called RoboForm so that I could easily maintain different passwords on different sites.

Unfortunately, I didn't change the passwords I had created before I got RoboForm, and I received a strange email the day before yesterday:

make yourself more safe. bcoz i went through your paypal account,
hosting and domain logs. its not very easy to remain safe in the
internet. i busted your inbox. sorry for that. ;)

At first I thought it was a joke or some kind of spam, but looking a bit further down in my inbox I saw 4 emails from PayPal detailing 4 different payments.

total: $140

I went into panic mode and changed the passwords on as many of my most important accounts as I could: email, PayPal, hosting, etc.

After a while I really started to wonder exactly how this person had accessed my account. I'm really careful when it comes to phishing. Could it have been a virus with a keylogger built in? I decided to just ask him (her?):

Shouldn’t a hacker reveal how the hack was done so that the victim can
learn how to improve their security? ;)

What mistakes did I make?

They were kind enough to answer:

yeah you got me right, i didn’t mean to harm you. i just want to warn
you. here is your mistake:
1. stop using the same password for all of your accounts.
2. don’t give out your main email account and password to random
sites, bcoz many sites are hackable. hackers extract email accounts
from those sites, like i found your email+pass
[361] declancostello*****.com:******

so that’s all, sorry again if i harm you anyway.

If you've got the same password on multiple sites, at least change it on the most important ones so that anyone who gets hold of one password doesn't have access to everything.

A chain is only as strong as its weakest link.

RoboForm comes with a plugin for Firefox so that you can select a site + account from a list, and it will navigate to the login page, fill in your details and submit them, so that you land on your logged-in page with a single click. Just make sure that the passwords you save are unique to each site.
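One way to find which saved logins still share a password, and which of the important ones to change first, is to audit a password manager export. The script below is an added example, not part of the original post: the CSV column names (Name, Login, Pwd), the sample rows and the list of critical accounts are all constructed assumptions, so adjust them to whatever your own export contains.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the column names (Name, Login, Pwd) are assumed.
SAMPLE_EXPORT = """Name,Login,Pwd
paypal.com,user@example.com,hunter2-old
mail.example.com,user@example.com,hunter2-old
smallforum.example,user@example.com,hunter2-old
hosting.example,user,Xk9#unique-host
news.example,user,Qp4!unique-news
"""

# Accounts whose takeover exposes money or other accounts (assumed list).
CRITICAL = {"paypal.com", "mail.example.com", "hosting.example"}


def reuse_clusters(export_text):
    """Group site names by password; return only groups with more than one site."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Key on a digest so the plaintext password is never stored or printed.
        key = hashlib.sha256(row["Pwd"].encode("utf-8")).hexdigest()
        groups[key].append(row["Name"])
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


def change_first(export_text, critical=CRITICAL):
    """Critical accounts that share a password with at least one other site."""
    exposed = set()
    for sites in reuse_clusters(export_text):
        exposed.update(s for s in sites if s in critical)
    return sorted(exposed)


if __name__ == "__main__":
    for sites in reuse_clusters(SAMPLE_EXPORT):
        print("shared password:", ", ".join(sites))
    print("change first:", ", ".join(change_first(SAMPLE_EXPORT)))
```

Delete the export file once the audit is done, since it holds every password in plaintext.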

P.S.

I filed a suspicious transaction report with PayPal and they refunded the money taken by my would-be attacker :)