I’ve been receiving unrequested 2FA codes from multiple sites. I think I’m being hacked, but I’m not sure how, or how to stop it.

Over the past week, I have received unrequested 2FA verification codes from Apple, Facebook, Google, and Snapchat. Strangely, they each happened on a separate day. Saturday, a bunch of texts from Apple. Sunday, a bunch of texts from Facebook. Monday was Snapchat, and Tuesday was Google.

These texts also persisted after a password change – for example, I got 3 codes in a row from Apple, changed my password, then got a couple more codes.

Some background:

  • I use unique, complex, randomly generated passwords for everything.

  • I store my passwords in 1Password. The password for 1Password itself is complex, pretty long, and exists only in my head. I have never written it down or shared it with anyone. Same for my individual site passwords.

  • The 1Password vault is stored on Dropbox (which is secured with 2FA itself). Checking my Dropbox account activity, no devices have accessed the account other than my own.

  • My devices: Windows desktop, Windows laptop, iPhone X. All encrypted. None have left my possession. I have not sold, traded, donated, or otherwise relinquished control of any device for quite some time.

  • Some interesting things about the verification codes:

    • The texts themselves appear to be legit. For example, Facebook also sends an email along with an SMS. In the Facebook account/security settings, you can access a list of emails that Facebook has recently sent you. These unrequested verification emails are in there.

    • For the Apple codes, I did NOT receive the standard 2FA notification on my iPhone, like what you normally see when logging in to a new device. Just the SMS. This at least partially leads me to believe that someone is trying to add my phone # to their own account, not logging in with my account.

    • Snapchat is also an interesting case, because I did not have that password stored ANYWHERE – 1Password or otherwise. I made the account in a hurry, gave it a random password that I forgot to document, and promptly forgot it.

    • For Google, it appears pretty easy to send anyone a verification text with only a phone number, using Google’s own password recovery system.

How likely is it that someone has all of my passwords, versus the chance that they are (whether mistakenly or not) trying to add my phone number to their own account?