[SOLVED] How did I get hacked from 2 different accounts using different passwords?

[onechi]

Look, I consider myself decently tech savvy, I don't download suspicious torrents, open emails telling me I won a million dollars or go on phishing sites. Hear me out.
Both my email and a gaming account I use got hacked, they share the same email but different passwords. I'm a bit lost as to how it happened.

27 Oct 6pm received a “verification code” email from the game, the contents of the email is really basic and just says “verification code xxxx” doesn’t say what its for (ie password reset/email change/2fa code). I did not see this email until the next day as I don’t have push notifications for my email. I know the game has 2fa so it could've been a 2fa code, but they would've needed another verification to change my email on the account ( I know this is the case because I tested it on a new account I made), which makes me think they bypassed the 2fa? I guess its possible right?

When I woke up, I was logged out. I attempted to login to my game but I wasn’t able to, then I found out my email was not registered anymore. When I checked the deleted folder in my email it was when I noticed the above email. The email was ‘read’ and deleted, I obviously knew it wasn’t me as I didn't even check my email then.

Of course since then I’ve changed my passwords, added more security, did virus scans etc. But what I’m confused about is:

• My email and game have 2 different passwords, it would’ve been really unlikely that they were able to get 2 different passwords? I thought it could’ve been malware but I’ve scanned my PC using a few anti viruses that came up with nothing, I also did a scan a few days back and didn’t get anything.
• Gaining access to my games account seemed like that was their only goal. It was an outlook account that has a feature to retrieve emails that were deleted from the deleted folder, and that was the only email that was there, no other 2fa was triggered. I figured if it was really malware they would’ve done more than just gain access to my game? I checked my other accounts/social media/paypal etc to see “last login location” and didn’t see anything suspicious anywhere
• My other assumption was that they gained access to my email first but how would they have known that the email was registered to the game? My characters name is not the same as my email nor does the game feature your email anywhere. If they were trying to gain access to my email as an initial goal, I feel like they would’ve done more harm instead of just getting a gaming account.

This is a really old email (I’ve been using it for probably 15+ years) and yes its on haveibeenpwned but I’ve changed my passwords since then, the last pwn happened 2 years ago before I even played this game. I have not shared my account with anyone or used public wifi in forever.

I should also add that on the same day 28 Oct, I scoured the internet and was able to find my account on sale. The next day the seller actually took down the ad and I was not able to find another ad for my account.

Any insight would be appreciated so I can stop this from happening again!

 

[rgd1101]

I don't download suspicious torrents

so you do download torrents?

 

[onechi]

so you do download torrents?

Yeah, won't deny that I download movies here and there.

 

[Zerk2012]

Yeah, won't deny that I download movies here and there.

Don't play that game but most have a password reset/ forgot my password that can be used by your Email.

 

[JohnBonhamsGhost]

was able to find my account on sale.

if your account was "stolen" and was posted for sale somewhere the user names, passwords, and linked email accounts would've already been changed or there would be no sense in even trying to sell it.
so you would've not been able to access the account at all if this was the situation.

you don't mention the actual game, why?

many games will update security protocols and emails like this will be sent out just letting you know things have changed.
usually reason would be mentioned but may just be some bot with zero info or just a low enough budget game that they don't bother.
sometimes you will need to log back in to be re-registered into their altered or new system.

unless you have been dealing in shady content that would lead to some very specific targeting malware then it is impossible for this game situation and your email account having mysterious messages just "read & deleted" behind your back to be related.

more than likely you just saw it, thought it was spam, and deleted it but don't remember.
unless you're a Somnambulist or take Ambien and did it without knowing in the middle of night.

 

[rgd1101]

refresh os install.
and stop pirating

 

[onechi]

if your account was "stolen" and was posted for sale somewhere the user names, passwords, and linked email accounts would've already been changed or there would be no sense in even trying to sell it.
so you would've not been able to access the account at all if this was the situation.

you don't mention the actual game, why?

many games will update security protocols and emails like this will be sent out just letting you know things have changed.
usually reason would be mentioned but may just be some bot with zero info or just a low enough budget game that they don't bother.
sometimes you will need to log back in to be re-registered into their altered or new system.

unless you have been dealing in shady content that would lead to some very specific targeting malware then it is impossible for this game situation and your email account having mysterious messages just "read & deleted" behind your back to be related.

more than likely you just saw it, thought it was spam, and deleted it but don't remember.
unless you're a Somnambulist or take Ambien and did it without knowing in the middle of night.

Yep, the email and password have been changed. I was able to re register for an account using the same email.

The game's Genshin Impact.

They don't inform you that your email has been changed, they do send an email with a 'verification code' but the email is vague and doesn't say anything, it just says like "verification code xxxx, your verification code will expire in 30 minutes" and has no other information on what it was requested for. I tested it with a new account and got the same results.
I don't delete my emails at all, plus I knew I didn't request the verification code because well, I didn't change anything in my account. Which is why I've been scratching my head wondering how it happened, it would make sense if they shared the same password but I know they don't.