Alliant Credit Union security?

[aspiringboglehead]

My Alliant Credit Union account was apparently hacked today, even though I use two-factor authentication with them, had a strong unique password, and never entered the password except on secure devices. I received an SMS message with a two-factor-authentication code despite not having logged in; when I logged in to check what had happened, the site showed a successful login from an Amazon AWS IP address unconnected to me, and telephone support confirmed that that login was successful and was able to access my account.

No transactions were initiated, and I changed my account number and username. I'm just curious if anyone has had any similar experience with Alliant recently. I'm quite savvy with computer security and have never had an online account hacked before. I've been an Alliant customer for ten years and am concerned that they couldn't explain how the login was permitted even though I use two-factor authentication; it suggests a wider problem.

[CAsage]

I changed my account number and username.

Did you mean you changed your account username and password - how can you choose (and I'm asking, not quibbling) to change your account number? Would that not mess up every link to every other account or credit payment you have? Yikes! Bad news if someone did hack that, it's what we all fear.

[aspiringboglehead]

Did you mean you changed your account username and password - how can you choose (and I'm asking, not quibbling) to change your account number? Would that not mess up every link to every other account or credit payment you have? Yikes! Bad news if someone did hack that, it's what we all fear.

Yes, at their suggestion I will begin using new checks and update all direct deposits, routine ACH withdrawals, etc. That's a minor inconvenience; it's not unmanageable.

I did tell them "everyone who's ever gotten a check from me has my account number," and their reply was that people I give checks to are probably more reputable than the person who hacked my account. (I'm not sure if that's true, but it seems likely.)

[CAsage]

So ... good thing no funds were taken or transactions initiated. So .... what did they get exactly? Scary that someone hacked in, but I'd still be worried about what and why. Honestly, this whole two-factor thing was supposed to make it safe, but now ... if someone steal your cell phone they can confirm everything from there! Scary world.

[Lastrun]

Have you ever given your credentials to an aggregation site? The reason is I had a similar issue with Capital One just last week but my account there has been closed for about a year. Only thing I could think of is was at one time that account was linked to Personal Capital that I also do not use anymore,

[aspiringboglehead]

Have you ever given your credentials to an aggregation site? The reason is I had a similar issue with Capital One just last week but my account there has been closed for about a year. Only thing I could think of is was at one time that account was linked to Personal Capital that I also do not use anymore,

No! I avoid those like the plague.

[CalculatedRisk]

it suggests a wider problem.

The wider problem may be that you were phished. If you log in using a fake website, the perpetrators can intercept both your login/password and a session cookie that allows them to avoid requiring 2FA.

Did the 2FA text you got include a link? Did you follow that link or type in the website by yourself?

[arf30]

I've noticed some sites have fake 2FA - TD Bank for example requires a code when logging in through desktop, but not through the mobile website. It's possible Alliant has a similar loophole and all they needed was your username and password.

[aspiringboglehead]

The wider problem may be that you were phished. If you log in using a fake website, the perpetrators can intercept both your login/password and a session cookie that allows them to avoid requiring 2FA.

Did the 2FA text you got include a link? Did you follow that link or type in the website by yourself?

The 2FA from Alliant is just a numeric code.

I'm quite confident I wasn't phished.