Tastytrade账号被莫名转出了50k wire

今天早上莫名看到账号被转出了一笔 wire 50k现金 只收到了邮件提醒 Thank you for reaching out. Full account restrictions have been placed on your account at this time. These restrictions can be removed at any time at your request. It looks like the wire was sent to Truist Bank account number 1430006402575. Unfortunately, it is too late to reject the wire request on our end. We have requested that our clearing firm, Apex Clearing Corporation, submits a wire recall request. From what we can tell, this account intrusion was not a result of deficiencies of tastytrade systems. It appears that the intruder was in possession of your login credentials and was able to login cleanly at first try. Further, it appears that you did not have two-factor authentication enabled for your account at the time of the unauthorized withdrawal. Unfortunately, this would have likely stopped the wire withdrawal from being requested as it is usually a very effective security measure. I see that you have updated your tastytrade password and enabled two-factor authentication for sensitive actions within your account. Please be sure when updating passwords to use strong password practices. Ideally, a password should be at least 12 characters and include a mix of lower-case and capital letters, numbers, and special characters such as @, $ or *. It should be unrelated to any of your prior passwords and should be unique and not used within more than one website or app. If you are struggling to think of something, you can use a password generator (there are several free options available) or pick a short sentence or phrase to use as inspiration and replace certain letters with numbers or special characters. You may want to consider changing the password tied to your email address associated with your tastytrade account. I am not indicating that your email is compromised, but this is a common place where such leaks occur. We strongly suggest that you enable two-factor authentication for sensitive actions AND at every login within your tastytrade account. You can do so by logging into your account at https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmy.tastytrade.com%2F&data=05%7C02%7C%7C9aef250986ea4f90fde208de9fc8ff4c%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C639123882785570514%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=uqdziWsCJFXHGSLfejw%2BqW7M0Gjo0IxqsXyLtgQEjBw%3D&reserved=0and follow Manage>My Profile>Security. You will see the toggle to enable these features. If offered, you should do this for all important websites. I would also suggest to never use the “stay logged in” feature for any website and be sure to clear your cookies/cache files routinely. It is a good practice to power cycle your internet router on a routine basis. Finally, frequent and routine virus scans on your devices are highly recommended. I wanted to let you know that wire withdrawals are extremely difficult to call back as the account intruder will act quickly to try to move the funds further away from the receiving bank account. If we caught this early enough, the return of the funds can take quite a bit of time as the bank needs to complete an investigation on their end. Such investigations can take over 90 days. I will keep you posted as more information becomes available to me. Please know that I am doing all I can to return these funds to you 已报警 /uploads/short-url/wVSb4LZHhfYesaMfTedlrz9zila.jpeg?dl=1 邮箱也被黑了

昨天我也是被盗号！我突然收到短信验证码，觉得不对就立马改的密码。我的密码是苹果自动生成的这样也能被盗。这么看来应该是tastytrade数据库不知道为啥泄露了

我靠真吓人啊 之前$250K $10K 没赶上。真的是你图它利息它图你本金

现在不知道咋整了 今天早上九点wire转出的.

有没有重复用密码？tastyworks和邮箱

两个可能性: Password recycling Email got hacked at any rate, To anyone reading this, please set up 2FA on all your financial, social, airline, and hotel accounts, PLEASE I BEG YOU

虾仁 我也薅了这个 赶紧加验证

他家app里好像没看到有加验证的地方？ /uploads/short-url/siQ0JqPbgFqBjZ8Pv8VFGreZtCl.jpeg?dl=1

这种能要回来吗

去网页版设置。

update： 家人们能不能管管俺啊 打电话给了truist 他们说这笔钱在pending 看到这笔钱了 怎么办啊

我的没有。苹果自动产生的

楼主看你截图fidelity也改了密码 这是hacker改的还是你自己操作的

打电话给tastytrade和背后的银行让他们试下能不能拦住这笔wire有用吗(我是小白)？

gotta learn to ask gemini man, it’s free /uploads/short-url/jCWYE7wxknlxUCkSfsSPRtPrq9E.png?dl=1 /uploads/short-url/aJEInFOZzOpaKxcVRRx3Ayabzbi.png?dl=1 /uploads/short-url/GQVRmHPyxFg8dySWO0M9iAeDxk.png?dl=1 /uploads/short-url/4v85501PxYXT4qBd0Dw3XYnu6ry.png?dl=1 did you secure your email and clear any forwarding per suggestion 4? number 1’s http://ic3.gov seems pretty legit? here’s how the number 1 IC3 kill chain works: https://www.justice.gov/elderjustice/media/1364056/dl?inline

tastytrade怎么说？如果一般的客服不给力赶快要求跟supervisor直接对话？

这家有前科啊？ https://www.google.com/search?q=tastytrade+leak+site:www.reddit.com&client=safari&hs=wakp&sca_esv=31f3bc1e9f0acfe0&hl=en-us&prmd=nvi&sxsrf=ANbL-n45N8LAux0icyXgK9twLvvUMdJWUw:1776795697467&sa=X&ved=2ahUKEwjq-Yrjx_-TAxXVnisGHZe8HVgQrQJ6BAgPEAY&biw=440&bih=742&dpr=3 https://www.google.com/search?q=tastytrade+leak+site:www.reddit.com&client=safari&hs=wakp&sca_esv=31f3bc1e9f0acfe0&hl=en-us&prmd=nvi&sxsrf=ANbL-n45N8LAux0icyXgK9twLvvUMdJWUw:1776795697467&sa=X&ved=2ahUKEwjq-Yrjx_-TAxXVnisGHZe8HVgQrQJ6BAgPEAY&biw=440&bih=742&dpr=3

让truist freeze啊

On April 4, my brother’s account, who had a unique password and 2FA enabled, was compromised. The hackers did not withdraw money or change info and trigger 2FA. Though I have repeatedly emailed multiple divisions and Tom, Scott and Tony at Tastytrade, no one is helping me understand what happened and how to resolve. 太吓人了

是不是没有密码也能发出来？

附议，联系turist fraud要求freeze，这个账户的开户信息应该都是假的，用来一进一出的mule账号

我看网页版2FA要SMS或者Authenticator app，LZ是没有设置吗，还是2FA somehow got bypassed？

看楼主贴的客服回复的邮件是说 2FA 完全没打开然后密码泄漏了。 顺便贴一下之前的讨论： https://www.uscardforum.com/t/topic/497875/28 /c/investment/stock-market/13 在使用一个完全隔离的设备之前个人觉得其他的一些简单容易做到的安全实践带来的收益更高： 独立的强密码并且不要存储在不安全的地方或者在不安全的环境使用。 2FA / MFA（确保你的 recovery 邮箱也加上了 MFA）。 不要过度分享隐私信息，包含用户名，账号号码等等。 高危操作开启邮件和 push notification。 网页操作使用单独的浏览器 profile 或者隐私模式。 不使用…

发出来什么？没看懂

他说的发出来=Wire转账给陌生人账户

登录app提示有login attempt。看来是有泄露。我设置了2fa

不行，得有密码才能发出来

TMD. 我手机貌似收不到这家的SMS. 死活收不到sms，但随便打开个打字框，能自动抓取6位数. 破案了. 需要取消iphone对垃圾短信的过滤

or use an authenticator app like authy

家人们 truist不让freeze 开了个case 说client info无可奉告 tastrytrade这边索性就装死 说联系了apex clearing submit了一个recall

他家客服一言难尽fraud只用邮件回

那没用了，钱明天就到肯尼亚/柬埔寨了

报警有用吗？ 这家真是草台班子啊。Fidelity IBKR这些靠谱多了。

被盗要是追不回来那就真是不敢用了 以后我不骂Merrill了 连账户神难因为总要你手动填表发过去

好坑啊 我有点慌了

不一定，pull可能要hold一段时间

他是push的 不知道异地登陆也可以直接用账户密码登录上去

家人们 警察拿了sewrch warrent 明天去冻结了不知道来不来得及

每次看到这种情况，我就感叹老牌full service brokerage能接盘大部分大客户是有道理的。几百万的账户连个客户在需要的时候都联系不上，真的有人会放心用嘛？

早上吓坏了 这还是一个账户 把所有saving和brokage密码都改了

你为什么会放置现金在Tastytrade? 如果买了SGOV，你还有反应的时间。

现在转头把所有的现金换成sgov了…

你们那警察很给力啊。明早去branch可能来得及 https://www.truist.com/content/dam/truist-bank/us/en/documents/cra/truist-branches.pdf https://www.truist.com/content/dam/truist-bank/us/en/documents/cra/truist-branches.pdf https://www.truist.com/content/dam/truist-bank/us/en/documents/cra/truist-branches.pdf 找法庭开order可以让turist调开户时的监控（如果他们没有主动配合的话），看看骗子假ID的工艺。如果是online开户的就呵呵了

这太吓人了，希望lz尽快拿回来

是盗贼登录到lz账户然后发起wire transfer out？一般这种情况在submit时系统不都是要send一个验证code吗？lz账户上的电话号被改了？

他没设置2fa tasty应该默认是不发code

能fdic赔付吗？ 这是监守自盗还是系统安全性差

https://www.reddit.com/r/tastytrade/s/dJbKVsNy32 看看这个 tastytrade的2fa没有login 2fa 还有这个 https://www.cbsnews.com/amp/chicago/news/couple-retirement-account-hacked-tali-erez-hartal-tastytrade/ https://www.cbsnews.com/amp/chicago/news/couple-retirement-account-hacked-tali-erez-hartal-tastytrade/ A Chicago area couple logged into their retirement account only to find out it had been hacked, and a large chunk of their retirement savings was gone. The response from the online brokerage firm is only adding insult to injury.

fdic好像不包这个 不是很懂 但事情都发生了 心态保持平和 希望能要回来吧

这是故意留后门？

Fidelity客服很好，IBKR客服基本没有，只能开ticket

应该是去年的某个时候release了login 2FA, 可能之前出了几次这样的事故了

IBKR 转钱不容易。

这是哪个券商？

/uploads/short-url/2sJyidv7XgasUEDekFTfmPFGB0d.png?dl=1 这个家玩期权比较便宜，其他没好处了。大钱放fidelity或者charles schwab.

邮箱被黑了那是真各种账户都危险。

我邮箱都是Yubi key保的。感觉暂时唯一安心的操作。然后基本所有其他服务都是sso，disable password

感觉是邮箱？你有俄语邮件 应该是被黑了

没有密码能不能让tasty发短信验证码？

Francis958: Further, it appears that you did not have two-factor authentication enabled for your account at the time of the unauthorized withdrawal. 这个是怎么设置。。。

所以撸了10k 后要把钱放多久？….

one year

truist回复 at this time we have taken the appropriate action on the Truist account. We have not received a recall from your institution and are in need of a Hold Harmless. It is recommended that the matter be reported to their financial institution if you have not already done so. 我打电话给tastytrade 看起来他们是一点事儿不办啊 想要一个unauthorized claim form， security incident form 还有 hold harmless form 问什么都是we are working this really hard and will have update soon. 还让我不要打电话了 会delay进度

找你要hold harmless form你可不能签，是tastytrade给truist签

这一堆操作搞完了钱早转走了吧

钱应该被hold住了 转不出去了

tastetrade是一点也不想担责任

是警察去了branch才hold住的吗？还是truist主动freeze了账户？

先不管责任不责任的，wire recall到今天还没发出去真的是太垃圾了。 （做笔记，用各路套壳apex clearing的券商就得有觉悟，出问题没法当天联系上apex clearing的fraud部门）

/uploads/short-url/oTwiQeIw2a0Tb8gmeYlrZTzu9gi.jpeg?dl=1 我哭了 警察太好了 fund还在 freeze了 还帮我去tastytrade要钱了 改天我要去警察局送花！

这太吓人了…2FA都能被绕过？感觉Tastytrade可能有严重的security issue啊。楼主有没有报警？wire一旦发出去基本追不回来，但还是值得试试拦一下。

送个锦旗ZS

给老美警察见识见识中式锦旗哈哈

支持，让敬业的警察感受一下中式感激

我记得 SoFi 用的就是 Apex Clearing。查了下 WeBull、Betterment、Frec、M1 也是

查了一下coinbase也是。神奇的是robinhood一开始用的apex，gme以后就换成自己的了。是不是这么说起来robinhood还更靠谱一点，毕竟出了事不用cross company communication。

我感觉用 apex clearing 的 wire 功能不一定是用的 clearing。很多券商只是股票交易用的 apex clearing RH 比 coinbase 靠谱点吧，开始股票交易的也更早。想要最靠谱就选 Fidelity，AUM 大 /uploads/short-url/jmQhiFbgQTGieZ1uZDyNouLRVF1.jpeg?dl=1 RH 也算前十了

警察好样的，同时tastytrade太烂了。。。

谭赚我赚

我靠，长好快

/uploads/short-url/n7lJZp5xlhmizZP1gtynMTawdFU.jpeg?dl=1

楼主钱要回来一定要写个教程！

送个精致点的餐点，请在场的警察一起吃。

楼主钱要回来了吗？