My Accounts Were Hacked in 2015: Why I'll Never Skip 2FA Again
In 2015, I learned a hard lesson about account security. Two of my accounts - Skype and GitHub - were compromised, and it changed how I think about online security forever.
This experience didn't just make me a 2FA evangelist. It eventually led to the creation of Authn8, our solution for teams struggling with the very real challenge of securing shared accounts without sacrificing productivity.
In this article, I'll share what happened during my 2015 breach, the hard lessons I learned about two-factor authentication, and why the rise of shared team accounts creates a new security challenge that most people aren't addressing properly.
What Happened: The 2015 Breach
The Warning I Ignored
Three days before I realized anything was wrong, I received an email from a site called "Have I Been Pwned." I'd never heard of it before - this was 2015, and the service was still relatively new. The email said my credentials had been found in a data breach.
I ignored it. That was mistake number one.
My Security Habits (Or Lack Thereof)
Up until this point, I had terrible security practices:
- Same password for everything - I used one password across most of my accounts
- No 2FA anywhere - I didn't even know what two-factor authentication was
- Never changed passwords - Why would I? Nothing bad had happened... yet
I figured as long as I used a "strong enough" password, I'd be fine. I was wrong.
The Breach
When I finally realized something was wrong, two of my accounts had been compromised:
- Skype - Someone had accessed my account and was using it
- GitHub - My development account had been breached
The only reason it wasn't worse? My Gmail account had a longer, more secure password that was different from my usual one. Pure luck saved me from a much bigger disaster.
Getting Back In
Thankfully, I managed to recover both accounts. It took password resets, contacting support, and some anxious hours proving my identity. But I got them back.
That's when I made the decision that changed everything.
Why I Became a 2FA Convert
The Immediate Action
Right after regaining access to my accounts, I:
- Downloaded Google Authenticator
- Enabled 2FA on every account that supported it
- Started using unique passwords for each service
- Actually paid attention to security from that day forward
Understanding What 2FA Actually Does
Here's the simple truth: Passwords alone are broken because:
- They can be leaked in data breaches (like mine was)
- People reuse them across sites (like I did)
- They can be guessed or phished
- Once stolen, an attacker has full access
Two-factor authentication adds a second requirement:
- Something you know (password)
- Something you have (your phone, a security key, a code generator)
Even if an attacker steals your password in a breach, they can't get in without that second factor. If I'd had 2FA enabled in 2015, my accounts would have been safe despite the password leak.
My breach wasn't special or sophisticated. It was just a leaked password from a data breach, combined with my bad habit of password reuse. 2FA would have stopped it completely.
My New Security Protocol
After the breach, I implemented a complete security overhaul:
Immediate actions:
- ✅ Enabled 2FA on every account that supported it (email, social media, banking, cloud storage)
- ✅ Used Google Authenticator for TOTP codes instead of SMS (more secure)
- ✅ Created unique, complex passwords for every account using a password manager
- ✅ Saved backup codes in a secure location
- ✅ Set up login alerts for critical accounts
- ✅ Reviewed connected apps and revoked unnecessary access
Ongoing practices:
- Regular security audits every quarter
- Immediate 2FA setup on any new account
- Security key (hardware 2FA) for most critical accounts
- Monitoring for data breaches involving my email addresses
- Never, ever reusing passwords
The Peace of Mind
Here's what changed: I stopped worrying about account security.
Before 2FA, every news story about a data breach made me nervous. "Did I use that service? Should I change my password?" With 2FA enabled everywhere, even if my password leaks in a breach, my accounts remain secure.
I sleep better knowing that:
- An attacker would need physical access to my phone to compromise my accounts
- Login alerts notify me of any unusual access immediately
- My password manager creates impossible-to-guess unique passwords
- Even if one account is compromised, it can't cascade to others
Why We Built Authn8
The Gap in the Market
As I became more involved in security and helping teams implement 2FA, I kept running into the same problem: teams needed to share 2FA codes securely, but there were no good solutions. What I found shocked me:
- Password managers could store TOTP codes, but mixed passwords and 2FA in one tool (single point of failure)
- Consumer authenticator apps (Google Authenticator, Authy) weren't designed for teams
- Enterprise solutions existed but cost $15-30 per user per month
- No solution specifically addressed team 2FA code sharing with proper security
The market had two extremes:
- Consumer tools: Great for individuals, terrible for teams (no audit logs, can't revoke access)
- Enterprise IAM: Comprehensive but expensive, complex, and overkill for small teams
There was nothing in the middle - nothing built specifically for teams that just needed to share 2FA codes securely.
What We Needed
From my 2015 breach, I knew we needed:
- ✅ Strong 2FA protection on all accounts
- ✅ Encrypted storage of 2FA secrets
- ✅ No screenshots or insecure sharing
From the team reality, I knew we needed:
- ✅ Multiple people accessing the same 2FA codes
- ✅ Instant access revocation when someone leaves
- ✅ Audit logs showing who accessed what and when
- ✅ Granular permissions (not everyone needs every code)
- ✅ Works across devices (web, mobile, offline)
Building Authn8
That's why we built Authn8. It's specifically designed to solve the problem of team 2FA management:
Secure vault for team 2FA codes
- End-to-end encrypted storage
- No more screenshots or shared text files
- Organized by team, project, or client
Complete audit logs
- See who accessed which code and when
- Exportable for compliance reviews
- Critical for security investigations
Instant access control
- Assign codes to specific team members
- Revoke access in seconds when someone leaves
- No need to reset 2FA on the actual accounts
Multi-platform support
- Web app for desktop work
- iOS and Android apps for mobile
- Offline code generation (works without internet)
The Philosophy Behind Authn8
Authn8 exists because of two beliefs:
Belief 1: Security and productivity shouldn't be in conflict
You shouldn't have to choose between proper 2FA security and team efficiency. The right tools make security easier, not harder.
Belief 2: Every team deserves enterprise-grade security
You shouldn't need a massive budget for proper access control and audit logs. Small teams have the same security needs as large enterprises.
My 2015 breach taught me that account security matters. The years since taught me that teams need purpose-built tools to maintain that security without sacrificing productivity.
Lessons Learned: 10 Years Later
What I'd Tell My 2015 Self
If I could go back and talk to myself before that breach:
- Enable 2FA everywhere today - Don't wait until after you get hacked
- Use a password manager - Unique passwords for every account
- Avoid SMS for 2FA - Use authenticator apps or hardware keys
- Save backup codes - And store them somewhere safe offline
- Regularly audit your security - Quarterly reviews, not once-a-year
- Monitor for breaches - Use services like Have I Been Pwned
- Think about teams early - If you might share accounts, plan for secure sharing from the start
- Don't reuse passwords - Not even variations like "Password1" and "Password2"
- Enable login alerts - Know immediately when someone accesses your accounts
- Take security seriously before something bad happens - Not after
Common Questions About 2FA Security
Is 2FA really necessary if I have a strong password?
Yes, absolutely. Even the strongest password can be compromised through data breaches, phishing, keyloggers, or social engineering. 2FA provides protection even when your password is stolen. My 2015 breach would have been prevented by 2FA on my email account, regardless of password strength. Think of it this way: your password is a lock, 2FA is a deadbolt. You want both.
What's the most secure type of 2FA?
From most to least secure:
- Hardware security keys (YubiKey, Titan): Physical device, nearly impossible to phish
- Authenticator apps (Google Authenticator, Authy, Authn8): Code generated on your device
- Push notifications (Duo, Okta): Approve login on your phone
- SMS codes: Vulnerable to SIM swapping, but better than nothing
I recommend authenticator apps for most people - they balance security and convenience well.
What happens if I lose my phone with my 2FA app?
This is why backup codes are critical. When you set up 2FA, most services provide backup codes - save these somewhere secure (not on your phone). You can also:
- Use multiple devices with the same 2FA codes (scan the QR code on your phone and tablet)
- Use a tool like Authn8 that syncs across devices
- Contact support for account recovery (usually requires identity verification)
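How a service should handle the backup codes this answer relies on, as an added example that is not from the original post or from Authn8: codes are generated from a look-alike-free alphabet, shown to the user exactly once, persisted only as hashes, and accepted a single time each. All names and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Alphabet without look-alike characters (no 0/o, 1/l/i), so codes written on paper read back correctly.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalize(code: str) -> str:
    """Accept a code typed with or without the dash, in any case, with stray spaces."""
    return "".join(code.split()).replace("-", "").lower()


def _digest(code: str) -> str:
    # Ten characters from a 31-symbol alphabet carry about 49 bits of entropy, enough that
    # a stored SHA-256 list is of no use to someone who copies the database.
    return hashlib.sha256(_normalize(code).encode("utf-8")).hexdigest()


def generate_backup_codes(count: int = 10, length: int = 10) -> Tuple[List[str], List[Dict[str, object]]]:
    """Return (codes to display once, records to persist). The plaintext is never stored."""
    shown: List[str] = []
    stored: List[Dict[str, object]] = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        shown.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
        stored.append({"hash": _digest(raw), "used": False})
    return shown, stored


def redeem_backup_code(stored: List[Dict[str, object]], code: str) -> bool:
    """Single use: a matching unused record is marked used and True is returned; anything else is False."""
    candidate = _digest(code)
    matched = None
    for record in stored:  # scan the whole list instead of stopping at the first hit
        if hmac.compare_digest(str(record["hash"]), candidate) and not record["used"]:
            matched = record
    if matched is None:
        return False
    matched["used"] = True
    return True


def remaining_backup_codes(stored: List[Dict[str, object]]) -> int:
    """How many codes the user still has; warn them to regenerate when this gets low."""
    return sum(1 for record in stored if not record["used"])


if __name__ == "__main__":
    codes, records = generate_backup_codes()
    print("show these once and tell the user to store them offline:", codes)
    print("first use:", redeem_backup_code(records, codes[0]))
    print("same code again:", redeem_backup_code(records, codes[0]))
    print("remaining:", remaining_backup_codes(records))
```

Storing the hashes rather than the codes is the property that matters: a leaked user table then reveals nothing a thief can type in, and a code that has been spent cannot be presented a second time.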
Should teams disable 2FA because it's too hard to share?
Absolutely not. Disabling 2FA because of team access challenges is like removing your seatbelt because it's uncomfortable. Instead, use purpose-built tools like Authn8 that are designed for team 2FA sharing. The security risk of no 2FA is far greater than the inconvenience of managing it properly.
Can 2FA be hacked?
While no security measure is 100% foolproof, 2FA is extremely difficult to compromise. The main attack vectors are:
- Real-time phishing (tricking you to enter your code on a fake site immediately)
- SIM swapping (for SMS-based 2FA)
- Social engineering (convincing support to disable 2FA)
- Malware on your device
These attacks are sophisticated and targeted. For the vast majority of account compromises (including my 2015 breach), 2FA would have prevented the attack entirely.
Is it safe to share 2FA codes with my team?
It depends on how you share them. Sharing via screenshots, text messages, or email is not safe. However, sharing through purpose-built team 2FA tools with encryption, audit logs, and access control is secure. The key is using the right method - not avoiding 2FA sharing entirely.
Conclusion
That Tuesday morning in 2015 when I discovered my accounts had been hacked was one of the worst days of my professional life. The panic, the embarrassment, the days of recovery work - I wouldn't wish it on anyone.
But it taught me something invaluable: Account security isn't optional, and 2FA isn't just a nice-to-have feature - it's essential.
Ten years later, I've seen the rise of a new challenge: teams needing to share accounts securely. The same 2FA that protects individual accounts creates friction for team workflows. I've watched teams take dangerous shortcuts - screenshots of QR codes, disabling 2FA entirely, sharing secrets in text files.
That's why we built Authn8. Not to replace 2FA, but to make it work for teams the way it works for individuals - with proper security, audit trails, and access control.
The lessons from my 2015 breach remain true:
- Passwords alone are broken
- 2FA prevents the vast majority of account compromises
- Security measures only work if you actually use them
But we've added new lessons for the team era:
- Shared accounts are a reality, not something to avoid
- Teams need purpose-built tools, not individual workarounds
- Security and productivity can coexist with the right approach
Don't wait for your own 2015 breach moment. Enable 2FA on your accounts today. If you're managing a team, use tools designed for team security, not individual workarounds.
Ready to Stop Sharing 2FA Codes via Screenshots?
Get started with Authn8 today - free for up to 3 users. See how purpose-built team 2FA management transforms your security and saves hours every week.
Your future self will thank you. Trust me, I know from experience.