Hello - Thank you. My password was complicated. In addition to 2FA SMS, I also had the AUTHY app, which the attacker added their device to somehow. @Silkjaer if you can assist that would be great. I have no idea how the attacker connected my phone to my GMAIL account. The only thing I can think of is the information was retrieved from @gatehub. Gatehub mentioned phone numbers were not taken during the attack, but there is no other way this attacker would be able to connect it. The AT&T account is not even in my name, I am just a line on a family plan.
Sunday July 7 6:50AM EST - I receive two texts from Google asking me to verify a login to my Gmail with a Google Pin. I do not think anything of it, but go in and change my password, and check if anything is different.
Tuesday July 9 5:15PM EST - My phone loses service, I cannot call or text (not even over Wi-Fi). Not sure what's going on, I turn phone/data on/off, still nothing. I contact other members on my family plan, and their phones are working fine. I run to the Apple Store (across the street from me). I see a tech there who dials in AT&T support. It takes about two hours, but AT&T support thinks the Apple tech messed up my SIM card. She reconnects me, and before signing off gives me the number for the fraud department. I don't notice any rogue sign-ins or email access attempts during this time; I write it off as a glitch and go about my night.
Monday July 15 2:00PM EST - My phone loses service again. At the same time I am at my desk, and notice GOOGLE emailing me critical security alert sign in attempts sign in. That's when it hit me they were trying to get into my Gmail account using the 2FA from Google. I quickly change the password back and let Google know it is not me on the other devices. Not having access to my phone, I used my other recovery email to reset the password. The attacker then just reset it again using the phone. I was able to reset a 4th time, but what I failed to do was click the button that signed myself out of all other web browsers instantly.
At 2:15PM, in a full panic, not sure what they are going after still, I get an alert from AUTHY that a new device was added to my app. (The same LINUX device that was hacking my GMAIL). Then immediately I emailed @gatehub support that I am being hacked and to lock my account. At 2:18 and 2:19 I got two emails of New Device Authorization from Gatehub, I deleted both and removed them from my trash within seconds. I was too late, by 2:24PM six figures of XRP were moved to a new account. Here is the link showing the wallet's transactions including my withdrawal.
At 4:11PM GateHub let me know my account was now locked.