Basic Cyber Security Interview Questions and Answers for Freshers

1. What is cryptography?

Cryptography aids to secure information from third parties who are called
adversaries. It allows only the sender and the recipient to access the data securely.

2. What is traceroute? Mention its uses.

Traceroute is a network diagnostic tool. It helps track the route taken by a packet
that is sent across the IP network. It shows the IP addresses of all the routers it
pinged between the source and the destination.

Uses:

 It shows the time taken by the packet for each hop during the transmission.
 When the packet is lost during the transmission, the traceroute will identify
where the point of failure is.

3. What is a firewall? Mention its uses.

A firewall is a network security device/system, which blocks malicious traffic such as

hackers, worms, malware, and viruses to maintain data privacy.

Uses:

 It monitors the incoming and outgoing network traffic. It permits or allows

only data packets that agree to the set of security rules.
 It acts as a barrier between the internal network and the incoming traffic
from external sources like the Internet.

Enroll in our Cyber Security course to learn from experts and get certified!

4. What is a three-way handshake?

It is a process that happens in a TCP/IP network when you make a connection

between a local host and the server. It is a three-step process to negotiate
acknowledgment and synchronization of packets before communication starts.
Step 1: The client makes a connection with the server with SYN.

Step 2: The server responds to the client request with SYN+ACK.

Step 3: The client acknowledges the server’s response with ACK, and the actual data
transmission beginsest

5. What is a response code? List them.

HTTP response codes indicate a server’s response when a client makes a request to
the server. It shows whether an HTTP request is completed or not.

1xx: Informational

The request is received, and the process is continuing. Some example codes are:

 100 (continue)
 101 (switching protocol)
 102 (processing)
 103 (early hints)

2xx: Success

The action is received, understood, and accepted successfully. A few example codes
for this are:

 200 (OK)
 202 (accepted)
 205 (reset content)
 208 (already reported)

3xx: Redirection

To complete the request, further action is required to take place. Example codes:
 300 (multiple choice)
 302 (found)
 308 (permanent redirect)

4xx: Client Error

The request has incorrect syntax, or it is not fulfilled. Here are the example codes for
this:

 400 (bad request)

 403 (forbidden)
 404 (not found)

5xx: Server Error

The server fails to complete a valid request. Example codes for this are:

 500 (internal server error)

 502 (bad gateway)
 511 (network authentication required)

Also, check out this blog for Top Cyber Security Skills!

6. What is the CIA triad?

CIA Triad is a security model to ensure IT security. CIA stands for confidentiality,
integrity, and availability.

 Confidentiality: To protect sensitive information from unauthorized access.

 Integrity: To protect data from deletion or modification by an unintended
person.
 Availability: To confirm the availability of the data whenever needed.

7. What are the common cyberattacks?

Here is a list of common cyberattacks aimed at inflicting damage to a system.

1. Man in the Middle attack: The attacker puts himself in the communication
between the sender and the receiver. This is done to eavesdrop and impersonate
to steal data.
2. Phishing: Here, the attacker will act as a trusted entity to perform malicious
activities such as getting usernames, passwords, and credit card numbers.
3. Rogue Software: It is a fraudulent attack where the attacker fakes a virus on
the target device and offers an anti-virus tool to remove the malware. This is
done to install malicious software into the system.
4. Malware: Malware is software that is designed to attack the target system.
The software can be a virus, worm, ransomware, spyware, and so on.
5. Drive-by Downloads: The hacker takes advantage of the lack of updates on
the OS, app, or browser, which automatically downloads malicious code to the
system.
6. DDoS: This is done to overwhelm the target network with massive traffic,
making it impossible for the website or the service to be operable.
7. Malvertising: Malvertising refers to the injections of maleficent code to
legitimate advertising networks, which redirect users to unintended websites.
8. Password Attacks: As the name suggests, here, the cyber hacker cracks
credentials like passwords.

Check out our blog on Cyber Security Tips and Best Practices to prevent Cyber
Security attacks!

8. What is data leakage?

Data leakage means the unauthorized transmission of data from an organization to

an external recipient. The mode of transmission can be electronic, physical, web,
email, mobile data, and storage devices, such as USB keys, laptops, and optical
media.

Types of data leakage:

 Accidental leakage: The authorized entity sends data to an unauthorized

entity accidentally.
 Malicious insiders: The authorized entity intentionally sends data to an
unauthorized entity.
 Electronic communication: Hackers make use of hacking tools to intrude the
system.

9. Explain port scanning.

A port scan helps you determine the ports that are open, listening, or closed on a
network. Administrators use this to test network security and the system’s firewall
strength. For hackers, it is a popular reconnaissance tool to identify the weak point
to break into a system.
Some of the common basic port scanning techniques are:

1. UDP
2. Ping scan
3. TCP connect
4. TCP half-open
5. Stealth scanning

Check out this interesting blog on Hacking Software now!

10. Explain brute force attack and the ways to prevent it.

A brute force attack is a hack where the attacker tries to guess the target password
by trial and error. It is mostly implemented with the help of automated software
used to login with credentials.

Here are some ways to prevent a brute force attack:

1. Set a lengthy password

2. Set a high-complexity password
3. Set a limit for login failures

11. Explain the difference between hashing and encryption.

Hashing Encryption
A one-way function where you cannot Encrypted data can be decrypted to the
decrypt the original message original text with a proper key
Used to verify data Used to transmit data securely
Used to send files, passwords, etc. and to Used to transfer sensitive business
search information

12. What is the difference between vulnerability assessment (VA) and penetration
testing (PT)?
Vulnerability Assessment (VA) Penetration Testing (PT)
Identifies the vulnerabilities in a network Identifies vulnerabilities to exploit them to
penetrate the system
Tells how susceptible the network is Tells whether the detected vulnerability is
genuine
Conducted at regular intervals when Conducted annually when there are
there is a change in the system or significant changes introduced into the
network system
13. Mention the steps to set up a firewall.

Following are the steps you have to follow to set up a firewall:

1. Username/password: Alter the default password of a firewall device.

2. Remote Administration: Always disable the Remote Administration feature.
3. Port Forward: For the web server, FTP, and other applications to work
properly, configure appropriate ports.
4. DHCP Server: Disable the DHCP server when you install a firewall to avoid
conflicts.
5. Logging: Enable logs to view the firewall troubleshoots and to view logs.
6. Policies: Configure strong security policies with the firewall.

Want to know How to become a cyber security engineer in 2023? check this blog out!

14. What is SSL encryption?

Secure Socket Layer is a security protocol that is used for the purpose of encryption.
It ensures privacy, data integrity, and authentication in the network like online
transactions.

The following are the steps for setting up an SSL encryption:

1. A browser connects to an SSL-secured web server.

2. The browser requests the server’s public key in exchange for its own private
key.
3. If it is trustworthy, the browser requests to establish an encrypted
connection with the web server.
4. The web server sends the acknowledgement to start an SSL encrypted
connection.
5. SSL communication starts to take place between the browser and the web
server.

15. What steps will you take to secure a server?

A server that is secured uses the Secure Socket Layer (SSL) protocol to encrypt and
decrypt data to protect it from unauthorized access.

Below are the four steps to secure a server:

Step 1: Secure the root and administrator users with a password

Step 2: Create new users who will manage the system

Step 3: Do not give remote access to administrator/default root accounts

Step 4: Configure firewall rules for remote access

Intermediate Cyber Security Interview Questions and Answers

16. What is the difference between HIDS and NIDS?

Host Intrusion Detection System Network Intrusion Detection System
Detects the attacks that involve hosts Detects attacks that involve networks
Analyzes what a particular Examines the network traffic of all devices
host/application is doing
Discovers hackers only after the Discovers hackers at the time they generate
machine is breached unauthorized attacks

17. Mention the difference between symmetric and asymmetric encryption.

Differentiator Symmetric Encryption Asymmetric Encryption
Encryption Key Only one key to encrypt Two different keys (public and private
and decrypt a message keys) to encrypt and decrypt the message
Speed of Encryption is faster and Encryption is slower and complicated
Execution simple
Algorithms RC4, AES, DES, and 3DES RSA, Diffie-Hellman, and ECC
Usage For the transmission of For smaller transmission to establish a
large chunks of data secure connection prior to the actual data
transfer

18. What is the difference between IDS and IPS?

Intrusion Detection System Intrusion Prevention System
A network infrastructure to detect A network infrastructure to prevent intrusions by
intrusion by hackers hackers
Flags invasion as threads Denies the malicious traffic from threads
Detects port scanners, malware, Does not deliver malicious packets if the traffic is
and other violations from known threats in databases

19. What are the different layers of the OSI model?

OSI model was introduced by the International Organization for Standardization for
different computer systems to communicate with each other using standard
protocols.

Below are the various layers of the OSI model:

 Physical layer: This layer allows the transmission of raw data bits over a
physical medium.
 Datalink layer: This layer determines the format of the data in the network.
 Network layer: It tells which path the data will take.
 Transport layer: This layer allows the transmission of data using TCP/UDP
protocols.
 Session layer: It controls sessions and ports to maintain the connections in
the network.
 Presentation layer: Data encryptions happen in this layer, and it ensures that
the data is in a usable/presentable format.
 Application layer: This is where the user interacts with the application.

20. What is a VPN?

VPN stands for virtual private network. It is a private network that gives you online
anonymity and privacy from a public Internet connection. VPN helps you protect
your online activities, such as sending an email, paying bills, or shopping online.

How does a VPN work?

1. When you make a VPN connection, your device routes the Internet
connection to the VPN’s private server, instead of your Internet Service Provider
(ISP).
2. During this transmission, your data is encrypted and sent through another
point on the Internet.
3. When it reaches the server, the data is decrypted.
4. The response from the server reaches the VPN where it is encrypted, and it
will be decrypted by another point in the VPN.
5. At last, the data, which is decrypted, reaches you.

Are you excited to know about the Access Control List, so check out this blog!

21. What do you understand by risk, vulnerability, and threat in a network?

 Threat: A cyber security threat can cause potential harm to an organization’s

assets by exploiting a vulnerability. It can be intentional or accidental.
 Vulnerability: A vulnerability is a weakness or a gap in the security system
that can be taken advantage of by a malicious hacker.
 Risk: A risk happens when the threat exploits a vulnerability. It results in loss,
destruction, or damage to the asset.

22. How do you prevent identity theft?

To prevent identity theft, you can take the following measures:

1. Protect your personal records.

2. Avoid online sharing of confidential information.
3. Protect your Social Security Number.
4. Use strong passwords, and change them at regular intervals.
5. Do not provide your bank information on untrustworthy websites.
6. Protect your system with advanced firewall and spyware tools.
7. Keep your browsers, system, and software updated.

Enroll in our Cyber Security Course in Bangalore to upskill yourself!

23. Who are White Hat, Grey Hat, and Black Hat Hackers?

Black Hat Hackers

A Black Hat Hacker uses his/her hacking skills to breach confidential data without
permission. With the obtained data, the individual performs malicious activities such
as injecting malware, viruses, and worms.

White Hat Hackers

A White Hat Hacker uses his/her hacking skills to break into a system but with the
permission of the respective organizations. They are professionals known as Ethical
Hackers. They hack the system to identify its vulnerability and to fix it before a
hacker takes advantage of it.

Grey Hat Hackers

A Grey Hat Hacker has the characteristics of both a Black Hat Hacker and a White Hat
Hacker. Here, the system is violated with no bad intention, but they do not have the
essential permission to surf the system, so it might become a potential threat at any
time.

Check out this interesting blog on Cyber Security Consultant Career!

24. When should you do patch management, and how often?

Patch management has to be done immediately once the updates to the software is
released. All the network devices in the organization should get patch management
in less than a month.

25. What are the ways to reset a password-protected BIOS configuration?

BIOS being hardware, setting it up with a password locks the operating system.
There are three ways to reset the BIOS password:

1. you need to unplug the PC and remove the CMOS battery in the cabinet for
15–30 minutes. Then, you can put it back.
2. You can use third-party software such as CmosPwd and Kiosk.
3. You can run the below commands from the MS-DOS prompt with the help of
the debug tool. For this method to work, you need to have access to the OS
installed.

Debug
o 70 2E
o 71 FF
quit

This will reset all BIOS configurations, and you need to re-enter the settings for it.
26. Explain the MITM attack. How to prevent it?

In the Man-in-the-Middle attack, the hacker eavesdrops on the communication

between two parties. The individual then impersonates another person and makes
the data transmission look normal for the other parties. The intent is to alter the
data, steal personal information, or get login credentials for sabotaging
communication.

These are a few ways to prevent a MITM attack:

1. Public key pair based authentication

2. Virtual private network
3. Strong router login credentials
4. Implement a well-built Intrusion Detection Systems (IDS) like firewalls.
5. Strong WEP/WPA encryption on access points

27. Explain the DDoS attack. How to prevent it?

Distributed denial-of-service attack overwhelms the target website, system, or

network with huge traffic, more than the server’s capacity. The aim is to make the
server/website inaccessible to its intended users. DDoS happens in the below two
ways:

Flooding attacks: This is the most commonly occurring type of DDoS attack. Flooding
attacks stop the system when the server is accumulated with massive amounts of
traffic that it cannot handle. The attacker sends packets continuously with the help
of automated software.

Crash attacks: This is the least common DDoS attack where the attacker exploits a
bug in the targeted system to cause a system crash. It prevents legitimate users from
accessing email, websites, banking accounts, and gaming sites.

To prevent a DDoS attack, you have to:

1. Configure firewalls and routers

2. Recognize the spike in traffic
3. Consider front-end hardware
4. Empower the server with scalability and load balancing
5. Use anti-DDoS software

28. Explain the XSS attack. How to prevent it?

Cross-site scripting also known as XSS attack allows the attacker to pretend as a
victim user to carry out the actions that the user can perform, in turn, stealing any of
the user’s data. If the attacker can masquerade as a privileged victim user, one can
gain full control over all the application’s data and functionality. Here, the attacker
injects malicious client-side code into web services to steal information, run
destructive code, take control of a user’s session, and perform a phishing scam.

Here are the ways to prevent an XSS attack:

1. Cross-check user’s input

2. Sanitize HTML
3. Employ anti-XSS tools
4. Use encoding
5. Check for regular updates of the software

29. What is an ARP, and how does it work?

Address Resolution Protocol is a communication protocol of the network layer in the

OSI model. Its function is to find the MAC address for the given IP address of the
system. It converts the IPv4 address, which is 32-bit, into a 48-bit MAC address.

How ARP works:

1. It sends an ARP request that broadcasts frames to the entire network.

2. All nodes on the network receive the ARP request.
3. The nodes check whether the request matches with the ARP table to find the
target’s MAC address.
4. If it does not match, then the nodes silently discard the packet.
5. If it matches, the target will send an ARP response back to the original sender
via unicast.

30. What is port blocking within LAN?

It refers to restricting users from accessing a set of services within the local area
network. The main aim is to stop the source from providing access to destination
nodes via ports. Since all applications run on the ports, it is necessary to block the
ports to restrict unauthorized access, which might violate the security vulnerability in
the network infrastructure.

Advanced Cyber Security Interview Questions and Answers For Experienced

31. What are the protocols that fall under the TCP/IP Internet layer?
Application NFS, NIS, SNMP, telnet, ftp, rlogin, rsh, rcp, RIP, RDISC, DNS, LDAP,
Layer and others
Transport Layer TCP, SCTP, UDP, etc.
Internet IPv4, ARP, ICMP, IPv6, etc.
Data Link Layer IEEE 802.2, PPP, etc.
Physical Layer Ethernet (IEEE 802.3), FDDI, Token Ring, RS-232, and others

32. What is a botnet?

A botnet, which is also known as a robot network, is a malware that infects networks
of computers and gets them under the control of a single attacker who is called a
‘bot herder.’ A bot is an individual machine that is under the control of bot herders.
The attacker acts as a central party who can command every bot to perform
simultaneous and coordinated criminal actions.

The botnet is a large-scale attack since a bot herder can control millions of bots at a
time. All the botnets can receive updates from the attacker to change their behavior
in no time.

33. What are salted hashes?

When two users have the same password, it will result in the creation of the same
password hashes. In such a case, an attacker can easily crack the password by
performing a dictionary or brute-force attack. To avoid this, a salted hash is
implemented.

A salted hash is used to randomize hashes by prepending or appending a random

string (salt) to the password before hashing. This results in the creation of two
completely different hashes, which can be employed to protect the users’ passwords
in the database against the attacker.

34. Explain SSL and TLS.

Secure Sockets Layer (SSL)

It employs encryption algorithms to keep any sensitive data that is sent between a
client and a server by scrambling the data in transit. This helps prevent hackers from
reading any data, such as credit card details and personal and other financial
information; it is done by keeping the Internet connection secure.

Transport Layer Security (TLS)

TLS is the successor of SSL. It is an improved version protocol that works just like SSL
to protect the information transfer. However, to provide better security,
both TLS and SSL are often implemented together.
35. What is data protection in transit vs data protection at rest?
Data Protection in Transit Data Protection at Rest
Data is transmitted across devices or Data is stored in databases, local hard
networks drives, or USBs
Protects the data in transit with SSL and TLS Protects the data at rest with firewalls,
antiviruses, and good security practices
You must protect the data in transit since it You should protect the data at rest to
can become vulnerable to MITM attacks, avoid possible data breaches even when
eavesdropping, etc. stolen or downloaded

36. What is 2FA, and how can it be implemented for public websites?

Two-factor authentication (2FA) requires a password, along with a unique form of

identification like a login code via text message (SMS) or a mobile application, to
verify a user. When the user enters the password, he/she is prompted for the
security code to log in to the website. If the code mismatches, the user will be
blocked from entering the website.

Examples of 2FA: Google Authenticator, YubiKey, Microsoft Authenticator, etc.

37. What do you mean by Cognitive Cybersecurity?

Cognitive Cybersecurity is a way of using human-like thought mechanisms and

converting them to be used by Artificial Intelligence technologies in cyber security to
detect security threats. It is to impart human knowledge to the cognitive system,
which will be able to serve as a self-learning system. This helps identify the threats,
determine their impact, and manifest reactive strategies.

38. What is the difference between VPN and VLAN?

Virtual Private Network Virtual Local Area Network
Provides secure remote access Used to group multiple computers that are
to a company’s network geographically in different domains into the same
resources geographical broadcast domain
A network service A way of subnetting the network
Companies wishing to connect Companies wishing to employ traffic control and
with their remote employees easier management will use a VLAN
will use a VPN

39. Explain phishing. How to prevent it?

In phishing, an attacker masquerades as a trusted entity (as a legitimate

person/company) to obtain sensitive information by manipulating the victim. It is
achieved by any kind of user interaction, such as asking the victim to click on a
malicious link and to download a risky attachment, to get confidential information
such as credit card information, usernames, passwords, and network credentials.

The following are some of the ways to prevent phishing:

1. Install firewalls
2. Rotate passwords frequently
3. Do not click on or download from unknown sources
4. Get free anti-phishing tools
5. Do not provide your personal information on an unsecured/unknown site

40. Explain SQL injection. How to prevent it?

SQL injection is an injection attack where an attacker executes malicious SQL

commands in the database server, including MySQL, SQL Server, or Oracle, that runs
behind a web application. The intent is to gain unauthorized access to sensitive data
such as client information, personal information, intellectual property details, and so
on. In this attack, the attacker can add, modify, and delete records in the database,
which results in the data integrity loss of an organization.

Ways to prevent SQL injection:

1. Limit providing read access to the database

2. Sanitize data with the limitation of special characters
3. Validate user inputs
4. Use prepared statements
5. Check for active updates and patches

Have a look at this Cyber Security Tutorial, which will make it easier for you to dive
into this field!

Scenario-based Cyber Security Interview Questions and Answers

41. You have a suture from where you receive the following email from the help
desk:

Dear YYY,
We are deleting all inactive emails to create space for other new users. If you want
to save your account data, please provide the following details:
First Name and Last Name:
Email ID:
Password:
Date of Birth:
Alternate Email:

Please submit the above detail by the end of the week to avoid any account
termination.

Considering the above scenario, how would you react as a user? Explain briefly.

The above email is an excellent illustration of phishing. Here are the reasons why:

1. A reputed organization will never ask for an employee’s personal information

in the mail.
2. In a normal mail, the salutation is not done in a generalized manner. This
happens only in spam emails where the attacker tricks you into ‘biting.’

As a rule of thumb, you should never revert to a sender who demands personal
information and passwords via emails, phone calls, text messages, and instant
messages (IMs). You must not disclose your data to any external party even if the
sender works for organizations such as ITS or UCSC.

Want to learn more about Cyber Security? Enroll in our Cyber Security Course now
and practice essential cyber security interview questions!

42. You get an e-card in your mail from a friend. It asks you to download an
attachment to view the card. What will you do? Justify your answer.

1. Do not download the attachment as it may have malicious viruses, malware,

or bugs, which might corrupt your system.
2. Do not visit any links as it might redirect you to an unintended page.
3. As fake email addresses are common and easy to create, you should not
perform any action like clicking/downloading any links, unless you confirm it with
the actual person.
4. Many websites masquerade as a legitimate site to steal sensitive information,
so you should be careful not to fall into the wrong hands.

43. A staff member in a company subscribes to various free magazines. To activate

the subscription, the first magazine asks her for her birth month, the second
magazine asks for her birth year, and the third magazine asks for her maiden name.
What do you deduce from the above situation? Justify your answer.

It is highly likely that the above-mentioned three newsletters are from a parent
company, which are distributed through different channels. It can be used to gather
essential pieces of information that might look safe in the user’s eyes. However, this
can be misused to sell personal information to carry out identity theft. It might
further ask the user for the date of birth for the activation of the fourth newsletter.

In many scenarios, questions that involve personal details are unnecessary, and you
should not provide them to any random person, company, or website unless it is for
a legitimate purpose.

44. To print billing, you have to provide your login credentials in your computing
labs. Recently, people started to get a bill for the print, which was never done by
them. When they called to complain, the bill turned out to be correct. How do you
explain the above situation?

To avoid this situation, you should always sign out of all accounts, close the browser,
and quit the programs when you use a shared or public computer. There are chances
that an illegitimate user can retrieve your authorized data and perform actions on
behalf of you without your knowledge when you keep the accounts in a logged-in
state.

45. In our campus computer lab, one of my friends logged into her Yahoo account.
When she left the lab, she made sure that the account was not left open. Later, she
came to realize that someone re-accessed her account from the browser, which
she has used to send emails, by impersonating her. How do you think this
happened?

There are two possible scenarios:

1. The attacker can visit the browser’s history to access her account if she hasn’t
logged out.
2. Even if she has logged out but has not cleared the web cache (pages a
browser saves to gain easy and quick access for the future)

46. An employee’s bank account faces an error during a direct deposit. Two
different offices need to work on it to straighten this out. Office #1 contacts Office
#2 by email to send the valid account information for the deposit. The employee
now gives the bank confirmations that the error no longer exists. What is wrong
here?

Any sensitive information cannot be shared via email as it can lead to identity theft.
This is because emails are mostly not private and secure. Sharing or sending personal
information along the network is not recommended as the route can be easily
tracked.

In such scenarios, the involved parties should call each other and work with ITS as a
secure way of sending the information.

Check out this interesting blog on the difference between Cyber Security and
Information Security!

47. You see an unusual activity of the mouse pointer, which starts to move around
on its own and clicks on various things on the desktop. What should you do in this
situation?

A. Call any of the co-workers to seek help

B. Disconnect the mouse
C. Turn your computer off
D. Inform the supervisor
E. Disconnect your computer from the network
F. Run anti-virus
G. Select all the options that apply?

Which options would you choose?

The answer is (D) and (E). This kind of activity is surely suspicious as an unknown
authority seems to have the access to control the computer remotely. In such cases,
you should immediately report it to the respective supervisor. You can keep the
computer disconnected from the network till help arrives.

48. Check out the list of passwords below, which are pulled out from a database:

A. Password1
B. @#$)*&^%
C. UcSc4Evr!
D. akHGksmLN

Choose the passwords that are in line with the UCSC’s password requirements.

The answer is C (UcSc4Evr!). As per the UCSC requirements, a password should be:

1. Minimum of 8 characters in length

2. Having any of the three from these four types of characters: lower case,
upper case, numbers, and special characters.

49. The bank sends you an email, which says it has encountered a problem with
your account. The email is provided with instructions and also a link to log in to the
account so that you can fix it. What do you infer from the above situation? Explain.

It appears to be an unsolicited email. You should report it as spam and move the
email to the trash immediately in the respective web client you use (Yahoo Mail,
Gmail, etc.). Before providing any bank-related credentials online, you should call the
bank to check if the message is legitimate and is from the bank.

50. In your IT company, employees are registering numerous complaints that the
campus computers are delivering Viagra spam. To verify it, you check the reports,
and it turns out to be correct. The computer program is automatically sending tons
of spam emails without the owner’s knowledge. This happened because a hacker
had installed a malicious program into the system. What are the reasons you think
might have caused this incident?

This type of attack happens when the password is hacked. To avoid this, whenever
you set a password, always use a proper standard, i.e., use passwords that are at
least 8-character length and have a combination of upper case/lower case letters,
symbols/special characters, and numbers.

Other scenarios of the above attack could be:

1. Dated antivirus software or the lack of it

2. Dated updates or security patches