What do I do if my email and social accounts are hacked?
Written for the Occupancy Marketing blog
This article started off being written a few weeks ago and was going to be solely focused on the steps you should take if you discover that your social accounts have been hacked.
But last week one of the cornerstones of internet security, the OpenSSL cryptographic library, was found to have a security bug. The “Heartbleed” bug, which on the 7th of April meant that 17% (around half a million) of the internet’s secure web servers were believed to be vulnerable to the attack, allowed the theft of the servers’ private keys and users’ session cookies and passwords.
Affected sites include Google, Facebook, Tumblr, Pinterest, Dropbox and Netflix. This means that the many trusted websites are now recommending that you reset your passwords and the possibility of accounts being hacked is now much greater than before.
What does this mean for me?
Many of the world’s main websites have already fixed the issue but the advice from security experts is to reset your passwords. Yup, all of them. If, like me, you have a lot of websites that you regularly log in to then you may have tens or even hundreds of passwords – resetting them all is not going to be fun but it is still very much advised. If you have been following best practice for passwords then you won’t have used the same password for each site and each password will be unique so that should mean that you can focus on only changing passwords for the sites that you use most frequently – LastPass have created a very handy resource for checking which sites have been affected. There’s also a Chrome Extension to alert you to sites which are still vulnerable (but this won’t help you identify sites which may have been vulnerable but are now fine).
In summary: you should start changing your passwords now.
How can I make a better password?
- Never use the same password on different sites – if a hacker manages to find out that an email address/password combination works on one site then all they need to do is run a program to test that same email address and password combination across a few thousand other sites and suddenly you’re in real trouble.
- Use “two-factor verification” or “two-step sign-in” if a site offers it – this means that a site such as Twitter or PayPal will also text you a code for you to enter each time you log in (it’s a bit more hassle but since a hacker in a faraway place is unlikely to physically have your phone as well then it’s a great way to prove that it’s really you).
- Use a password tool to generate and store your passwords for you – LastPass and 1Password both help protect your passwords and although some people see this as “all your eggs in one basket” it’s a much easier way of improving the quality of your passwords and protecting yourself. The main downside here is that password managers are not yet integrated with phone or tablet operating systems, meaning that you may still have to manually type in your long and difficult passwords on these devices.
- Make your passwords better by stringing together four or more random words and checking it against a password checker – forget substituting numbers for letters or using a capital at the start and random punctuation at the end, that might be hard for a human to guess but a computer can make light work of such formulaic passwords; simply using four random words and putting them together makes something easy for you to remember and nearly impossible for a computer to guess. More information here!
I’ve got a strong new password – can I still be hacked?
Yes. There are many ways for people to hack into accounts and, by extension, access your personal information or bank details in order to gain access to other sites, commit fraud or simply send out spam messages from your account.
How can I protect myself?
- Use long, unique passwords!
- Don’t share your account login details with anyone.
- If the site or app looks dodgy don’t use it. Don’t click ad banners, don’t install software from pop-ups and always search online for reviews of software before you decide to install it.
- Don’t give permission to a website or app to post things to your social accounts unless you really need to and periodically review your list of approved apps to cut out any old ones.
- Make sure that you have up to date antivirus software running on your computer and always install operating system and trusted software updates.
- Your domain name is likely to be key to your online identity so make sure that you take a note of when any domain names are set to expire and log in a month before to renew them. (Better yet – set them to auto-renew).
- Routinely check your account details – make sure that your contact details are up to date (especially if you have moved house/office location or have changed your email address or phone number).
- Add two-factor verification to any sites that you can – see which sites support it here.
- Don’t use an email address at your domain as your login, especially for your website hosting, your domain registrar or for your company social accounts – use a secure email address instead, such as a gmail.com address.
How will I know if I’ve been hacked?
- Actions you didn’t make such as new friends or new likes.
- Unexpected posts or private messages from your social account.
- Unexpected email notifications from the site, especially ones stating that you recently made changes to your account.
- For domain, DNS or hosting hacks your email or website go down.
- Start by checking that the problem isn’t you and your computer – check your computer’s antivirus and delete any malware or virus programs.
- Go to the hacked website and change your password (if you can) – if you can’t you should contact support and ask for help.
- Revoke access to all third-party services/apps, even ones that you previously trusted – you can always add them back later.
- If you use the same username/password combination on any other websites then change your password there too.
- Take note of and then delete any unwanted posts.
- Report whatever activity has gone on to the site.
- Personally contact anyone that your account has spammed, especially if there’s a chance that you could infect their computers with a virus or malware.
- Double check all of your other accounts.
- Tell your followers that you were hacked.
What to do I do if I discover that I’ve been hacked?
- Start by checking that the problem isn’t you and your computer – check your computer’s antivirus and delete any malware or virus programs.
- Go to the hacked website and change your password (if you can) – if you can’t you should contact support and ask for help.
- Revoke access to all third-party services/apps, even ones that you previously trusted – you can always add them back later.
- If you use the same username/password combination on any other websites then change your password there too.
- Take note of and then delete any unwanted posts.
- Report whatever activity has gone on to the site.
- Personally contact anyone that your account has spammed, especially if there’s a chance that you could infect their computers with a virus or malware.
- Double check all of your other accounts.
- Tell your followers that you were hacked