I received this email on November 17th.
Panic followed…
I have heard of this happening but just never to me.
Immediately I started asking some questions:
What is the damage?
After taking a quick breath I opened up my passwords file and searched for how many times the stolen password appeared in my document:
If you look in the bottom right corner, you will notice that the stolen password was used 76 times.
How long would it take me to change these passwords?
Since I now knew the exact accounts to check, I was able to put my anxiety in check.
No important accounts were accessed.
Here followed the extremely boring task of going to each of these sites, logging in and resetting the passwords.
Start to finish, 76 accounts took me about 1 hour.
How did someone get my password in the first place?
This is the hard part. No one really knows…
Most hacking is actually pretty basic. For example, you have probably received a fake phone call or a suspicious email asking you to "confirm" a password or an account detail. That is phishing: the sender hopes you will fall for the trick and hand over some personal information.
But there is also a marketplace where stolen information is traded.
Every time a company like Facebook, Target or Home Depot is breached, the stolen usernames and passwords end up in databases somewhere. Those databases get combined into profiles of people, and attackers then try the same email-and-password combinations on more valuable accounts (like your email account). That is exactly why one reused password is dangerous: a leak at one unimportant site becomes a key to every other site where you used it.
For most of us this isn't a catastrophe. But these same forms of hacking are the exact reason why so many celebs end up having their naked photos released on the Internet.
They definitely have "more to lose" than the rest of us.
Who did I report this to?
As I mentioned, no important accounts were touched. So at this point, I was feeling pretty good.
But, I know that most cyber crimes aren’t reported just because people don’t know how.
You can always Google "Cyber Crime" or go to the government's site for just this type of thing: ic3.gov, the FBI's Internet Crime Complaint Center.
It took me about 10 minutes on IC3.gov and I printed a copy of my report for the records.
What can I (and everyone) do better next time?
Limit your risk
Everything that I am about to talk about is all about limiting your risk. I fully realize that everything has a pro and a con as well as an investment of time. These are my recommendations…
Use 2-step authentication
2-step authentication (also called two-factor authentication, or 2FA) is industry jargon that means someone can't access an account with the password alone; a second "step" has to take place as well.
For example, I have this set up on my Gmail account so it can't be accessed unless I enter a code that is sent to my mobile phone. Theoretically, if you don't have both pieces of information, the password and the code, the account should not be able to be accessed. A code from an authenticator app or a hardware security key is stronger than one sent by SMS, because text messages can be intercepted or redirected to a phone the attacker controls (for example through "SIM swapping"), so use SMS only when it is the only option offered.
Here are some guides to help you with the email provider that you use:
If you don’t see your email provider, just Google the service providers name + “2 step authentication.”
This is probably the most important of all my recommendations because we use email daily. Protect it!
Make each password unique and write them down somewhere
I always get the most resistance when I suggest not using one password for every site. The reason is always the same: a single password is easy to remember.
While only 76 of my accounts were potentially at risk, imagine if all your accounts were susceptible.
I currently have 2001 passwords in my document since I started using the Internet.
Even if you could remember all of these (I would bet that is a "no"), based on how long it took me, it would probably take you about 26 hours to change each of them.
The first rule of passwords is to make them "strong."
A strong password is defined as having:
- at least 15 characters
- uppercase letters
- lowercase letters
- numbers
- symbols, such as ` ! " # $ % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ | < , > . ? /
One great tool is just to use strongpasswordgenerator.com. It will generate some pretty bizarre passwords like En_ ]zhV’)k4=Z
In a recent interview with John Oliver, former CIA hacker Edward Snowden suggested that a good password is something like MargaretThatcheris110%SEXY.
Wired did a follow-up and suggested something that is totally unrelated like “potato lampshade bike run…”
No matter what method you choose, the important point is to make sure you have one password per site.
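The following is an added example (not from the post or from strongpasswordgenerator.com) that turns the rules above into code: a checker for the 15-character, four-class policy, a generator that draws from the operating system's cryptographic random source rather than `random`, and a rough entropy estimate so the three styles mentioned (random characters, a sentence like the Snowden one, a string of unrelated words) can be compared on guessability instead of on looks. The short word list is a constructed stand-in; a real passphrase list such as the EFF's has 7776 words.

```python
import math
import secrets
import string

# The policy spelled out in the post: at least 15 characters and all four character classes.
MIN_LENGTH = 15
SYMBOLS = "`!\"#$%^&*()_-+={[}]:;@'~|<,>.?/"


def check_strength(password: str) -> list:
    """Return the list of policy rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def generate_password(length: int = 20) -> str:
    """Uniformly random password over letters, digits and symbols using the OS CSPRNG (secrets).
    Candidates that happen to miss a class are discarded, so the result always passes the policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_strength(candidate):
            return candidate


# Constructed toy word list for the "potato lampshade bike run" style (far too small for real use).
WORDS = ["potato", "lampshade", "bike", "run", "copper", "violin", "harbor", "maple",
         "signal", "tunnel", "orbit", "pepper", "candle", "walrus", "meadow", "quartz"]


def generate_passphrase(n_words: int = 5, words: list = WORDS, sep: str = " ") -> str:
    """Pick words uniformly at random; strength comes from the list size and the word count."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing resistance of a uniformly random choice: log2(alphabet_size ** length).
    Only valid for machine-generated secrets; a human-chosen phrase is far more predictable."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("random 20 chars:", generate_password(), "passes policy:", check_strength(generate_password()) == [])
    print("toy passphrase :", generate_passphrase())
    print("14 random printable chars:", round(entropy_bits(14, 94), 1), "bits")
    print("4 words from a 7776-word list:", round(entropy_bits(4, 7776), 1), "bits")
    print("15 random lowercase letters:", round(entropy_bits(15, 26), 1), "bits")
```

Two things the numbers show that the rules alone do not: a 14-character random string from the generator site (about 92 bits) is stronger than four random dictionary words (about 52 bits), yet the passphrase would fail the four-class policy while a very predictable "Password2024!!!" would pass it. Length and true randomness are what matter; the class rules are a crude proxy for them.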
How do I track all these passwords?
If you haven’t already realized how much time I saved knowing exactly which passwords were hacked, start right now…
Many people use a password manager like LastPass, which encrypts the list and fills passwords in for you. I just use a simple Google Sheet. Excel is also an option. Whatever you pick, remember that the list is now the key to everything: protect the account or file that holds it with a strong, unique password and 2-step authentication of its own, and never email it or leave a copy lying around.
You can make three columns: website address / login / password.
Just make a list and you are already much better off.
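Here is an added example (not the author's spreadsheet or script) of the search described earlier, done over an exported copy of that three-column sheet instead of with Ctrl-F. It reports every password that appears more than once, and, given the password quoted in an extortion email, lists exactly which accounts must be reset, including ones that use an obvious variation of it (the leaked password plus a suffix), which a plain text search would miss. The CSV rows are constructed sample data, not real accounts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of a "website / login / password" sheet (fictional accounts).
SAMPLE_SHEET = """website,login,password
https://mail.example.com,me@example.com,Tr0ub4dor&3!xyz
https://shop.example.net,me@example.com,correct horse battery staple
https://forum.example.org,me_forum,Tr0ub4dor&3!xyz
https://bank.example.com,me@example.com,K7#v9$mQ2!pL4&wZ
https://news.example.com,me@example.com,Tr0ub4dor&3!xyz
https://photos.example.com,me@example.com,Tr0ub4dor&3!xyz2019
"""


def load_sheet(csv_text: str) -> list:
    """Parse the exported sheet into a list of {'website', 'login', 'password'} rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def password_reuse(rows: list) -> dict:
    """Map each password used by more than one site to the list of those sites."""
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["website"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def accounts_exposed_by(rows: list, leaked_password: str) -> dict:
    """Which accounts to reset when one password shows up in a breach or an extortion email.
    'exact' reuse the password as-is; 'similar' are trivial variations (leaked value plus a suffix),
    which attackers try next and which should be treated as burned too."""
    exact, similar = [], []
    for row in rows:
        pw = row["password"]
        if pw == leaked_password:
            exact.append(row["website"])
        elif pw.lower().startswith(leaked_password.lower()) or leaked_password.lower() in pw.lower():
            similar.append(row["website"])
    return {"exact": exact, "similar": similar}


if __name__ == "__main__":
    rows = load_sheet(SAMPLE_SHEET)
    for pw, sites in password_reuse(rows).items():
        print(f"password reused on {len(sites)} sites: {sites}")
    print("reset list for the leaked password:", accounts_exposed_by(rows, "Tr0ub4dor&3!xyz"))
```

Run regularly, `password_reuse` is also the cheapest possible audit of your own habits: the goal is for it to return an empty dictionary.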
Visit only secure sites
A lot of people talk about “what is a secure website?”
Secure websites use a technology called TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer); you will still see it called SSL almost everywhere. "This is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral."
When you look up into the corner of your browser, you will usually see the "http://" replaced with "https://" and a padlock.
That is how you know the connection is "secure": what you type can't be read or altered on the way to the site, and the certificate proves you reached the domain in the address bar. It does not tell you the site itself is honest; phishing sites use https too, so check the domain name, not just the padlock.
If you use the Chrome browser by Google, Chrome will actually flag plain http:// pages as "Not secure" and make it harder to visit them.
The former CEO of Google, Eric Schmidt, made a comment alluding to the fact that if you want to make sure someone can’t find “something,” don’t put it online.
He once said, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
So, even Amazon, Google, Apple, Dropbox, Facebook, WordPress, Instagram and Snapchat have flaws. These flaws are what a hacker tries to exploit to get a door into the backend of their technology.
One of the greatest sayings is “what’s done can be undone.” So, anything that can be engineered can be reverse engineered.
Don’t pay a hackers ransom
I can see why hackers make a lot of money stealing passwords and extorting people. If I didn’t have a password document and unique passwords, I might pay the $9,000 the hacker wanted.
If we all take back this responsibility, there will be no financial gain for these people, and that is what will encourage them to discontinue extorting money in this way.
Final thought…
Remember that the Internet is one of the greatest tools ever created.
With it comes some darkness.
If we all take these steps the entire Internet will be a better place for us to grow our business and better connect with one another.
Do yourself a favor and take 10 minutes now and at least setup 2-step authentication.
Here’s to hoping that you never receive a threat like this one…