My Account Was Hacked – Here’s How to Control the Damages
Here are the critical steps you need to take if this happens to you
Ok, let’s set one thing clear from the beginning: you are not safe online. I am not safe online. Online safety is an oxymoron. Nobody is, and nobody ever will be, safe online.
In order for you to be 100% protected against any kind of digital threat, it would imply that you never own or use a computer, a mobile phone, access internet via wireless or 3G, pay taxes online, stream music, own a credit card, order books, look at what your frenemies are posting on Facebook… oh, and, of course, you wouldn’t be reading this article either. You’d have to live in a jungle, with no connection to the outside world.
Any system has vulnerabilities and can be breached. No matter what anyone tells you for your comfort, no matter what precautions they say they’ve taken, all you get is the illusion of a safety net.
At some point, any of the services that you use or ever used can be hacked into.
Information about you can be leaked online, used for blackmail, identity theft or financial fraud, sold to third parties, and I could go on with this list forever, but I think you already got the idea.
It doesn’t even matter how small or insignificant you consider the attacked website to be. Always remember that information is as precious as gold and you should treat it accordingly.
In this article, we’ll cover the important steps you have to take if an online service you use got hacked, in order to contain the damage.
But first, let’s walk through some of the major hacks and data breaches from the past couple of years, and how they impacted the users:
1. Ashley Madison – August 2015 – 37 million people who were using the Ashley Madison site had their data published online, including credit card details and sexual preferences. The service encouraged extramarital affairs, by helping users cheat on their partners. It led to many divorces and even some suicides.
2. iCloud / Apple – September 2014 – Not even cloud storage is safe from data breaches. Hundreds of nude celebrity photos leaked online, in a hack that was dubbed “The Fappening”. Apple later reported that the data was obtained using a highly targeted attack on user names, passwords and security questions.
3. Sony Pictures Entertainment – November 2014 – You most likely remember the Sony hack, which was allegedly planned by North Korea. 47,000 social security numbers of Sony employees were taken by attackers, plus names, addresses and financial information. However, the press mainly focused on the gossip side of the hack. The published stories covered the private conversations between Hollywood actors and movie industry players that also leaked.
4. Snapchat / SnapSaved – October 2014 – Also known as the Snappening, in reference to the Fappening, more than 13 GB of Snapchat videos and photos leaked online. The files were breached via a third-party app, SnapSaved, that was used to save and access Snapchat files.
5. IRS – May 2015 – More than 330,000 taxpayers were affected in this data breach. It may seem like a small number, compared to other data breaches, but the impact was disastrous. The attackers gained access to filed tax returns, financial information and social security numbers.
6. Vtech – November 2015 – Information on 6.4 million children and 5.9 million adults was exposed in what experts consider the largest theft of personal data targeting kids. Name, gender and birthdate were among the stolen data on the kids, while parents had their name, mailing address, secret question and answer for password retrieval, IP address, download history and encrypted password leaked. We don’t even want to imagine what could happen if some ill-intentioned individuals were to pair the info on the parents with that on their children.
7. LastPass – June 2015 – Who says password manager services are safe? LastPass servers were attacked last summer. The data accessed by the intruders included email addresses, password reminders and authentication hashes. However, encrypted user data (aka your stored passwords) was not breached. The company prompted all the users to update their master password immediately.
8. eBay – May 2014 – One of the biggest data breaches of all time, which left 145 million users with their names, email and postal addresses, phone numbers, birthdates and encrypted passwords exposed.
9. Anthem – February 2015 – A data breach of the second biggest health insurer in America exposed the medical information of 80 million customers, plus names, birthdays, social security numbers, email and home addresses.
10. Spotify – November 2014 – Not even music streaming services are safe from attackers. Last year, over a thousand Spotify users had their email addresses and passwords leaked online. Gaana, the most popular Indian music streaming service, with more than 7.5 million monthly users, also got hacked and had its database exposed.
And this is just a small fraction of the services that were hit in the past two years. Given the rising numbers, you could even say that data breaches have become commonplace.
Now, before we jump into concrete advice, how do you find out that a service you use was breached?
1. Theoretically, you should find out directly from the hacked service, thanks to data breach notification laws. In the US, these force companies that were subject to a data breach, or reasonably believe they were, to inform their customers.
2. In the European Union, a similar breach notification law was introduced, but it only covers personal data held by telecoms and internet service providers.
3. There are also some sites that gather the publicly available details from the major hacks and let you search through them, to see if your information is among the stolen data. Have I Been Pwned? is one of them.
My account was hacked. Now what?
These are the critical steps you should take if you discover that one of the services you use was hacked:
1. First of all, this is not a good time to panic. Take a deep breath and keep your calm.
The opposite, not caring and not taking any measures, isn’t an option either.
You should be aware that things could quickly escalate in an unwanted direction. It doesn’t matter if you think the service is unimportant to you.
The breached data can be used to hack into other accounts of yours (especially if you use the same password for multiple accounts – please don’t), for identity theft, financial damage and blackmail, and it can cause all sorts of other unwanted headaches.
2. Log into the account of the service that was hacked as soon as you find out about the breach.
Glance over the settings for your account, see if there’s anything fishy or changed there.
If you can’t access your account anymore, reset the password via email.
If you used a fake email for it, or you don’t have access to that email account anymore, you’ll have to contact the administrators of that website and prove it’s your account.
3. Change the password for that service. Use a strong, unique password.
If you’ve been reading our blog regularly, you most likely know how much we insist on this issue: never, ever reuse a password. You should have unique, strong passwords, which you change periodically.
However, if it’s too late for this and you recycled the password from the compromised website, change the password for all other services.
You can use a password generator, such as Norton Identity Safe Password Generator, in order to create strong passwords.
In the future, prepare for the worst and make sure you don’t reuse passwords, in order to minimize the impact in case of a hacked account. You wouldn’t use the same key for your house and for your car, would you?
Remember to treat the answers to the password security questions the same as you treat your password. Don’t use real answers; instead, generate random strings the same way you would generate a strong password. The real answers can be easily discovered by attackers.
And never keep your passwords in a file on your computer, mail or cloud. Instead, you can use a password management application, like LastPass or Dashlane. This way, you won’t have to memorize 30-40 strong passwords, with all their capital letters and symbols and numbers, passwords that you regularly change. You’ll only have to remember the master password for your LastPass account; your other passwords will be safely encrypted.
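Steps 3 above boil down to three mechanical checks: generate passwords and security-question answers from a cryptographic random source, know how much guessing resistance a given length buys you, and find every account that shares a password with the breached one. The script below is an added example written for this post; it is not code from the blog or from any password manager, and the account names in the sample vault are constructed placeholders.

```python
import math
import secrets
import string

# Every character is drawn from the operating system's CSPRNG via the secrets
# module, which is the right source for anything that has to be unguessable.
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 84 characters


def generate_password(length: int = 20) -> str:
    """Return a uniformly random password of the given length."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_security_answer(length: int = 16) -> str:
    """Random letters and digits only: many security-question forms reject symbols."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    20 characters from an 84-symbol alphabet give roughly 128 bits."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if the password contains a lowercase, an uppercase, a digit and a symbol.
    Useful for sites that enforce composition rules on top of length."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def reused_passwords(vault: dict) -> dict:
    """Map each password used by more than one account to the accounts sharing it.
    This is the check a password manager runs to flag reuse after a breach."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    # Constructed in-memory sample vault (hypothetical account names), with one
    # deliberate reuse so the check has something to report.
    vault = {
        "shop.example": "Winter2015!",
        "mail.example": "Winter2015!",
        "bank.example": generate_password(24),
    }
    print("reused:", reused_passwords(vault))
    pw = generate_password(20)
    print(pw, f"({entropy_bits(len(pw)):.1f} bits, all classes: {has_all_classes(pw)})")
    print("security answer:", generate_security_answer())
```

A 20-character password from this alphabet has about 128 bits of entropy, far beyond what an attacker can brute-force even against a fast unsalted hash, so length is doing the real work; `has_all_classes` exists only to satisfy sites that insist on composition rules.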
4. If available, activate two-factor (or more) authentication.
Two-factor authentication (or two-step verification) adds an extra layer of security, using your mobile phone. It works as a secondary authentication method, besides your password.
It relies on a one-time numeric code, which is either sent to you by SMS or generated by an authenticator app installed on your phone.
Gmail, Twitter, Facebook and Amazon are among the ones who offer this option. You can find an extended list on TwoFactorAuth.org.
5. Change the password to your email or any other linked accounts.
As soon as you find out about the breach, change the password for the email you used to create the account for the service that got hacked.
Also look over the email settings, especially the Email Forwarding, Filters, Reply-to Address and Security Questions, to make sure that everything’s in order. An attacker will try to leave some kind of a back door opened, to come back into the account.
Your email address is most likely tied to many of your online accounts. If any of those is compromised, you’ll have to change the password to any other service that was remotely linked.
Also de-authorize all the third-party apps that use your account.
Here’s a potential example: the BestNine application, that many users linked at the end of 2015 with their Instagram account, in order to see their most popular photographs of the year. Or logging into Spotify using your Facebook account. If either of them was breached, then you’d be in trouble. You would have to change the password to your Spotify or Instagram account, to your Facebook account and to your email account.
After the attack, be suspicious of any emails or unsolicited phone calls. Make sure you don’t open any emails that appear to be spam. We talked more about this in a dedicated blog post, which covers how malware creators use spam campaigns in order to maximize their impact.
Take all the financial protection measures available.
1. Keep an eye on your money. Monitor your bank account daily in the upcoming months. Immediately report to your financial institution if anything looks suspicious.
2. Activate every security measure available: SMS alerts for transactions, two-step confirmation via mobile phone. Also, in the future, it would be best if you used a credit card instead of a debit card.
3. Freeze your credit report. While frozen it can’t be accessed, which also means you won’t be able to open an account for a cell phone, apartment, car insurance etc. You’ll have to unfreeze it temporarily when you want to apply for something, and then refreeze it.
4. For extra security measures, you can ask your bank to flag your account. This way, they will ask extra questions if anyone calls them pretending to be you.
Do a quick check-up of your computer’s security, make sure it’s clean.
1. Use adequate protection, to make sure that nobody can get into your operating system. Install a good antivirus and run a deep scan. Check to see if your firewall is activated. It’s also recommended that you use a security program designed against second-generation malware.
2. Keep your software up to date. Check to see if all the security patches for your operating system are installed. Or let us take care of that.
3. Uninstall old software apps you don’t use anymore. It will improve your computer’s performance, while reducing the chances of a cyber attack that exploits their vulnerabilities.
If someone is trying to blackmail you, call the police and report it to them.
Collect the evidence, keep any threatening emails or any other form of communication. Take screenshots.
Don’t even consider paying. First of all, it would be impossible for someone to prove to you that they’ll keep their promises if you pay that money. You’ll only prove that you are vulnerable to blackmail, and the matter surely won’t end there.
If your data was leaked online and you are in the European Union, you may be able to take advantage of the “right to be forgotten” law. Also contact your local police department.
Here’s a checklist of these steps, so you can come back to it in case you need it:
You can’t be safe, not even if you never use the Internet and you don’t own a computer or mobile device. Don’t forget that your data is still held by the government, health, insurance and financial institutions or the post office.