I Was Hacked: Help!

Hacking – to gain unauthorized access to data in a system or a computer.

It is not like having your identity stolen, although it can feel that way in the moment. Having your email, banking, or other credentials stolen and used not only feels like an invasion of your privacy but can lead to varying degrees of financial loss or long and difficult calls to customer support. With the internet now a few decades removed from the government institutions and universities that originally invented and used it, the days of the internet being a wild west landscape are essentially over. Advertisers, corporations, and governments track to varying degrees what we do on the internet, and some people have now had the same password for over 10 years. While you might be alarmed by the former, the latter is what should concern you.

The internet has history now, and the WayBackMachine offers us glimpses of it, but what you really need to worry about are the hundreds if not thousands of lists circulating on the dark web which contain usernames and passwords collected from known and unknown leaks. We sometimes hear about the big ones, but it’s just as likely that the hobbyist forum you signed up for in 2002 was not all that secure, and somewhere out there on a list is your login information.

So, you have been hacked and are living in a post-hacked world. The first thing you need to do is change your password (like yesterday), and if this was an email account, check your inbox rules and forwarding rules – these are often modified by hackers and not to your benefit. You should also scan your PC for viruses and adware. In particular, you need to be looking for key-logging software – software that keeps track of everything you type and transmits that to the hacker.

To be honest, though, it is unlikely this is how your password was stolen. Like most of us, hackers prefer to get it from the source: you. This can be accomplished in a myriad of ways, whether your password is something easy to guess – birthdays, hobbies, dates of important life events – a fake email saying your password has expired and needs to be reset (which you act on), or from one of those lists circulating on the internet. If they have a list of everyone’s username and password that signed up for a Target account, you can be damn sure they’ll pick out the @Gmail.com, @Yahoo.com, and @Outlook.com addresses and give those a try to see if they can’t get into your mailbox. They will utilize scripting and automation to find the usernames and passwords that work, so do not think they need to type all those credentials in themselves.

By now you have changed your password to something no one could ever guess. How can they guess Flaming09 if they do not know of your secret love for flamingo dancing, or the competition you entered in 09? You have also checked your inbox and forwarding rules and run scans on your PC. What else can you do to be sure this never happens again? The #1 thing you must do to secure your most important accounts is set up multi-factor authentication (MFA).

After all, your phone number is unique, and messages sent to it are only seen by you. You could – I’m not recommending this – set your password to “Password123” and put flyers up all over town with nothing but your email address and password printed in big bold letters on it, and your account would still be secure. All your banking accounts need MFA enabled and configured, and any account to which a credit card is tied should also have MFA enabled and configured. While there have been some clever attempts to circumvent MFA, it is far easier and more profitable for a hacker to find a more vulnerable target.

-Peter T. Belies
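
The inbox-rule and forwarding-rule check recommended above can be scripted when there are many rules to read through. The following is an added example, not part of the original post: it assumes the rules have been exported in the JSON shape Microsoft Graph uses for `messageRule` objects, and the function name `audit_rules`, the sample rules, and the addresses are constructed for illustration.

```python
import json

# Constructed sample: inbox rules in the JSON shape Microsoft Graph uses for
# a mailbox's messageRule objects. Names and addresses are made up.
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters", "isEnabled": true,
   "actions": {"moveToFolder": "folder-id-1"}},
  {"displayName": ".", "isEnabled": true,
   "actions": {"forwardTo": [{"emailAddress": {"address": "drop@example.net"}}],
               "delete": true, "stopProcessingRules": true}},
  {"displayName": "Copy to work", "isEnabled": true,
   "actions": {"redirectTo": [{"emailAddress": {"address": "me@example.com"}}]}}
]
""")

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_ACTIONS = ("delete", "permanentDelete", "markAsRead")


def audit_rules(rules, own_domains):
    """Return (rule name, [reasons]) for every rule that deserves a manual look."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        reasons = []
        # Any action that sends a copy of your mail to a domain you do not own.
        for key in FORWARD_ACTIONS:
            for rcpt in actions.get(key) or []:
                addr = (rcpt.get("emailAddress") or {}).get("address", "")
                if addr.rpartition("@")[2].lower() not in own_domains:
                    reasons.append(f"{key} -> {addr} (outside your domains)")
        # Forwarding plus delete/mark-as-read keeps the owner from noticing.
        hidden = [k for k in HIDE_ACTIONS if actions.get(k)]
        if reasons and hidden:
            reasons.append("also hides the original: " + ", ".join(hidden))
        if reasons:
            findings.append((rule.get("displayName") or "<unnamed>", reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, {"example.com"}):
        print(f"Review rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Pass the domains you actually own (lowercase) as `own_domains`; anything flagged should be deleted from the mailbox, not just disabled.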
