So you’ve just unlocked your phone after waking up to see that your Twitter timeline isn’t loading. Strange — but maybe they’re just experiencing one of their fail whales for the first time in years. You decide to go check on your Amazon order that should be arriving today. Instead, to see that you can’t login there either. You swipe down to your notification center to see a few “Password Changed” notifications, except, when you tap on one of these email notifications, you’re directed to your Gmail sign in page. That’s when it hits you.
You’ve been hacked.
First, relax. You need a level head to handle this situation. You’re one of many that are targeted every day, and it’s no surprise considering there were over 1,500 data breaches in just 2017. Now that you’ve taken a moment to assess the situation, it’s time to get an idea of how much needs to be recovered.
Just a social media account? No big deal.
Your credit cards and bank accounts? This may be a pretty big hassle.
Let’s start with the accounts you still have access to that shared information (passwords, email addresses, etc.) with accounts that have been compromised.
Change your passwords.
Sign in to every account that may be related and change your password to something different. Even if you don’t have access to an account anymore, check all your devices to see if you’re still signed in. This will allow you to take back control without having to go through a recovery process. For a quick reminder, use the following password tips:
Make your new password long!
Brute forcing is one of the most common ways to test passwords if they’re not already in some database. A longer password makes it much more difficult to guess — even for automated systems.
Password Strength. Courtesy of XKCD. Source
Words and phrases that you mix together are usually much safer and easier to remember. It’s also a super simple way to come up with a long password.
Sprinkle in some Flavor
Add in numbers and symbols either between or as a replacement to letters. This will not only make it harder for others to guess but will also easily satisfy the password requirements that a lot of sites and apps may enforce.
Don’t Make it Easy to Guess
Your password is only as secure as it is secret. Don’t use things like your name, part of your email, your first pet’s name, or your birthday. Yeah, that means spike2001 isn’t a good password.
Don’t Use Passwords from Other Sites
This one still needs to be said because people still do it. If someone manages to gain access to one of your accounts, (or even worse: it’s leaked in a data breach) they now have access to every single other account you used that password on. Either use different variants of your passwords or use a Password Manager. Nobody expects you to remember all your passwords anymore, so let an app do it for you. Here at MelonDev, we use 1Password — but there are many really good options out there.
Change these Again Often… when you’re done dealing with this chaos.
This one is hard to remember to do, and even I’ll admit that I’m not the best at it. However, if you change your passwords even once a year, that’s an even lower chance that it’ll appear because of some data breach from a site you used in 2007.
If you want to get better at this, features like 1Password’s WatchTower will let you know when your passwords age too much and give you a heads up when it’s time to change them.
Got your passwords changed?
Good. You’re on the right track to ensuring what you still have is safe. Now let’s work on recovering what you’ve had taken from you.
Recover What’s Lost
Now that you’ve secured what you can, it’s time to take back what you’ve lost. Depending on whether or not you still have that email address you used to sign up with 3 years ago, this may vary in difficulty. Remember, that if the hacker has changed any of the personal information associated with any of these accounts that you may need to reach out to the support team to help get things reverted.
Companies like Google have very well-made recovery steps, however. You should be able to get back into your account just by telling them a bit about yourself and the types of activities you did on your account.
Secure Your Cash
Sign in to your online bank accounts, credit cards, PayPal, loan accounts, etc. and ensure that nothing has been tampered with. Change your passwords and double check personal info here, too, just in case.
If there’s any sliver of a chance that the hacker may have been able to get into your account, let the institution know immediately. They’ll ensure that whatever Fraud Department or tools they use are keeping a close eye on your activity.
If you see unrecognized transactions, dispute them immediately. They’ll get your missing money back to you, but it may take a few days — better to get the process started sooner.
Depending on the severity of the situation, your bank may recommend getting new cards or a new account entirely. For the sake of your sanity, we hope this isn’t necessary.
Determine the Cause
To prevent yourself from getting hacked again in the future, it’s important to review what happened and prevent it from happening again.
Some common methods include:
There’s that term again! If your password was the same as another account (especially an account that was a victim in a breach), then that’s your root issue. You essentially just mailed your hacker a key to your house. Protect yourself with new passwords and a password manager.
Keyloggers and Malware
A bit more rare, but still plausible. If you’ve installed anything new or fishy recently, chances are your personal info was grabbed by watching your keystrokes. Run a virus and malware scan on your device to ensure there’s nothing devious installed that shouldn’t be. Malwarebytes is free and will do the trick.
This method of hacking is usually overlooked completely. Every website you use and visit has different bits of information. Full address here, last four of your credit card there, last name over there…
Different companies use different pieces of personal information to identify you (especially for customer support purposes). If you can call back multiple times and gather more info about your account, which you can then use to verify yourself with another company, then you just got access — no matter how good your account security was.
While scary, some companies are getting better at this. Amazon, for example, now requires you to confirm that you’re calling support via a text message before they can assist you with any account-specific questions. These automated security measures aren’t subject to failure, like the human-controlled counterparts.
Many websites (especially banks) use “Security Questions” to keep your account safe. The problem with these is that they usually ask questions that can be found on public-facing social media accounts. When choosing security questions, make sure you truly pick ones you won’t be posting about. “What is the make and model of your first car?” and “What’s your favorite vacation spot?” are probably ones you’d want to avoid.
This is DEFCON 1 of account hijacking. Password resets are only possible of a hacker gains access to your primary (or even secondary) email accounts. Your email address is essentially a master key that can reset your access to everything you do online. You should treat it that way, and ensure that you take the most important steps possible to protect it.
You’ve gone from not having access to anything to recovering your accounts and understanding how they were lost to begin with. There are a few final steps you should take to ensure this doesn’t happen again.
De-Authorize Old or Suspicious Apps
You know all those “Login with…” buttons around the web? Every time you use that feature, you are granting a website access to some (or all) of your account data and giving them permission to interact with it. Visit your account settings on sites like Facebook, Twitter, and Google and ensure that everything that still has access to your account really needs it.
Turn on Two-Step Verification
You trust some of your most valuable data to just one string of text… one or two words that someone can type in and see everything. Enable two-step.
Two-Step Verification requires another method of verification, besides your password, before you can sign in. The most common forms are using something like an Authenticator App that provides codes for you, but even turning on SMS Verification is better than nothing.
Don’t Open Suspicious Emails
Phishing emails are getting better and better. If you ever get an important account alert: make sure it’s addressed to you. Emails (especially from banks) that start with “Dear Customer” or “To whom it may concern” are most likely to be fake. If you want to be extra safe, go the extra mile of going to websites yourself and not clicking links in emails that are sent to you.
If you’re ever not sure if an email is legitimate or not, forward it to the company support team. Many will review it for you and confirm whether or not it was sent by them.
Your Online Identity is Important
You need to take the steps to protect it. Once you have everything re-stablished, you should consider getting someone to watch your back. MelonDev offers tools like Brand Management that will help handle chaos like this for you and assist with actions like fan engagement or audience boosting. You probably would have found this advice much faster if you had someone to ask directly and didn’t have to resort to a Google search for help.