There’s been a rise recently in whole databases of email addresses being breached, stolen and blatantly posted on the web. Sometimes it was a targeted hack to harvest addresses from ESPs (email service providers), because the hackers (spammers?) know those are good addresses. But sometimes it was a hack to expose severely weak systems, as in Sony’s recent breaches.
Regardless of the type or purpose of the hack, you as a consumer and email subscriber are most of the time left out in the cold. Your carefully protected email address is now in the eager hands of numerous spammers, or maybe even worse, identity thieves. Instead of just receiving a boatload of spam, your email account could get hacked (read Yahoo Mail, Hotmail become new targets for hackers) and people could take over your online accounts. Let’s see…
PayPal, eBay, your online banking account, all your forum accounts, travel websites, shopping sites, gaming accounts like Steam or GameSpy, creative accounts like YouTube, Soundcloud or Audiotool… I don’t think I need to go on. Troy Hunt has done some tests on the plain text files (sigh) taken from the SonyPictures servers in a recent breach: see his report here.
One pass to rule them all?
Some of his most important findings are that passwords are reused across networks, and that they are in general quite simple: contrary to what security experts keep preaching, which is to keep passwords unique, make them difficult and use special characters. The only secure password is the one you can’t remember, also by Troy Hunt, tells the story of the burden of many passwords and of securing them for real with the 1Password app. I’m not too sure a very complex master password will help, but at least it’s better than 123456 or jesus, right?
What can you do for damage control when you find out your email account may have been breached or your email address stolen? There are some options, and further on I will describe some ways to prevent your email account from being exposed or hacked.
If stolen then…
Some simple but effective things to do are:
- Change the password of all affected accounts (if you can still log in)
- Consult your (web) mail provider about account access: they will have a secondary address or your cellphone number on file to get your account back to you
- Warn others who are in your address book not to open or click any ‘weird’ emails that seem to come from your account
To help prevent email addresses from being stolen or compromised
- Change your password regularly, at least once a month
- Do not click on any links in weird or malicious emails, even if they seem to come from friends
- Only sign up for the services you really want and/or need, not just anything
- Use a difficult password, no cheating! Use uppercase and non-alphanumeric characters in your passwords
These tips are by no means final or complete: just a reminder of some of the things you can do when it all goes wrong, or to prevent it from going wrong in the first place. All the breaches so far have been truly dreadful, but regardless of who is responsible in the end, you as the actual owner of an email address have a responsibility too: not to let a hacker or spammer get hold of it too easily. Now go forth and secure your email address! This post might see a follow-up in the near future when I have more tips on this subject.
A final tip on passwords: there’s quite a good password tester over at http://www.passwordmeter.com: it should give you the option to make and test a very strong password, to avoid the embarrassing event that someone accesses your account with hi-mom or microsoft…
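As an added example (not code from the original post or from passwordmeter.com), here is a small Python script that applies the advice above: it rejects the weak passwords named in this post (123456, jesus, hi-mom, microsoft) even when they are dressed up with a capital and a digit, checks for the uppercase and non-alphanumeric characters asked for in the tips, and flags passwords reused across accounts, the pattern Troy Hunt found in the Sony data. The weak-password list and the sample account list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of weak passwords: the ones named in the post plus a few staples.
WEAK_PASSWORDS = {"123456", "jesus", "hi-mom", "microsoft", "password", "qwerty"}

# Character classes the tips ask for; the key is the message reported when it is missing.
CHARACTER_CLASSES = {
    "no uppercase letter": r"[A-Z]",
    "no lowercase letter": r"[a-z]",
    "no digit": r"[0-9]",
    "no non-alphanumeric character": r"[^A-Za-z0-9]",
}


def password_problems(password, min_length=12):
    """Return the reasons a password fails the post's advice; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # Compare case-insensitively and also with digits and punctuation stripped, so that
    # 'Microsoft1!' is still recognised as the dictionary word 'microsoft'.
    core = re.sub(r"[^a-z-]", "", password.lower())
    if password.lower() in WEAK_PASSWORDS or core in WEAK_PASSWORDS:
        problems.append("based on a well-known weak password")
    for problem, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(problem)
    return problems


def reused_passwords(accounts):
    """Given {account: password}, return the groups of accounts that share one password."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


if __name__ == "__main__":
    for pw in ("123456", "jesus", "Microsoft1!", "hi-mom", "Tr0ub4dor&3xtra-long"):
        print(repr(pw), "->", password_problems(pw) or "ok")
    # Constructed account list: PayPal and eBay share a password, so both get flagged.
    sample = {"paypal": "hi-mom", "ebay": "hi-mom", "steam": "jesus",
              "bank": "Tr0ub4dor&3xtra-long"}
    print(reused_passwords(sample))
```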