What to Do If A Site You Use is Pwned (Data Breach)

“Pwned” is the slang for when an account of yours, on some web site, got compromised in a data breach. So hackers probably have personal information of yours.

There are hackers trying to steal information from web sites all the time. Some site that you’ve registered with has probably been hacked at some point.

You can check sites that list which major sites are known to have had data stolen. Having checked one of those sites and then saying “I have been pwned twice” is not likely accurate. More likely it has happened dozens of times; you just don’t know about it. On the other hand, hopefully some of the sites didn’t have anything really useful about you.

You might also hear directly from the company to “change your password, we got hacked”.

People stealing information from sites are interested in more than your email address. Randomly picking a site from https://haveibeenpwned.com/PwnedWebsites, here’s what they might have gotten: email addresses, genders, geographic locations, IP addresses, passwords, usernames, website activity, years of birth.

What Is the First Thing to Do?

Use a password generator to make a random password, unique for each site. The password generator should be part of a password keeper software, since you’ll never remember the long random password. The password keeper will copy your password into the clipboard for you to paste, or it will paste your username and password directly into the web site for you.

Hackers know that most people use the exact same password, or minor variations their computer can quickly test, on all their accounts. Hackers know how to keep track of everything they have already discovered about all the many people with your user name on websites around the world, and use that knowledge to get into the next account they find with your user name. It really is important that you use a different (meaning random, computer-generated) password for each site.

For your password keeper’s master password (the password you use to open your password keeper), and for the few sites you log into often, make a long, highly memorable, easy to type password. Here’s how to make a password like that, and some of the password keepers that are good to use: https://www.glerner.com/password aka http://computerhelp.glerner.com/2016-strong-passwords-for-wordpress/

I only have passwords I remember for a) my computer, b) my password keeper, c) my email software and web browser (same company, so same password, but you could use your password keeper), d) my WordPress administration and e) the SSH access to my site. Really, only 2-5 passwords you remember, total.

Then change your password periodically on each site with any personal information at all, since sites get hacked more often than they should. Maybe once a year, or more often if you get a hunch it’s time; and definitely change the password if you hear the site got hacked. Yes, I recommend doing the work to update the passwords of all sites that have any important information about you.

https://haveibeenpwned.com will tell you if your email address(es) have been made public, and what info was released in the hack. Some while back, I signed up for their email notifications (free) and yesterday got one. This time the hack included passwords. Then I spent 4 hours poring through 467 1Password [excellent password keeper software] accounts from 2007-2008 that I had (foolishly) used the same, simple password on. Fortunately, most are harmless forums or some such, but I did find about 40 which went to accounts with stores. I had to visit each one and change my password. This time, I’m taking full advantage of 1Password’s unique password generator for each site. At least I won’t have to go through all this again. — T.V.
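The audit T.V. describes (going through a keeper’s entries to find which accounts share one password) can be done in minutes against the keeper’s CSV export, and the same pass can check each password against haveibeenpwned.com’s Pwned Passwords range lookup, which only ever sends the first 5 characters of the password’s SHA-1 hash. This is an added example, not code from the original post or from 1Password: the export, the site names and the breach count are constructed stand-ins, and `constructed_range_stub` replaces the real fetch of https://api.pwnedpasswords.com/range/<prefix> so the script runs offline.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-keeper CSV export (made-up sites and credentials).
SAMPLE_EXPORT = """site,username,password
forum.example.org,tv,sunshine1
shop.example.com,tv,sunshine1
bank.example.net,tv,k9#Vq2!xLm7$wZp0
mail.example.com,tv,sunshine1
photos.example.org,tv.photos,Gx4pR8tNw2Lq
"""

def find_reused_passwords(export_text):
    """Group accounts by password; return {password: [sites]} for passwords used on 2+ sites."""
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        by_password[row["password"]].append(row["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

def hibp_range_prefix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix (the only part sent to
    https://api.pwnedpasswords.com/range/<prefix>) and the 35-char suffix compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count_from_range(suffix, range_response):
    """Parse a range response (one 'SUFFIX:COUNT' per line); return our suffix's count, 0 if absent."""
    counts = {s: int(c) for s, c in (ln.strip().split(":", 1) for ln in range_response.splitlines() if ":" in ln)}
    return counts.get(suffix, 0)

def constructed_range_stub(prefix):
    """Offline stand-in for the HTTP fetch: pretends 'sunshine1' was seen 12,345 times
    (a constructed figure) and nothing else was ever seen. Swap in a real fetch to go live."""
    bad_prefix, bad_suffix = hibp_range_prefix("sunshine1")
    return f"{bad_suffix}:12345" if prefix == bad_prefix else ""

def audit_export(export_text, fetch_range):
    """Per site: is the password shared with another site, and how often was it seen in breaches?"""
    reused = find_reused_passwords(export_text)
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        prefix, suffix = hibp_range_prefix(row["password"])
        count = breach_count_from_range(suffix, fetch_range(prefix))
        report[row["site"]] = {"reused": row["password"] in reused, "breached": count}
    return report
```

Any site reported as `reused` or with a non-zero `breached` count is one to visit and give a fresh generated password, the bank entry here comes back clean.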

Now, about that compromised data…

My main recommendation, for most sites: Lie. Don’t give sites authentic information unless essential. Never give your birthday unless it’s a government or bank or legal site (give wrong info unless there is some legal requirement that you tell the truth). Only give your address if they are shipping something to you. What’s your first pet’s name? “peppermint”. What’s your favorite flavor? “submarine”. Where did you go to school? “orangutan”. Your password keeper will have a place for keeping the question and the answer you gave, so if you ever need to give the answer to their “secret question”, you can.

Just assume that everything you type into every site will be stolen.

When you redo your password, consider whether that site needs your primary email address. Use different email addresses for less-trusted sites.

Remember, saying “Happy Birthday, Mom” on Facebook, if your mom has her maiden name showing, tells the world “your mom’s maiden name” and “Happy Birthday, Dad” tells “your maiden name”. Yes, there really are people who browse social media sites to gather information, to steal your info and hack into your accounts.

If someone has your birth date and mom’s maiden name, they can fool some banks or other sites into resetting your password and emailing it to your email address, which they already broke into. The hacker can have their computer intercept the email and delete it before you ever see it. So, lie.

Even lie on Facebook what your birthday is. Your friends and family will know; but ask them to “play along”.

On most sites where you don’t buy something, give a false name, with the false name in the email address (since hackers have software that guesses your name from your email address, knowing how many sites use first name last name, or first initial last name, for the email address).

How Many Email Accounts Do You Need?

I advise having one email address for work, one for family and friends, one published on your web site, one for newsgroups (or one for only a specific newsgroup), one or several for shopping sites, one for known or suspected spammers. Yes, separate email accounts. (Not just your name with a different number at the end, some email accounts should be lacking any identifying information.) Forward them all to your primary email if you want, or have your email program retrieve from the several accounts; have your tech-savvy friend show you how.

Why? Because your email addresses are going to get spread around, and you want to be able to filter or redirect or delete emails by account name. Because if a newsletter email account gets lots of spam, you can delete that email address and you won’t have to contact all your family and friends and coworkers asking them to use a different email account.

Never use Hotmail or Yahoo Mail, not even for the “suspected spammer” accounts; they are among the worst email account providers in terms of how much spam you’ll get. Most of the spam with “your friend’s name” in the From field is from Yahoo and Hotmail, right? Hackers read your address book from the site…

Make email accounts with your own domain name if you have one, and also get free email accounts with GMail, or from some company with equivalent security. Phoenix WordPress Meetup email hosting experts and email marketing experts have never, in the 3 years I’ve been going, suggested any company other than GMail. (Don’t listen to the “I don’t want Google having my information” excuse; they already have indexed your information from all the places in the world where it is publicly available, right? And they know how to intercept and block as many hacker tricks, spammer sites, online scams, etc. as any company in the world.)

Can You Do Anything About Your Information That Was Stolen?

Not really. If it is an important account, you can have the company close the account and make another. You can change to another company. If enough damage was done, you can charge someone with fraud; of course pursue it, if doing that makes sense.

But once that information is stolen, it is likely going to be shared among hackers, or businesses who will buy information (for marketing, usually) rather than gathering information about their customers legitimately and marketing to new customers legitimately. Many times hackers make money by selling the information, rather than by using it themselves for fraud.

If you own a web site and don’t want your site on the “pwned” lists, definitely pick your hosting company with security as a major concern. Many of these massive security breaches were from web sites not hosted with proper security. Few companies that host web sites (whether they host the company’s own web site or customers’ web sites) have someone whose job is monitoring global anti-hacker sites and implementing security rules to block the attacks. (I’m guessing other breaches were done by temp employees literally stealing the database, and password cracking software got most of the user names and passwords and other encrypted information.)

Can the Company Be Trusted, Once Breached?

There is really no way to know if a company fixed the security hole that let hackers steal information.

Definitely ask them whether they have taken adequate new measures to ensure security.

Sometimes you will get the sense the company has done nothing to improve security, after a breach.

Sometimes, though, the breach and customer complaints made the company increase security, so they are now much more attentive to security than their competitors.

What Other Ways Can You Increase Your Information Security?

Always run anti-virus software on your computer. Avast and Panda Cloud are free and have excellent reviews from security experts; Norton and Kaspersky are top-rated paid anti-virus. Also use firewall software, usually available with anti-virus software. Malware on web sites or in emails could infect your computer, for example recording your keystrokes.

Use strong WiFi encryption, with a long random password. Use current firmware in your WiFi router, as it likely has security improvements.

Use VPN software all the time when you are out of the house or office, any place where the Internet connection isn’t secure. It makes people snooping on your Internet traffic see only encrypted data.

Check if a web site has an https:// version, and always use it. If the site doesn’t always switch you to https://, alert their web master.

Use the secure email transfer protocols your ISP and your email program probably support (POP3 and IMAP both can use SSL/TLS; use it, and have your ISP tell you how to confirm it is set up correctly).

Find out how to install and use encrypted email, which validates that the information received is the information sent, and validates that the sender is who they claim to be. For example, Thunderbird has an Enigmail add-on. Look for software with “public key encryption”, most often using the PGP standard. Then give someone your public key, have them give you their public key, and you can send encrypted emails to each other. (Never let anyone but your most trusted person, maybe the person who keeps your will and your password keeper master password for handling your affairs when you die, have your private key.)
