
What Should I Do When My Account Is Involved in a Breach?


I received the 2 notices below concerning my e-mails (Yahoo & Google) being exposed. I changed passwords on both. Is this common? If it reoccurs, what are my options? I have a lot of information stored in e-mail accounts; is there a backup application before getting new accounts?
Email Password: Exposed Online (may or may not be readable)
Type of Compromise: Potential breach
Where your data was found: web page
Potential Impacted Site: www.adobe.com

Email Password: Exposed Online (may or may not be readable)
Where your data was found: social media

This has happened to me as well.

I want to be clear: normally, this does not mean your accounts have actually been hacked.

However, depending on the specifics of the breach, and your own security habits, it could mean your account is at risk.

Your initial response to change passwords was correct.


The first thing to do

Your instincts were good.

If you have any concern at all, changing your account password is exactly the right first step. Most of the time it’s actually unnecessary, but since we can’t predict when “most of the time” really is, it’s by far the safest thing to do right away.

Naturally, make sure to change it to a secure password, particularly if you’ve been lazy about that in the past.

You’re at much higher risk if you previously used a weak password – even if the hackers didn’t actually get the password itself in the data breach. Depending on the data included in the breach, there are techniques hackers can use to try millions, if not billions, of different passwords at high speed to see which ones work. The weaker your password was, the more likely they are to discover it.

You’re also at higher risk if you used that same password elsewhere. This turns into more work.

The second thing to do

Depending on your personal security habits, the next step can get messy.

Do you use that same password for other accounts?

If so, go change the password at each of those other accounts. Make sure to give each a unique password so you’re never using the same password twice. Use a password manager if you have trouble keeping track of all your passwords – it’ll let you use lots of complex passwords and still keep them unique, because you won’t have to remember them.

The issue is simple: if a hacker is somehow able to get your password for the account affected by the breach, they’ll have an email address / password pair. Those are often the exact same log-in credentials people use at other online services: same email address, same password. Hackers know this, and immediately start trying that combination at a variety of online services. If you use the same password at multiple sites, losing one could be as good as losing them all.

This “password reuse” scenario has recently been blamed for several widespread account hijacks at popular, and sometimes sensitive, services.

If your account has been hacked

If you suspect your account actually has been hacked and accessed by someone else, you need to do much more than just change a password.

In short, you need to change or verify every bit of your account profile that could be used to reset or recover your password (for instance, phone numbers, security questions, and more). Hackers have been known to use this information to re-hack an account if all you’ve done is change your password. They’ve also been known to change this information so they can get back in whenever they want.

More on the steps you need to take is in this article: Email Hacked? 7 Things You Need to do NOW. It applies to much more than just email accounts.

Something to consider

This is also a good time to consider two-factor authentication if your account provider(s) support it.

Two-factor, or multi-factor, authentication is an added security layer that prevents hackers from signing in to your account even if they know the password.

I now strongly suggest two-factor authentication, along with complex and unique passwords, for any account you consider even moderately sensitive.

Is this common?

You asked if this was common.

All I can say is yes … and no.

It does seem like we hear about massive account breaches at an increasing pace. In my opinion, that pace will escalate until we come up with something better than passwords for user authentication.

As I said, it’s happened to me. My email address shows up on no fewer than five lists of breached accounts.1 I’ve changed more than a few passwords as a result.

But even showing up as part of five separate breaches, I’ve not been hacked. I believe that to be the more common case, but there’s no way to know for sure.

Find out if your account is part of a breach

Aside from the various security and credit monitoring services that include this as a feature, you can look for your own email address on major breach lists. ';--have i been pwned?2 is a free service that will tell you if your email address appears in any breach for which they have the data.

This is where I showed up five times: MySpace, Adobe, Gawker, LinkedIn, and Patreon.3

You can also sign up to be notified if a new breach contains your email address. This is how I learned of my involvement in the Patreon breach, for example.
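The same site also offers a Pwned Passwords lookup that works on a password rather than an email address, and it is built so that the password itself never leaves your machine: only the first five characters of its SHA-1 hash are sent, and the service answers with every matching hash suffix and a count. The script below is an added example (not the article's or the service's own code); the leak list and response it uses are constructed so the check runs offline, and the live fetcher is included for real use against the documented range endpoint.

```python
import hashlib
import urllib.request

API_BASE = "https://api.pwnedpasswords.com/range/"  # documented Pwned Passwords endpoint

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-char prefix is sent; the 35-char suffix stays local."""
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in the data behind `fetch_range`.

    `fetch_range(prefix)` returns the text of a range response; it is a parameter
    so the same logic runs against the live API or the constructed lookup below.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def hibp_range_lookup(prefix: str) -> str:
    """Live fetch: sends only the 5-character prefix to the service."""
    req = urllib.request.Request(API_BASE + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed leak data standing in for the service, so the example runs offline.
CONSTRUCTED_LEAK = {"password123": 52000, "letmein": 9100}

def fake_range_lookup(prefix: str) -> str:
    """Build the response the service would give for `prefix` from CONSTRUCTED_LEAK."""
    lines = []
    for pw, count in CONSTRUCTED_LEAK.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("password123", "a long unique passphrase"):
        print(pw, "seen", breach_count(pw, fake_range_lookup), "times")
```

Swap `fake_range_lookup` for `hibp_range_lookup` to query the real service; the password still never leaves your machine.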

Backing up email

You also asked if there was a backup application for email, should you decide to get a new account.

Absolutely. It’s called any desktop email program.

Seriously, get a program like Thunderbird or Microsoft Office Outlook or any of a number of others. Install that on your PC, configure account access using the IMAP protocol, and the program will dutifully download all of your email to your PC as a backup. On top of that, since I’m certain you’re also backing up your PC, you’ll be further protected that way as well.

Back up your email regardless of whether you’re involved in a breach or not. There are so many different ways you could lose access to your email account that you simply must have a backup or you risk losing everything stored in it – often without warning or recourse.

Remember: if it’s only in one place, it’s not backed up.
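If you would rather not depend on a desktop mail client, the IMAP download described above can be done with a short script. This is an added example (not the article's or any mail program's code) that copies every message in one folder to a local mbox file using only the Python standard library; the server is opened read-only so the backup can never alter it, and the FakeIMAP object and sample messages are constructed so the example runs offline.

```python
import imaplib, mailbox, os, tempfile

def backup_folder(imap, folder: str, mbox_path: str) -> int:
    """Append every message in `folder` (opened read-only, so the server is never
    modified) to the mbox at `mbox_path`; `imap` is a logged-in imaplib.IMAP4 object."""
    status, _ = imap.select(folder, readonly=True)
    if status != "OK":
        raise RuntimeError(f"cannot open folder {folder!r}")
    status, data = imap.search(None, "ALL")
    if status != "OK":
        raise RuntimeError("SEARCH failed")
    box, written = mailbox.mbox(mbox_path), 0
    try:
        for num in data[0].split():
            status, parts = imap.fetch(num, "(RFC822)")
            if status != "OK" or not parts or not isinstance(parts[0], tuple):
                continue  # not a message literal; skip rather than corrupt the mbox
            box.add(parts[0][1])  # raw RFC 822 bytes, stored verbatim
            written += 1
        box.flush()
    finally:
        box.close()
    return written

def backup_account(host: str, user: str, password: str,
                   folder: str = "INBOX", mbox_path: str = "backup.mbox") -> int:
    """Real use: connect over IMAPS (port 993), log in, back up one folder."""
    with imaplib.IMAP4_SSL(host) as imap:  # the context manager logs out on exit
        imap.login(user, password)
        return backup_folder(imap, folder, mbox_path)

class FakeIMAP:  # constructed stand-in for imaplib so the example runs offline
    def __init__(self, raw_messages):
        self.msgs = list(raw_messages)
    def select(self, folder, readonly=False):
        return ("OK", [str(len(self.msgs)).encode()])
    def search(self, charset, *criteria):
        return ("OK", [b" ".join(str(i + 1).encode() for i in range(len(self.msgs)))])
    def fetch(self, num, parts):
        raw = self.msgs[int(num) - 1]
        return ("OK", [(num + b" (RFC822 {%d}" % len(raw), raw), b")"])

SAMPLE = [b"From: a@example.com\nSubject: one\n\nhello\n",  # constructed messages
          b"From: b@example.com\nSubject: two\n\nworld\n"]

def run_offline_demo():
    """Back up SAMPLE through FakeIMAP, then read the mbox back: (count, subjects)."""
    path = os.path.join(tempfile.mkdtemp(), "backup.mbox")
    written = backup_folder(FakeIMAP(SAMPLE), "INBOX", path)
    return written, [m["Subject"] for m in mailbox.mbox(path)]
```

Calling `run_offline_demo()` exercises the whole path without a network; for a real mailbox call `backup_account` with your server, user name and password, and run it on a schedule so the copy stays current.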


Footnotes & references

1: Apparently I still have a MySpace account. Who knew?

2: “pwned” is hacker-speak for “owned” as in, has your account been “owned” by someone else. Pwned is typically pronounced “powned”.

3: It’s important to note that in none of these breaches were passwords actually exposed. At worst, hashed password data may have been included. In all cases, of course, email addresses, and other possibly personal but less sensitive account information, may have been included.

2 comments on “What Should I Do When My Account Is Involved in a Breach?”

  1. Do NOT just click on a link in a notice of hacked e-mail or anything else.
    This could just be a Phishing scam.
    Go to the site and access it as normal and change your data there. If it is scam mail you probably weren’t breached but this is a good opportunity to do as Leo says. Choose a strong password that you don’t use elsewhere.

    • Was the first thing I thought also. It’s a well known scam, Leo might want to add this to his article, preferably in the first few lines.
