I received the 2 notices below concerning my e-mails (Yahoo & Google) being exposed. I changed passwords on both. Is this common? If it reoccurs, what are my options? I have a lot of information stored in e-mail accounts; is there a backup application before getting new accounts?
Email Password: Exposed Online (may or may not be readable)
Type of Compromise: Potential breach
Where your data was found: web page
Potential Impacted Site: www.adobe.com

Email Password: Exposed Online (may or may not be readable)
Where your data was found: social media
This has happened to me as well.
I want to be clear: normally, this does not mean your accounts have actually been hacked.
However, depending on the specifics of the breach, and your own security habits, it could mean your account is at risk.
Your initial response to change passwords was correct.
The first thing to do
Your instincts were good.
If you have any concern at all, changing your account password is exactly the right first step. Most of the time it’s actually unnecessary, but since we can’t predict when “most of the time” really is, it’s by far the safest thing to do right away.
Naturally, make sure to change it to a secure password, particularly if you’ve been lazy about that in the past.
You’re at much higher risk if you previously used a weak password – even if the hackers didn’t actually get the password itself in the data breach. Depending on the data included in the breach, there are techniques hackers can use to try millions, if not billions, of different passwords at high speed to see which ones work. The weaker your password was, the more likely they are to discover it.
You’re also at higher risk if you used that same password elsewhere. This turns into more work.
The second thing to do
Depending on your personal security habits, the next step can get messy.
Do you use that same password for other accounts?
If so, go change the password at each of those other accounts. Make sure to give each a unique password so you’re never using the same password twice. Use a password manager if you have trouble keeping track of all your passwords – it’ll let you use lots of complex passwords and still keep them unique, because you won’t have to remember them.
The issue is simple: if a hacker is somehow able to get your password for the account affected by the breach, they’ll have an email address / password pair. Those are often the exact same log-in credentials people use at other online services: same email address, same password. Hackers know this, and immediately start trying that combination at a variety of online services. If you use the same password at multiple sites, losing one could be as good as losing them all.
This “password reuse” scenario has recently been blamed for several widespread account hijacks at popular, and sometimes sensitive, services.
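The reuse problem above is easy to audit mechanically. The following is an added example, not code from Ask Leo!, that takes a password-manager style export (the credentials are constructed for the example), groups accounts by password, and, given the site named in a breach notice, lists every other account that shares that site's password and therefore also needs a new, unique one. Passwords are reduced to a short SHA-256 fingerprint so the report can be kept or shared without exposing them.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a password-manager export: (site, login, password).
# These are made-up accounts for the example, not real credentials.
CREDENTIALS = [
    ("mail.example.com", "alice@example.com", "Summer2013!"),
    ("shop.example.net", "alice@example.com", "Summer2013!"),
    ("bank.example.org", "alice", "k9$Lm!2pQ#vR7wZx"),
    ("forum.example.com", "alice@example.com", "Summer2013!"),
    ("social.example.net", "alice@example.com", "correct horse battery staple"),
]


def fingerprint(password: str) -> str:
    """Short SHA-256 fingerprint so a report never contains the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(credentials):
    """Group accounts by password fingerprint; return only the groups with
    more than one site, i.e. the passwords that are being reused."""
    by_password = defaultdict(list)
    for site, _login, password in credentials:
        by_password[fingerprint(password)].append(site)
    return {fp: sites for fp, sites in by_password.items() if len(sites) > 1}


def sites_to_rotate(credentials, breached_site):
    """Given the site named in a breach notice, list every other account whose
    password matches one used at that site. All of them need new passwords,
    not just the breached account."""
    breached = {fingerprint(p) for s, _, p in credentials if s == breached_site}
    return sorted(
        s for s, _, p in credentials
        if fingerprint(p) in breached and s != breached_site
    )


if __name__ == "__main__":
    for fp, sites in find_reuse(CREDENTIALS).items():
        print(f"password {fp}... is shared by: {', '.join(sites)}")
    # The Adobe-style notice above names the breached site; everything that
    # shares its password is at risk of the same login being tried elsewhere.
    print("also rotate:", sites_to_rotate(CREDENTIALS, "mail.example.com"))
```

Most password managers can export to CSV; loading that file into the `CREDENTIALS` list is the only change needed to run this against real data, and the report should be deleted afterwards.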
If your account has been hacked
If you suspect your account actually has been hacked and accessed by someone else, you need to do much more than just change a password.
In short, you need to change or verify every bit of your account profile that could be used to reset or recover your password (for instance, alternate email addresses, phone numbers, security questions, and more). Hackers have been known to use that recovery information to re-hack an account when all you've done is change the password. They've also been known to change this information so they can get back in whenever they want.
More about the steps you need to take is in this article: Email Hacked? 7 Things You Need to do NOW. It applies to much more than just email accounts.
Something to consider
This is also a good time to consider two-factor authentication if your account provider(s) support it.
Two-factor (or multi-factor) authentication is an added security layer that prevents hackers from signing in to your account even if they know the password: they must also present something only you have, such as a code from an app on your phone.
I now strongly suggest two-factor authentication, along with complex and unique passwords, for any account you consider even moderately sensitive.
Is this common?
You asked if this was common.
All I can say is yes … and no.
It does seem like we hear about massive account breaches at an increasing pace. In my opinion, that pace will escalate until we come up with something better than passwords for user authentication.
As I said, it’s happened to me. My email address shows up on no fewer than five lists of breached accounts. I’ve changed more than a few passwords as a result.
But even showing up as part of five separate breaches, I’ve not been hacked. I believe that to be the more common case, but there’s no way to know for sure.
Find out if your account is part of a breach
Aside from the various security and credit monitoring services that include this as a feature, you can look for your own email address on major breach lists. ';--have i been pwned? is a free service that will tell you if your email address appears in any breach for which it has the data.
This is where I showed up five times: MySpace, Adobe, Gawker, LinkedIn, and Patreon.
You can also sign up to be notified if a new breach contains your email address. This is how I learned of my involvement in the Patreon breach, for example.
Backing up email
You also asked if there was a backup application for email, should you decide to get a new account.
Absolutely. It’s called any desktop email program.
Seriously, get a program like Thunderbird or Microsoft Office Outlook or any of a number of others. Install that on your PC, configure account access using the IMAP protocol, and the program will dutifully download all of your email to your PC as a backup. On top of that, since I’m certain you’re also backing up your PC, you’ll be further protected that way as well.
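A desktop client is the practical answer, but the same IMAP download can be scripted, which is useful for a one-off archive before abandoning an account. The following is an added example, not code from Ask Leo!, that opens a folder read-only over IMAP (so nothing is marked as read), fetches every message, and appends it to a local mbox file that Thunderbird and most other clients can import. Because the verifier has no mail server, it runs against `FakeIMAP`, a constructed stand-in exposing the three `imaplib` methods the backup uses; against a real account you would pass `imaplib.IMAP4_SSL(host)` after `login()` instead. The host name and messages are constructed for the example.

```python
import email
import imaplib
import mailbox
import os
import tempfile


def backup_folder(conn, folder, mbox_path):
    """Copy every message in `folder` on an IMAP connection into a local mbox
    file. `conn` needs the imaplib.IMAP4 methods select/search/fetch.
    Returns the number of messages saved."""
    status, _ = conn.select(folder, readonly=True)  # read-only: no flags change
    if status != "OK":
        raise RuntimeError(f"cannot open folder {folder!r}")
    status, data = conn.search(None, "ALL")
    if status != "OK":
        raise RuntimeError("IMAP SEARCH failed")
    box = mailbox.mbox(mbox_path)
    saved = 0
    try:
        for num in data[0].split():
            status, parts = conn.fetch(num, "(RFC822)")
            if status != "OK":
                continue
            # imaplib returns [(b'1 (RFC822 {n}', b'<raw message>'), b')'];
            # the raw bytes sit in the second element of the tuple.
            raw = next(p[1] for p in parts if isinstance(p, tuple))
            box.add(email.message_from_bytes(raw))
            saved += 1
        box.flush()
    finally:
        box.close()
    return saved


def read_subjects(mbox_path):
    """Read the archive back, as a check that the backup is usable."""
    return [msg["Subject"] for msg in mailbox.mbox(mbox_path)]


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4_SSL so the example runs offline.
    It returns the same (status, data) shapes imaplib does."""
    MESSAGES = [
        b"From: alice@example.com\nTo: bob@example.com\nSubject: one\n\nfirst\n",
        b"From: carol@example.com\nTo: bob@example.com\nSubject: two\n\nsecond\n",
    ]

    def select(self, folder, readonly=False):
        return "OK", [str(len(self.MESSAGES)).encode()]

    def search(self, charset, *criteria):
        return "OK", [b" ".join(str(i + 1).encode() for i in range(len(self.MESSAGES)))]

    def fetch(self, num, parts):
        raw = self.MESSAGES[int(num) - 1]
        return "OK", [(b"%d (RFC822 {%d}" % (int(num), len(raw)), raw), b")"]


def demo_to_temp():
    """Run the backup against the fake server into a temporary mbox file."""
    path = os.path.join(tempfile.mkdtemp(), "inbox.mbox")
    return path, backup_folder(FakeIMAP(), "INBOX", path)


if __name__ == "__main__":
    path, count = demo_to_temp()
    print(f"saved {count} messages to {path}: {read_subjects(path)}")
    # Real use (hypothetical host, not part of the original page):
    #   conn = imaplib.IMAP4_SSL("imap.example.com")
    #   conn.login("alice@example.com", app_password)
    #   backup_folder(conn, "INBOX", "inbox.mbox"); conn.logout()
```

With a real server, run it once per folder (`conn.list()` enumerates them), and keep the resulting mbox files inside whatever backs up the rest of the PC; an archive that lives only on the same machine as the mail client is still a single copy.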
Back up your email regardless of whether you’re involved in a breach or not. There are so many different ways you could lose access to your email account that you simply must have a backup or you risk losing everything stored in it – often without warning or recourse.
Remember: if it’s only in one place, it’s not backed up.