
What Should I Do When My Account Is Involved in a Breach?


I received the 2 notices below concerning my e-mails (Yahoo & Google) being exposed. I changed passwords on both. Is this common? If it reoccurs, what are my options? I have a lot of information stored in e-mail accounts; is there a backup application to use before getting new accounts?
Email Password: Exposed Online (may or may not be readable)
Type of Compromise: Potential breach
Where your data was found: web page
Potential Impacted Site: www.adobe.com

Email Password: Exposed Online (may or may not be readable)
Where your data was found: social media

This has happened to me as well.

I want to be clear: normally, this does not mean your accounts have actually been hacked.

However, depending on the specifics of the breach, and your own security habits, it could mean your account is at risk.

Your initial response to change passwords was correct.


The first thing to do

Your instincts were good.

If you have any concern at all, changing your account password is exactly the right first step. Most of the time it’s actually unnecessary, but since we can’t predict when “most of the time” really is, it’s by far the safest thing to do right away.

Naturally, make sure to change it to a secure password, particularly if you’ve been lazy about that in the past.

You’re at much higher risk if you previously used a weak password – even if the hackers didn’t actually get the password itself in the data breach. Depending on the data included in the breach (hashed passwords, for example), there are techniques hackers can use to try millions, if not billions, of guesses at high speed to see which ones match. The weaker your password was, the more likely they are to discover it.

You’re also at higher risk if you used that same password elsewhere. This turns into more work.

The second thing to do

Depending on your personal security habits, the next step can get messy.

Do you use that same password for other accounts?

If so, go change the password at each of those other accounts. Make sure to give each a unique password so you’re never using the same password twice. Use a password manager if you have trouble keeping track of all your passwords – it’ll let you use lots of complex passwords and still keep them unique, because you won’t have to remember them.

The issue is simple: if a hacker is somehow able to get your password for the account affected by the breach, they’ll have an email address / password pair. Those are often the exact same log-in credentials people use at other online services: same email address, same password. Hackers know this, and immediately start trying that combination at a variety of online services. If you use the same password at multiple sites, losing one could be as good as losing them all.

This “password reuse” scenario has recently been blamed for several widespread account hijacks at popular, and sometimes sensitive, services.

If your account has been hacked

If you suspect your account actually has been hacked and accessed by someone else, you need to do much more than just change a password.

In short, you need to change or verify every bit of your account profile that could be used to reset or recover your password (for instance, phone numbers, security questions, and more). Hackers have been known to use this information to re-hack an account if all you’ve done is change your password. They’ve also been known to change this information so they can get back in whenever they want.

The steps you need to take are covered in this article: Email Hacked? 7 Things You Need to do NOW. It applies to much more than just email accounts.

Something to consider

This is also a good time to consider two-factor authentication if your account provider(s) support it.

Two-factor, or multi-factor, authentication is an added security layer: a second proof of identity is required at sign-in, so a hacker who knows only the password is still kept out of your account.

I now strongly suggest two-factor authentication, along with complex and unique passwords, for any account you consider even moderately sensitive.

Is this common?

You asked if this was common.

All I can say is yes … and no.

It does seem like we hear about massive account breaches at an increasing pace. In my opinion, that pace will escalate until we come up with something better than passwords for user authentication.

As I said, it’s happened to me. My email address shows up on no fewer than five lists of breached accounts.[1] I’ve changed more than a few passwords as a result.

But even showing up as part of five separate breaches, I’ve not been hacked. I believe that to be the more common case, but there’s no way to know for sure.

Find out if your account is part of a breach

Aside from the various security and credit monitoring services that include this as a feature, you can look for your own email address on major breach lists. ';--have i been pwned?[2] is a free service that will tell you if your email address appears in any breach for which they have the data.

This is where I showed up five times: MySpace, Adobe, Gawker, LinkedIn, and Patreon.[3]

You can also sign up to be notified if a new breach contains your email address. This is how I learned of my involvement in the Patreon breach, for example.
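The password-reuse check described under "The second thing to do" and the breach lookup described here, carried out in one added example that is not code from Ask Leo! or from Have I Been Pwned: it assumes a password-manager export as a list of (site, password) pairs, uses a constructed sample vault, and checks each password against the Pwned Passwords k-anonymity range API (only the first five hex characters of the SHA-1 hash ever leave the machine); the API reply used here is a constructed stand-in.

```python
"""Audit a password-manager export for reused passwords and for passwords already
in a breach corpus via the Pwned Passwords k-anonymity range API."""
import hashlib
from collections import defaultdict
from urllib.request import urlopen

# Constructed sample vault export (site, password); none of these are real.
VAULT = [
    ("mail.example", "Tr0ub4dor&3"),
    ("shop.example", "Tr0ub4dor&3"),  # same password as mail.example
    ("bank.example", "correct horse battery staple"),
    ("forum.example", "password"),
]
# Constructed stand-in for the API reply to prefix 5BAA6 ("SUFFIX:COUNT" lines).
# The suffix is the real SHA-1 tail of "password"; the count is made up.
SAMPLE_RANGE_5BAA6 = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"

def find_reused(vault):
    """Map each password used at more than one site to those sites."""
    by_password = defaultdict(list)
    for site, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

def sha1_prefix_suffix(password):
    """5-char hex prefix that goes on the wire, 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup of one prefix (network; not used by the offline sample run)."""
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as r:
        return r.read().decode("utf-8")

def pwned_count(password, range_response):
    """How often the password appears in the range reply; 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def audit(vault, fetch=fetch_range):
    """Return (reused, breached); breached maps site -> breach count."""
    breached = {}
    for site, password in vault:
        prefix, _ = sha1_prefix_suffix(password)
        count = pwned_count(password, fetch(prefix))
        if count:
            breached[site] = count
    return find_reused(vault), breached
```

Calling `audit(VAULT)` performs live lookups; pass a fetcher that returns the constructed `SAMPLE_RANGE_5BAA6` for prefix `5BAA6` to run it offline, which reports `forum.example` as breached and the two sites sharing `Tr0ub4dor&3` as reuse.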

Backing up email

You also asked if there was a backup application for email, should you decide to get a new account.

Absolutely. It’s called any desktop email program.

Seriously, get a program like Thunderbird or Microsoft Office Outlook or any of a number of others. Install that on your PC, configure account access using the IMAP protocol, and the program will dutifully download all of your email to your PC as a backup. On top of that, since I’m certain you’re also backing up your PC, you’ll be further protected that way as well.

Back up your email regardless of whether you’re involved in a breach or not. There are so many different ways you could lose access to your email account that you simply must have a backup or you risk losing everything stored in it – often without warning or recourse.

Remember: if it’s only in one place, it’s not backed up.


Footnotes & references

1: Apparently I still have a MySpace account. Who knew?

2: “pwned” is hacker-speak for “owned” as in, has your account been “owned” by someone else. Pwned is typically pronounced “powned”.

3: It’s important to note that in none of these breaches were passwords actually exposed. At worst, hashed password data may have been included. In all cases, of course, email addresses, and other possibly personal but less sensitive account information, may have been included.

Posted: July 20, 2016 in: Email Security
Shortlink: https://askleo.com/22845


Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and after "retiring" in 2001 I started Ask Leo! in 2003 as a place to help you find answers and become more confident using this amazing technology at our fingertips. More about Leo.

2 comments on “What Should I Do When My Account Is Involved in a Breach?”

  1. Do NOT just click on a link in a notice of hacked e-mail or anything else.
    This could just be a phishing scam.
    Go to the site and access it as normal and change your data there. If it is scam mail, you probably weren’t breached, but this is a good opportunity to do as Leo says. Choose a strong password that you don’t use elsewhere.

    • That was the first thing I thought also. It’s a well-known scam; Leo might want to add this to his article, preferably in the first few lines.
