What to do when you’ve been hacked

Because sooner or later, it’s probably going to happen to all of us

Security “leaks” and breaches on popular services are becoming so common it’s almost comical. Except that if your account gets hacked, it could have dire consequences for your privacy and even financial security. Whether it’s a simple social network like Twitter (where 250,000 users’ details have been leaked) or your email account that gets hacked, here’s what you need to do to get control back and protect yourself going forward.

[Security is dead. Now what do we do? and The everyday agony of the password]

1. Find out if your account has been hacked. Sometimes it’s obvious when your account has been compromised. On Twitter, the hacker might post in your name. For your email account, all of the sudden family and friends are telling you you’ve been spamming them like some Nigerian scammer. Even worse, you might find fraudulent charges on your credit card if one of your online shopping accounts gets compromised.

If you’re not sure or you want to keep tabs on any possible leaks associated with your email address, sites like Pwned List and Should I Change My Password will check your email address against publicized databases of compromised accounts. Both will alert you, if you create an account, in the event your email winds up on any new compromises.

2. Try to regain control of your account immediately. First, scan your computer for malware to make sure your PC is clean. Then try to change the password on the account; you might get lucky. If you’re able to get in, also change the account security question. Because security questions are very basic and also easily guessable, however, it’s best to fib a bit on those answers. E.g., if asked your favorite sports team, answer with your favorite quote.

Change your password to one that’s as long as possible, with mixed case letters, numbers, and symbols. A passphrase is easier to remember than random alphanumeric characters, but the most important factor is length and that you don’t use the same password everywhere (more on that it a bit).

If you can’t get back into your account, contact the security team for the service right away. If your email has been hacked, set up a new email address that you can use for secure communications only (and a separate new email address for stuff like newsletters).

3. Change your password for every site you’ve used the same password. Using the same password for multiple accounts is convenient but it leaves you vulnerable. If you’ve used the same password as the compromised account anywhere else, change it to a unique one right away.

A password manager like KeePass and LastPass makes it easier to create truly unique passwords for each site and service. Alternatively, you could create a master passphrase and tweak it slightly for each service; so, for example, you can use ThisIsMyPassword-forWebMail and ThisIsMyPasword-forGoofingOffonFacebook.

4. Notify friends and family of possible security issues. Often hackers will use your account to attach malware or send phishing emails to your contacts (e.g., “Dear Mom and Dad, I’m stranded in a foreign country and got robbed. Please send money.”) If your email has been hacked, warn your contacts not to click on any links from that account.

5. Set up credit monitoring. If the hacked account has any financial information (credit card or bank account, for example) tied to it, keep a close eye on your statements. Often, companies whose user databases have been hacked will offer customers free credit monitoring. If not, sites like Credit Karma and Credit Sesame can monitor your credit profile, so you’ll know if someone tries to open a new account in your name.

6. Revoke access to third-party applications. A hacker could possibly link your account to malicious third-party apps without your knowledge, so even if you regain control over your account, the hacker could still continue stealing your information. Take the time to review your permissions for these connected apps and remove any unknown or suspicious ones. MyPermissions is a useful landing page for seeing what apps have permissions on a variety of services, including Facebook, Twitter, Google, and Dropbox.

7. Protect your account. If two-factor authentication is an option, make sure you set that up on your account as soon as possible. Two-factor authentication is the best protection we have right now; it requires additional verification when anyone tries to log into your account from a new device. You should also sign up for alerts in Google, your bank accounts, and wherever possible for any suspicious activity in your account.

Photo by IntelFreePress Read more of Melanie Pinola’s Tech IT Out blog and follow the latest IT news at ITworld. Follow Melanie on Twitter at @melaniepinola. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon