Has My Password Been Hacked? A step-by-step guide to securing your data
Thousands of data breaches happen every year, and they happen to all sorts of companies — from LinkedIn to Equifax, from Target to Under Armour, from Capital One to Zynga (looking at you, Farmville and Words with Friends players), and many more.
In these data breaches, your name, emails, passwords, address, phone, credit cards, bank accounts, and other personal information you’ve given to these companies are exposed and resold to hackers on the dark web. These criminals can then use your information to open new accounts, access your assets, or make purchases pretending to be you. It’s terrifying, and these data breaches affect millions of people every year without their knowledge.
This article is a guide on how to stop yourself from being a victim, complete with recommendations for free and safe tools.
Step 1: Figure out if your information has been stolen in a data breach.
Step 2: Secure your passwords and save them in a password manager.
Step 3: Protect your credit and identity.
Depending on the answer to Step 1, you may only need a few minutes, OR you may need 1 or 2 hours to complete all the steps in this guide.
Step 1: How to figure out if your information has been stolen in a data breach
- Go to www.haveibeenpwned.com. Created by cybersecurity expert Troy Hunt, this is a free site for checking if your information has been exposed in any data breaches. “Pwned” is cyber slang for being owned, defeated, or hacked.
- Once you’re on the site, you’ll see the email field. Enter your email address, and then click the “pwned?” button to see if your passwords and accounts were exposed to hackers in historical data breaches. No, this doesn’t sign you up for anything. And yes, you can check all of your email addresses, one at a time.
- You’ll then get one of two results: (a) Good news — no pwnage found! or (b) Bad news — your information has been stolen in X number of breaches. In the latter case, the website will also tell you what data was compromised. For example, whether it was just your email address, or also your password, credit card number, and address.
- If you see result (b), move on to Step 2. If you see result (a) but still want extra peace of mind, I recommend carving out time to secure your accounts and passwords as described in Step 2.
Step 2: How to secure your passwords and accounts
Let’s go through a scenario: you went through Step 1 and figured out that your email, usernames, passwords, and credit card were exposed during the 2018 Marriott and 2012 LinkedIn data breaches. So what? You check your credit card statements regularly and you go reset your LinkedIn and Marriott passwords. You’re good now, right? Not quite.
Remember that hackers still have your email address and other identifying information. If you use the same password for multiple accounts (e.g., your LinkedIn and Gmail accounts) or have a weak password, hackers can still access your accounts and make fraudulent transactions. And yes, your dog’s name followed by some numbers like “fluffy203” is considered a weak password and hackable. (Fun fact: “fluffy203” has been exposed 6 times in past data breaches.)
Here’s how to fix this.
- Change your passwords and don’t share them between accounts. Use a different password for your Facebook account vs. your Bed Bath & Beyond shopping account!
- Make every password of yours unique and strong. Strong passwords have at minimum 14 characters and use a combination of letters (upper case and lower case), digits (0–9), and symbols.
- The easiest way to generate and track strong passwords for your various accounts is to use a password manager. Here are some good and free password managers tested and recommended by the NYTimes: www.nytimes.com/wirecutter/reviews/best-password-managers/. My personal favorite is bitwarden.com — it’s free and encrypted, and it has a Chrome plug-in and app for generating and retrieving your long and secure passwords. And nope, I don’t get a commission from bitwarden; just sharing with you my honest thoughts.
- Enable two-factor or two-step authentication. This enables you to verify your identity using not just (1) your password, but also (2) your phone number or email address. Some more tips to make two-step authentication work smoothly: Don’t lose your phone, or at least make preparations in case of loss (e.g., list an alternate email on top of your phone number). And don’t respond to texts and phone calls that ask you to share your unique codes for 2-factor authentication; these could be hackers pretending to be your account providers!
If you use the same password for multiple accounts or have a weak password, hackers can still access your accounts and put you at risk of identity theft.
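Have I Been Pwned also runs a Pwned Passwords lookup that reports how many times a password appears in breach data, which is how a count like the one quoted above for “fluffy203” can be checked. The following Python is an added example, not code from the original article: it queries that service's range endpoint by sending only the first five characters of the password's SHA-1 hash and matching the rest locally. The helper names and the constructed sample response are assumptions made for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, body):
    """Look up our suffix in a range response made of 'SUFFIX:COUNT' lines."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix absent from the returned range: no match found


def fetch_range(prefix):
    """Network call. Only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def exposure_count(password, fetch=fetch_range):
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


def sample_range_body(password, count):
    """Constructed response for offline use: two filler rows plus our suffix."""
    _, suffix = split_hash(password)
    return "0" * 35 + ":3\r\n" + suffix + ":" + str(count) + "\r\n" + "F" * 35 + ":1\r\n"


if __name__ == "__main__":
    # Offline demo: the count 6 is the figure quoted in the article, not fetched.
    offline = lambda prefix: sample_range_body("fluffy203", 6)
    print(exposure_count("fluffy203", fetch=offline))
    print(exposure_count("correct horse battery staple 42", fetch=offline))
```

Calling `exposure_count(password)` without the `fetch` argument performs the real lookup; the password and its full hash never leave your machine.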
Step 3: How to protect your credit and identity
If you suspect your financial information or social security has been exposed, you can take extra precautions to keep yourself safe.
- Check your credit reports and bank statements regularly. In addition to reviewing your bank and credit card statements for suspicious withdrawals and transactions, check your free credit report at least 3 times per year. Why 3? Experian, Equifax, and TransUnion are each required by law to give you a free credit report per year. When you stagger them, you get 3 annually — Experian in April, Equifax in August, TransUnion in December, and repeat the following year. What should you look for? Review these reports carefully for loan, bank, and credit card accounts you don’t recognize. Then report those you didn’t authorize. Note that annualcreditreport.com is an official site directed by U.S. law to provide these credit reports for free, but be careful of copycat sites out there.
- Freeze your credit. You can go to the Experian, Equifax, and TransUnion websites to either (a) place a temporary fraud alert or (b) freeze your credit. What’s the difference? A fraud alert notifies any business that’s requested your credit report (e.g., credit card company where a hacker tried to open an account using your name and social) to provide additional details to confirm your identity. Freezing your credit goes a step further by stopping new businesses from accessing your credit report, preventing hackers from creating new accounts and loans in your name, until you lift the freeze. If you suspect you’ve been the victim of identity theft, freezing your credit can help reduce further damage to your credit history.
- Report identity theft. If someone has your personal information and tried to use it without your permission, you can report it to the proper authorities. https://www.identitytheft.gov/ is a good start for next steps.
Stay safe out there. Comment below if there are other topics you want me to cover in the future.