In my last post, I shared the account of my recent email and Facebook hack attack. Now, it’s time to get to the nitty gritty—the relevant details that might help you and me prevent future digital identity theft and account invasions.
The most common question I’ve gotten since the hack attack is “how did this happen?” That one simple inquiry has a hundred potential answers. The reality is I will likely never know how this happened to me with any certainty, especially since my online activity is extensive, my travels have taken me far and wide, and I’ve been lax on security issues for some time.
Of course, everyone who’s asked how this happened is ultimately looking for real answers about how to avoid it ever happening to them. Though I can’t pinpoint the answer, I can share with you some possible, plausible scenarios that carry very useful lessons for all of us.
Change your passwords regularly. Dare I admit that I hadn’t changed my password in—um, well, er, uh—YEARS?!? It’s so “Online Security 101.” I’ve traveled internationally, logged onto countless wireless connections—even unsecured free Wi-Fi, been on public and borrowed computers, you name it. Yet I never changed my password in all those years.
(Hey—don’t judge; you know you hadn’t changed yours for years either until you saw all my post-hacking status updates imploring you to change your password! Just sayin’.)
Use difficult passwords with no reference to anything logical or personal. Though the email password I had in place for years wasn’t woefully obvious, it was ultimately quite crackable, as it incorporated some words relating to things about my life. A tour around my Facebook profile (before I changed my privacy settings) could have revealed a series of testable guess-phrases. With advanced ‘dictionary attack’ methods, hackers can input potential elements of passwords and autogenerate thousands of combinations until the right one strikes.
The rule of thumb: Use a nonsensical combination of letters, numbers and special characters (if the system allows), including random use of capital letters in the mix. Go at least 9 characters long for maximum security. Studies have shown that every extra character multiplies the number of possible passwords, so longer passwords exponentially decrease the likelihood of deciphering.
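To put numbers behind the “exponentially” claim, here is an added Python example (not code from the original post) that computes the brute-force search space for a random password of a given length and compares it with a password assembled from a few personal words of the kind a profile can leak. The character-set sizes, the figure of 50 known personal words and the rate of ten billion guesses per second are all assumptions chosen for the illustration, not measurements.

```python
import math

# Assumed character-set sizes for the estimates (assumption for this example).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32
FULL_CHARSET = LOWER + UPPER + DIGITS + SPECIAL  # 94 printable ASCII symbols

# Assumed offline guessing rate; an illustrative figure, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1e10


def search_space(length: int, charset_size: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn uniformly from `charset_size` symbols."""
    if length < 1 or charset_size < 2:
        raise ValueError("need length >= 1 and a charset of at least two symbols")
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """Entropy in bits of a password chosen uniformly from a space of `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate, in years."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def personal_words_space(known_words: int, words_used: int, digit_suffix_len: int) -> int:
    """Search space when a password is `words_used` words taken from a list of `known_words`
    personal words (pets, places, hobbies) followed by a digit suffix.  This models the
    'testable guess-phrases' the post says a profile can reveal."""
    return known_words ** words_used * 10 ** digit_suffix_len


def compare(length: int = 9) -> dict:
    """Side-by-side estimate for a profile-derived password and a random one of `length` chars."""
    guessable = personal_words_space(known_words=50, words_used=2, digit_suffix_len=2)
    random_pw = search_space(length, FULL_CHARSET)
    return {
        "profile_derived_candidates": guessable,
        "random_candidates": random_pw,
        "profile_derived_bits": round(entropy_bits(guessable), 1),
        "random_bits": round(entropy_bits(random_pw), 1),
        "random_years_worst_case": years_to_exhaust(random_pw),
    }


if __name__ == "__main__":
    # Each added character multiplies the search space by the charset size (94 here).
    for n in (6, 8, 9, 12):
        s = search_space(n, FULL_CHARSET)
        print(f"{n:2d} random chars: {entropy_bits(s):5.1f} bits, "
              f"{years_to_exhaust(s):.3g} years to exhaust")
    print(compare())
```

The comparison shows the two points the post makes: two personal words plus a couple of digits give only a few hundred thousand candidates, while each extra random character multiplies the space by the full charset size, so length buys far more than cleverness.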
Since I’ve purveyed this tidbit post-hack, I’ve had so many friends respond with lamentations about not wanting to create something “too hard to remember.” To those friends I say, nothing motivates one to lock and load a crazy-hard password into the memory bank than living through the upheaval of a hack attack.
Vary your password usage. If you’re using the same password on all your major accounts—email, Facebook, Twitter, LinkedIn, etc.—you’re making it really easy for hackers to trounce all over your online identity. Over the years, I’ve relied on a pretty steady collection of passwords, intermingling the same few amidst my various accounts.
Variations on a theme are not safe enough. After the hack attack, I went into all my online accounts and changed every password to something totally disjointed, individual and difficult. There’s now no theme or thread of similarity to any of my passwords.
Be VERY careful about what you ‘click.’ I fancy myself cautious about click throughs. Those inspirational PowerPoints and video clips that you got from your friend who got it from her cousin who got it from her husband’s former boss’ secretary? I don’t open them. That flashy ad with the bug-eyed cartoon on the sidebar of that blog I visited last month and that “guess how many jelly beans” brain teaser that loads when I refresh my free email account? I resist clicking every time.
Still, I do click things on occasion, including some videos through Facebook or links to articles from people I don’t know on Twitter. Though I usually use a Mac, which is less susceptible to spyware, viruses and the like, I have clicked through on my unprotected little Windows-running netbook. One bad click could’ve led to hackers tracking my password inputs with ease.
PC users are more likely to succumb to viruses, spyware and malware. Proper scanning programs are musts for anyone who regularly searches the Internet.
Don’t be phishable. Phishing is the illegal process of obtaining sensitive information (logins, passwords, account numbers) through electronic communications presented as trustworthy. Rack my brain as I might, I can’t recall ever falling for the bait of a phisher. I have identified and deleted probably hundreds of phishing emails over the years, and if I ever fell victim to such a scam, the phishers were so effective I still have no knowledge of the scam.
The moral of this point is fundamental. Don’t divulge your details outside the confines of a known, fully identified entity with built-in security and privacy settings that provide the utmost assurance of trustworthiness. Stay vigilant lest you fall for a scam hook, line and sinker.
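One mechanical check behind “presented as trustworthy” is whether a link’s visible text and its real target point at the same host; phishing messages often show one address and link to another. The following Python example is added here and is not part of the original post; the HTML message body is constructed for the demo, and `login-verify.example.net` is a placeholder host, not a real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body for the demo (not a real email).
SAMPLE_HTML = """
<p>Dear customer, your account needs verification.</p>
<p>Visit <a href="http://login-verify.example.net/yahoo">https://mail.yahoo.com/security</a> now.</p>
<p>Or read our <a href="https://help.yahoo.com/kb">help pages</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; a bare domain is treated as if it had a scheme."""
    parsed = urlparse(url if "//" in url else "http://" + url)
    return (parsed.hostname or "").lower()


# Visible text that looks like a URL or domain (scheme optional, a dot and a TLD required).
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def suspicious_links(html: str) -> list:
    """Return anchors whose visible text is a URL/domain on a different host than the href."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if not href or not _URLISH.match(text):
            continue
        if host_of(text) != host_of(href):
            findings.append({
                "shown": text,
                "actual": href,
                "reason": "visible URL host differs from link target host",
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: shows {f['shown']!r} but goes to {f['actual']!r}")
```

The same comparison is what a mail client does when it shows the real destination on hover; the script simply makes it explicit for a whole message, and anchors whose text is ordinary words (such as “help pages”) are left alone because there is no displayed address to contradict.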
Rely on a trustworthy email service provider. My email is hosted entirely in the clouds through Yahoo!. While all emails that are sent and received must travel to and through ‘the clouds’ at some point, I could find an alternative service that hosts more securely, with layers of additional protection, firewalls and such. There’s no denying that services such as Hotmail, Yahoo! and Gmail are just more vulnerable to hackers. Long term, I will be finding more secure solutions for my email hosting needs.
For anyone who’s dismissed my saga as one that was bound to happen because of my extreme online activity and visibility, I implore you to think otherwise. Sure, it could well be that the hackers pinpointed me based on what was abundantly findable through my digital breadcrumb trail. Yet, as the above points make plain, there are any number of ways any of us could be hacked regardless of the amount or frequency of online activity.
Also, being visible doesn’t have to equate with being vulnerable. By heeding the aforementioned key points (as well as more to come in my next blog post), I can maintain my online profile and still protect myself.
Have you survived a hack attack? Please share your stories with other Small Biz Big Time readers. Post your two cents’ worth over on the Facebook group.
My next post will feature some eye-opening information and wonderfully practical tips from Identity Theft Expert and Speaker John Sileo. It’s seriously good stuff, so stay tuned…
Thanks for reading!
I’ve found the best way to remember a really long password is to use a mnemonic phrase, e.g. “My cats and dogs are crazy to fight so very often” equals “Mcadac2fsVo,” which is a strong password.
Thanks for sharing. I’ve changed all my passwords for the first time in (honestly) years also.
Thanks so much for posting this – very helpful stuff!
You didn’t mention one of the easiest ways is to use an identity theft protection service like Lifelock. http://www.lifelock.com/landing/real/safe. It costs about $10/month, and they are currently offering 10% off if you use promo code SAFEID1. Hope this helps.
I’m also a contracted representative of LifeLock, so if you have any questions about their identity theft protection services, let me know.