I was hacked just like Mark Zuckerberg. Learn from my mistakes
Mark Zuckerberg and I have at least one thing in common: We've both been hacked thanks to bad password security. Sure, he's a Silicon Valley tycoon and I'm a tech writer, but we both made it possible for someone to break into our social media accounts by using the same password more than once. He used "dadada" on his Twitter and Pinterest, while I used "b1rthd4yg1rl," well, 671 times.
The most frustrating part is that all of this could have been avoided.
After all, it's not difficult to protect yourself online: create unique, tough-to-guess passwords for every account, change your passwords whenever a site gets hacked, and use two-factor authentication whenever possible. Also, don't forget to use a password manager to generate, encrypt, store and update passwords for you. I used 1Password, an app that makes it possible to see which passwords I used for all my digital identities.
But it's not enough just to know the best practices. You also have to follow them.
I learned the hard way last week. When I logged into Skype for the first time in a month, I discovered that my account had sent out hundreds of links to a celebrity weight-loss solution. Mr. Zuckerberg had the same bad luck after his password turned out to be one of the more than 100 million made public in the data dump of LinkedIn usernames and passwords stolen in a 2012 breach.
So what do you do when you get the wake-up call of an actual security breach, and realize it's time to clean up your act? Here are the steps I followed.
1. Figure out the source of the leak, and the password associated with that account.
It's still not clear how the attackers broke into my account. But that leaked LinkedIn database included my credentials, and I have a feeling someone tried the same username and password on my Skype account. Open sesame.
Luckily, whoever busted into my Skype didn't change the password. The problem is I used that password -- I'll call it "b1rthd4yg1rl," in case there is a hacker out there who doesn't yet have the actual password -- as a favorite "all purpose" password for accounts that didn't include any sensitive information. Most of the places I used that password, I also used my primary email address as my login -- so anyone who had both my email address and that password now had access to hundreds of my accounts.
In fact, I could use my 1Password database to search for every account using b1rthd4yg1rl. The grand total? 671 potential breaches. Time to get to work.
2. Prioritize your vulnerabilities.
I knew I wouldn't be able to change 671 passwords in a single evening, so I had to decide which accounts were the most important to protect. I printed the list and went through it with a highlighter, marking my top priorities based on whether they used the b1rthd4yg1rl password, or the email address associated with my Skype account.
I also made a note of the accounts that contained any kind of financial or personal information, like my Visa number, photos of my kids, or where I had any other personal information that might let a hacker get access to even more of my accounts.
3. Log in to each vulnerable account, and change your password.
This is the boring part. Using 1Password, I logged into each of my high-priority accounts, and then went hunting for the "change password" option. On some sites it was very hard to find the "change password" page, and on one site, I couldn't find an option anywhere. I'm talking to you, .
If I were smart, or paranoid, I could have spent a week working my way through the list of all the sites where I'd used my stolen password. But I just don't have that kind of time, so many of the low-priority sites are still theoretically hackable. That's right, hackers: you have open access to my account on LibraryThing -- enjoy!
4. Generate and store new passwords in your password manager.
As I changed my passwords, I finally did what I should have always done: create a unique password for each site. I used 1Password's password generator to create almost all of these passwords. In a couple of cases, I had to add special symbols because some websites require special characters in any password, and 1Password doesn't automatically include them.
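Steps 1, 2 and 4 above are what the author did by hand in 1Password: search for every account using the leaked password, rank them by how badly they need attention, and mint unique replacements. As an added example (not the article's or 1Password's own code), here is that same triage in Python over a constructed vault export; the CSV layout, the PRIMARY_EMAIL value and the category ranking are all assumptions.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample export (a made-up CSV layout, not 1Password's real export format).
VAULT_CSV = """title,url,username,password,category
Skype,skype.com,me@example.com,b1rthd4yg1rl,social
LinkedIn,linkedin.com,me@example.com,b1rthd4yg1rl,social
Bank,bank.example,me@example.com,Xq9$kLm2!vR7pQ,financial
LibraryThing,librarything.com,reader42,b1rthd4yg1rl,other
PhotoSite,photos.example,me@example.com,b1rthd4yg1rl,personal
Forum,forum.example,reader42,unique-pass-1,other
"""
PRIMARY_EMAIL = "me@example.com"  # assumed: the login reused alongside the leaked password
CATEGORY_RANK = {"financial": 0, "personal": 1, "social": 2, "other": 3}  # assumed ranking
SYMBOLS = "!@#$%^&*"

def load_vault(text=VAULT_CSV):
    return list(csv.DictReader(io.StringIO(text)))

def reused_passwords(entries):
    """Any password that appears on more than one entry, with the entries sharing it."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e)
    return {pw: es for pw, es in by_password.items() if len(es) > 1}

def exposed_accounts(entries, leaked_password, primary_email=PRIMARY_EMAIL):
    """Steps 1-2: accounts using the leaked password, most urgent first.
    The exact leaked (email, password) pair can be replayed as-is, so entries with
    that login come first; within a level, financial and personal data outrank the rest."""
    def urgency(e):
        level = 0 if e["username"] == primary_email else 1
        return (level, CATEGORY_RANK.get(e["category"], 9), e["title"])
    return sorted((e for e in entries if e["password"] == leaked_password), key=urgency)

def new_password(existing, length=20):
    """Step 4: a random password that is unique within the vault and contains a symbol,
    for the sites that insist on one."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if candidate not in existing and any(c in SYMBOLS for c in candidate):
            return candidate

if __name__ == "__main__":
    vault = load_vault()
    for e in exposed_accounts(vault, "b1rthd4yg1rl"):
        print(f"change first: {e['title']} ({e['category']}, login {e['username']})")
```

The bank entry never appears in the exposed list because its password is unique, which is exactly the state step 4 is meant to reach for every account.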
What I learned:
I should have started changing my passwords the minute LinkedIn's hacked collection of passwords went on sale -- or at least, before publishing a story about the hacker selling the credentials.
From now on I'm going to rely on my Facebook, Twitter or Gmail account to register for any site that gives me the option. This method, called OAuth, makes it possible for social media users to use their trusted accounts to automatically log in to third-party websites. While I've already used OAuth for some site registrations, I've hesitated to connect a new site to my social media identity, out of concern for my privacy. Now I realize that the biggest threat to my privacy is actually having a password stolen, so the fewer passwords, the better.
I'll have to give the new site permission to access some of my social media activity, but fewer accounts on fewer websites drastically reduces the chances I'll be victimized again.
When OAuth isn't an option, I'm going to use a totally unique password on every site I visit. That's going to mean using 1Password to formulate a long, random password for me. In other cases, I'm going to use long song lyrics, which are harder to guess than single words, that only I would associate with the site in question. Even then, I'm still storing those in 1Password.
This experience has made me more conscious of my security shortcomings and motivated to do better in the future. But it's also reminded me why it's so hard to follow the recommendations of security professionals. I knew what those recommendations were, but following good security practices can be inconvenient. It took actually being breached to make the hassle feel worthwhile.
It's tempting to want to shake our fingers at people who fail to take basic security measures online. But we should also recognize there's a need to make those measures easier. Even Mark Zuckerberg would probably agree.