My Personal Information Was Stolen

1.4 What Do We Do if We’ve Been Hacked?

Transcript

Davis: In our first episode, I mentioned that I bought one tiny measly tote bag online, and then literally three days later got a message saying that my password had been leaked as well as my email address. I know it’s super common, so I wanted to talk about what should we do if our information is already out there. So, Erin, first and foremost, is there any way that our viewers can tell if their information’s been leaked at all?

Erin: Yeah, for sure. Thanks, Davis. I also had bought a t-shirt on that same site, so we’re right there with you on having that exposed. Luckily, I use a unique password for everything, so I wasn’t worried about my email address being linked to the same password that I use to access my email, so that was good. Now, most of us have probably had our data leaked out there. If you’ve been online at all in the last, you know, five to ten years, you’ve probably had it leaked, so I recommend going and checking the website haveibeenpwned.com. And that site will actually tell you if your email and your phone number have been found in a known breach.


There are also several dark web scanners out there that you could look up. And you can again check to see if your information has been found in a known data dump file associated with the breach.

Now, with GDPR and with a lot of the state privacy laws, companies are now required to notify you if your information has been breached. So that way you’ll at the very least know what information of yours has been compromised.

Davis: Thank you. So let’s say, like with your t-shirt and my tote bag, that we know that our information is out there. What’s the first step that someone should take if they find themselves in a similar situation?

Erin: For sure, and I think that’s why that website’s really helpful or those emails from the companies letting you know what information, because it’s important to understand what was leaked. In this case our emails were exposed so we should both be on higher alert for those phishing schemes. If your phone number was part of that breach, then be on the lookout for a fraudulent text message or even a phone call.

You know, phishing can happen through text as well; it’s called smishing, and I actually had that happen to me recently. I got a text message from Bank of America saying that my EDD prepaid debit card was suspended and that I needed to click on this link to reactivate it.

Well, I don’t have a Bank of America prepaid debit card, so that was a pretty big hint to me. The second was that the link was actually from a tiny URL, and that’s probably not used by a major corporation. So I did a quick internet search, just typed in “Bank of America text message scam,” and it led me to a news article from 2021 that explained exactly what I had experienced.

Davis: Yeah, sadly that sounds like a perfect phishing scheme for someone who’s a part of a vulnerable population, so that’s a real bummer. So I think it’s important for us as library staff to understand these things. So what if in fact your credit card had been lost in a leak? That, you know, you happen to know that your Visa card or whatever was compromised?


Erin: Yeah, if your credit card’s part of the leak, then I think the best path would be to actually just close that account right away. So call your credit card company, let them know that your credit card number has been compromised, and get a new card issued to you. If your password was also exposed to your bank, so it’s like your credit card number and your bank account or something along that, make sure to go in and change your password. And if you don’t have that multi-factor authentication set up yet, turn that on for any of your accounts where your credit card is linked, and you’re able to do that as well.

Davis: Thank you. We’re talking about multi-factor, so maybe we can talk about some common internet services so what about email? How do you know your email has been hacked, and what should you do if you find it has been?

Erin: Yeah, if your email’s been hacked, then, again, the first thing you want to do is change your password. And if you don’t have that multi-factor authentication set up, do it now. I know I’ve said that several times in this series, but it is really important to set up multi-factor authentication.

And it’s possible that your email’s been cloned, so you might not see sent messages coming from it, but you may be notified because people that you have in your contacts list have gotten phishing emails. I’ve had this happen to me before. And they just send out basically spam messages or phishing messages to everybody on your contacts list. It sucks, it’s embarrassing, but it’s okay; just make sure you check in with people, let them know that you’ve been hacked, and tell them not to respond to any of the messages that they receive from you.


Davis: Thank you. What about social media accounts?

Erin: So, again, I think the most common indicator of the social media hack is that your messenger app has been sending those phishing or spam messages to all your contacts. Actually, my friend on Facebook had — his dog had a Facebook account, and his dog was sending messages to all of our friends saying like, “Hi, how are you? I need some money,” and so it was a little humorous to watch the dog engaging in these spam conversations.

But, you know, it’s kind of similar to your email when your social media account’s been hacked. And you want to go in and change your password, set up multi-factor authentication, and notify all your friends not to respond to messages.

There is a possibility, though, in those instances, if your account’s been taken over, that you may lose access to it, and it may be a real pain to gain access again. It’s possible you may have to contact customer support. You may have to show your photo identification to show that you are the real user of that account, because sometimes when you do get hacked on your social media accounts it’ll trigger, or your friends will report, you know, people it’s contacted will report spam, and it may lock down your access to that account.

Davis: Yeah, that sounds like a pain. So protecting our passwords might be one way to sort of avoid this from jump. So I wondered, what is a tip you have for writing a good password?

Erin: So I actually think, you know, again, using that password manager is your best way to write a good password, because you can create randomized passwords and those are the hardest to guess. Now, if you’re not going to do that, there are some accounts where we can’t use a password manager. The example I have for myself on that is, actually, my work account. In order to log into my computer, in order to log into my VPN, and all of that, I have to have a good strong password. And that’s when I really want to be strong. I don’t want anybody to be able to access that account. I’m traveling with my laptop oftentimes, you know, you don’t want it to get stolen or something like that. So instead of thinking about passwords, I would think about passphrases.


So think about, you know, some words that have some kind of meaning to you that you’ll remember, but that don’t have anything to do with you personally, so don’t use names or birthdays or street addresses or any kind of personally identifiable information. But, you know, string together a set of words, add some numbers, add some symbols in there, and that’ll kind of give you a good set. You want it to be long, so think about something that’s maybe 12 to 16 to 18 characters long. I know that’s a lot, but if you think about it, it’s like typing a sentence.

So think about that, type it out, make it, you know, unique for you. And you can also — there are some websites out there where you can check to see. It doesn’t store your password or anything like that, but you can kind of see how long it would take to get your password cracked by a brute force attack.

And the other thing is that, you know, when passwords were originally being created, we were told to, like, “oh, we’ll replace an i for a one and an o for a zero and that’ll really make it stronger.” That doesn’t actually make a difference anymore when you’ve got those brute force attacks. Those are common enough, you know, switching around that. They take that into account. So, you know, add some numbers or symbols into that passphrase and you should have something that’s pretty strong and hard to break.

Davis: Yeah, thank you. I remember going to an art exhibit once where someone had bound this master list of all the LinkedIn passwords that had been breached, and I was like, I wonder if mine’s in here. And sure enough it was. I had done that thing where I swapped letters for symbols, and it was pages and pages and pages of my same password with that same thing. And then I realized, for real, that that swap does not work at all, and that my password was actually extremely weak. So, yeah, let that be a lesson to me for the future.

Thank you so much for those excellent tips, Erin, and we’ll see you in our next video where we talk about libraries. That’ll be fun. So we’ll see you then.
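The point Erin makes about letter swaps versus length can be shown with a small strength estimator. This is an added example, not part of the video or its producers' materials: it compares the naive "every character is random" estimate with a model of how a cracking tool actually works (a wordlist plus rules that try each substitution and capitalization). The wordlist, the list size, and the guess rate are constructed assumptions.

```python
import math

# Constructed stand-in for a cracker's wordlist (assumption). Membership is
# checked against this tiny set; WORDLIST_SIZE models the size of the real
# list an attacker would run, which sets the cost of guessing one word.
WORDS = {"password", "library", "tote", "correct", "horse", "battery", "staple"}
WORDLIST_SIZE = 100_000
# Common substitutions a rule set undoes: "1 for i, 0 for o" and friends.
LEET = {"1": "i", "0": "o", "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"}
LEETABLE = set(LEET.values())      # letters the attacker will try swapping
GUESSES_PER_SECOND = 1e10          # assumed offline rate against a fast hash


def charset_size(pw: str) -> int:
    """Alphabet size the naive model assumes (lower/upper/digit/symbol)."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33
    return size or 1


def naive_bits(pw: str) -> float:
    """Strength if every character had to be brute-forced independently."""
    return len(pw) * math.log2(charset_size(pw))


def rule_aware_bits(pw: str, words: set = WORDS) -> float:
    """Strength against a wordlist attack with leet, capitalization rules.

    Substitutions are undone, the result is split greedily into wordlist
    words, and each word costs log2(WORDLIST_SIZE) plus one bit per
    swappable letter (swap on/off) plus one bit for capitalization.
    Characters that are not part of any word are charged as raw brute force.
    """
    base = "".join(LEET.get(c, c) for c in pw).lower()
    per_char = math.log2(charset_size(pw))
    longest = max(map(len, words))
    bits, i = 0.0, 0
    while i < len(base):
        for length in range(min(longest, len(base) - i), 0, -1):
            word = base[i:i + length]
            if word in words:
                bits += math.log2(WORDLIST_SIZE)
                bits += sum(c in LEETABLE for c in word) + 1
                i += length
                break
        else:                      # no wordlist word starts here
            bits += per_char
            i += 1
    return bits


def crack_seconds(bits: float) -> float:
    """Expected time to exhaust a search space of 2**bits guesses."""
    return 2 ** bits / GUESSES_PER_SECOND
```

Running both estimators on the swapped word "P@55w0rd!" versus the four-word "correct-horse-battery-staple" shows the swapped word dropping from about 59 bits (naive) to about 28 bits (rule-aware, cracked in well under a second at the assumed rate), while the passphrase keeps roughly 100 bits under the rule-aware model.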

Further Reading

Relevant Terms

  • GDPR

    GDPR stands for the General Data Protection Regulation. The GDPR was created in 2016 by the European Union to establish laws on data protection and privacy in the European Union and the European Economic Area.

    The GDPR is an important component of EU privacy law and of human rights law. It is enacted pursuant to Article 8 of the Charter of Fundamental Rights of the European Union.

  • Phishing

    The fraudulent practice of sending emails purporting to be from reputable companies in order to persuade individuals to reveal personal information like passwords and credit card numbers.

  • Smishing

    The fraudulent practice of sending text messages purporting to be from a reputable company with the purpose of inducing individuals to reveal personal information like passwords or credit card numbers.

  • Multi-factor Authentication

    A method used by online services in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. These systems often rely on something the user knows (e.g. a password) and something the user has (e.g. their phone).


Contributor Bios

  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.