Don't hack me bro
September 3, 2018 2:12 PM Subscribe
After receiving some verification emails, notices from my CC company that my email and a password were "posted on the dark web", it seems like someone - or multiple people - are trying to steal my identity/hack me and it's insanely stressful. What is the step-by-step process to ensure I am completely buttoned up and protected?
So far:
- I received a notice from my credit card company that my email was found "on the dark web" and an old password was posted that I've used in so many sign-ups that I can't even remember. Yes this is dumb, I'm trying to change here.
- I've received a phishing scam email where they sent me a template message that contained one of my old passwords - that is likely connected to a few different apps/sites - and tried to extort me into paying them bitcoin. I called the FBI and they said it's a common scam and to submit the email to their web portal so they can investigate.
- I've received various verification code emails from Uber and Netflix "someone in another country is trying to log into your account" etc types of notices
So obviously my email address and one of my passwords (not connected to my bank account or email) was posted up somewhere and either a person or various people have their grubby hands on it and are trying all kinds of shit. I cannot tell if it is to just use my Netflix account and watch Better Call Saul and to get some free Uber rides, or if it is part of some wider connect-the-dots project to steal my identity through various sites, eventually get my SS somehow...which is paranoid but seems legit? Identity theft is a thing and I imagine it starts with one password.
My question is, I really don't know where to start cleaning house. I have a small handful of passwords that I use across, I don't know, 40 or 50 different apps and sites? Yes, idiotic, but I'm ready to start being serious about security I promise. I've enabled phone authentication for stuff like google and my bank but really this seems like a giant-ass, hours long project of going one by one through everything I've ever bought or connected my ID to and a) determining where I've made any kind of account that connects my email, address, password etc and b) updating it and keeping inventory somewhere like a password manager tool to keep track of what my 50 different passwords are. Are there any tips/tricks that make this seemingly massive overhaul easier? Am I worrying too much?
As long as you've put new, unique passwords on critical accounts like banks, you're off to a good start. Next, get a password manager like Dashlane and start using it religiously. It will create new, strong passwords for you anyplace you go. Stop using the old standby password entirely, of course. Work through the next tier of sites (not critical but used often, like Netflix, your phone account, cable account, etc.) changing each to a unique PW. The rest are not likely to yield much info to a hacker, but over time, get each of them into the password manager.
posted by beagle at 2:22 PM on September 3, 2018 [1 favorite]
I'm assuming you've already changed your passwords for anything critical and financial, such as your bank accounts and credit cards, even if you haven't gotten notifications from them. If not, do that now. Those would be my main worries.
Then I'd request that new debit card / credit cards be issued to you. If nothing else, this will put up a road block every time you try to do something online until you enter in the new debit or CC info, and will make it easier-ish to figure out what you've got associated with what. And it will hopefully stop any identity thieves from making use of something if they have access to an account with that info in it.
Next, get something like 1Password. I use its Password Generator feature whenever I sign up for a new service - I couldn't even tell you what my password is for 99% of the places I visit online, including MetaFilter. 1Password has a browser extension that lets me auto-fill my login info for websites that I've stored in it (after I have to enter a master password, of course). There are also 1Password apps for your mobile devices and tablets. It's not cheap, but it saves me a lot of time and worry.
And then yeah, it's going to be a slog going through various accounts and changing passwords and turning on 2FA where you can. Once you have a decent password manager in place you'll have a better idea of what all is out there and can have better control over it.
posted by ralan at 2:29 PM on September 3, 2018 [5 favorites]
I use 1Password in conjunction with iCloud Keychain, and I just want to say that once you get past that initial project of changing all your passwords, they make things super-easy for making sure every new service you sign up for will have a unique, hard-to-crack, and easily recalled password.
posted by ejs at 3:14 PM on September 3, 2018 [1 favorite]
Because you think they might have or are trying to get your social: Put a flag on your account with each of the three credit bureaus (Experian, TransUnion, and Equifax). This is a free service; it will require you to jump through extra hoops if you want to open a new credit account somewhere. It's worth it. Request your free credit report (AnnualCreditReport.com) while you're at it, to make sure no one has already opened an account in your name.
In addition to using a password manager, set up two factor authentication on every account that has it. It's not perfect, but it's one more step that can help protect you.
I don't know of any way to do this besides plowing through them, one by one.
posted by peanut_mcgillicuty at 3:39 PM on September 3, 2018 [3 favorites]
Yep, there's no easy way in general. I use LastPass and it's good for me. Depending on the browser you use, if you've used it to save logins you may be able to export the passwords and logins to some sort of file that can then be imported by LastPass (I assume also any of their competitors). In that case, the password manager can do a security check and can often automatically change passwords on major services.
Obviously your password manager password (i.e. the one you use to get into it) shouldn't be related to any of your existing stolen passwords or anything about you. I think the best choice here is a multi-word pass phrase, ideally one that conjures up a clear mental image; memorable but difficult for someone to guess. My pass phrase includes a geographic place name -- but not one I have ever lived or worked in -- and a piece of technical vocabulary -- but not one related to my profession -- as well as a dumb piece of slang I would never use, spelled incorrectly.
The ones you do have to change, prioritize -- money and identity (e.g. social media) first, then I'd do anyone you ever did a financial transaction with, particularly one involving shipping to your home address.
posted by Homeboy Trouble at 3:53 PM on September 3, 2018 [1 favorite]
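The master passphrase advice above is the one password in this whole exercise that has to live in your head, so it is worth seeing how much strength a word-based phrase actually carries. The script below is an added example, not something from the thread or from any password manager: instead of a hand-built phrase it draws words uniformly at random (the diceware technique), which is the variant whose strength can be counted, and it applies the commenter's rule of keeping out anything tied to you. `WORDS` is a constructed stand-in for a published list such as the EFF long list, which has 7776 entries; the `avoid` tuple is a hypothetical personal blocklist.

```python
"""Master passphrase for the password manager: random words from a list.

Added example, not from the thread. Words are drawn uniformly at random
(diceware style) so the strength can be counted; WORDS is a constructed
mini list standing in for a published 7776-word list.
"""
import math
import secrets

# Constructed mini list: far too short for real use, but enough to run.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier",
    "harbor", "ivory", "juniper", "kelp", "lantern", "marble", "nectar",
    "orchid", "pepper", "quartz", "river", "saddle", "tundra", "umber",
    "velvet", "walnut", "xenon", "yarrow", "zephyr", "brisk", "copper",
    "drift", "falcon", "grove", "hollow",
]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from a list of
    list_size candidates: log2(list_size ** n_words)."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float = 70) -> int:
    """Smallest word count that reaches target_bits for this list size."""
    return math.ceil(target_bits / math.log2(list_size))


def build_pool(words, avoid):
    """Drop words tied to you (hometown, employer, pets, profession) so the
    phrase never contains a guessable fact. Entropy is then counted against
    the smaller pool, which is the honest figure."""
    blocked = {a.lower() for a in avoid}
    return [w for w in words if w.lower() not in blocked]


def generate_passphrase(n_words=5, words=WORDS, avoid=(), sep=" "):
    """secrets.choice is a CSPRNG. random.choice is seeded predictably and
    must never be used for anything secret."""
    pool = build_pool(words, avoid)
    if len(pool) < 2:
        raise ValueError("word pool too small")
    return sep.join(secrets.choice(pool) for _ in range(n_words))


if __name__ == "__main__":
    avoid = ("river",)  # hypothetical: a word tied to where you grew up
    phrase = generate_passphrase(6, avoid=avoid)
    pool_size = len(build_pool(WORDS, avoid))
    print(phrase)
    print(f"{entropy_bits(pool_size, 6):.1f} bits from a {pool_size}-word pool")
    print(f"EFF long list: {words_needed(7776)} words for 70 bits")
```

Five words from a 7776-word list give about 64.6 bits; six give about 77.5, which is why six is the usual recommendation for a master password that protects everything else. Misspelling a word, as the commenter does, adds strength only if the attacker's dictionary does not already contain the misspelling, so count on the word draw, not on the spelling.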
Don't forget to change the password of any account that can be used to recover other accounts as well, like email accounts. Nthing to use a password manager and unique passwords on every website.
posted by Aleyn at 3:58 PM on September 3, 2018 [3 favorites]
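Several answers converge on the same procedure: export whatever the browser has saved, find the reused passwords, then change them in priority order (accounts that can recover other accounts and money first, then anywhere that ships to your home, then the rest). The script below turns that into a repeatable pass over an export file; it is an added example, not code from the thread or from any password manager. It assumes a CSV with the columns `name,url,username,password` (the layout Chrome's export and most managers' import use); the rows in `SAMPLE_EXPORT` are constructed, and the domain lists in `TIERS` are a hypothetical starter set you would extend with your own banks and shops.

```python
"""Triage a browser or password-manager export for reused passwords.

Added example, not from the thread. Assumes a CSV export with the columns
name,url,username,password. SAMPLE_EXPORT is constructed sample data and
TIERS is a hypothetical starter classification.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export. "summer2009" stands in for the old standby
# password that turned up in the breach notice.
SAMPLE_EXPORT = """name,url,username,password
Gmail,https://accounts.google.com/,me@example.com,correct-horse-battery
Chase,https://secure.chase.com/,me@example.com,summer2009
Netflix,https://www.netflix.com/login,me@example.com,summer2009
Uber,https://auth.uber.com/,me@example.com,summer2009
Amazon,https://www.amazon.com/ap/signin,me@example.com,Tr0ub4dor&3
MetaFilter,https://www.metafilter.com/login,me,summer2009
Some Forum,https://forum.example.org/,me,Tr0ub4dor&3
"""

# Priority tiers, highest first: accounts that can reset other accounts,
# then money, then anything that ships to your address, then everything
# else. Hypothetical starter list, matched by registered domain.
TIERS = [
    ("recovery", ("google.com", "apple.com", "microsoft.com", "yahoo.com")),
    ("financial", ("chase.com", "bankofamerica.com", "paypal.com")),
    ("shipping", ("amazon.com", "ebay.com", "uber.com")),
]
TIER_RANK = {"recovery": 0, "financial": 1, "shipping": 2, "other": 3}


def tier_of(url: str) -> str:
    """Classify a login URL by its host; unknown hosts fall into 'other'."""
    host = urlparse(url).hostname or ""
    for name, domains in TIERS:
        if any(host == d or host.endswith("." + d) for d in domains):
            return name
    return "other"


def load_export(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reuse_report(rows) -> dict:
    """Map each password used on more than one account to those accounts,
    in export order."""
    by_pw = defaultdict(list)
    for r in rows:
        by_pw[r["password"]].append(r["name"])
    return {pw: names for pw, names in by_pw.items() if len(names) > 1}


def remediation_order(rows, known_leaked=()) -> list:
    """Account names in the order to change them: anything on a leaked or
    reused password first (that is where attackers are already trying),
    then by tier, then by name so the list is stable."""
    reused = reuse_report(rows)

    def key(r):
        pw = r["password"]
        exposed = 0 if (pw in known_leaked or pw in reused) else 1
        return (exposed, TIER_RANK[tier_of(r["url"])], r["name"])

    return [r["name"] for r in sorted(rows, key=key)]


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for pw, names in reuse_report(rows).items():
        print(f"reused on {len(names)} accounts: {', '.join(names)}")
    print("change in this order:")
    for i, name in enumerate(remediation_order(rows, {"summer2009"}), 1):
        print(f"  {i}. {name}")
```

Run it against your real export, change the accounts top to bottom, and delete the export file when you are done; a plaintext CSV of every password is exactly the artifact you do not want lying in Downloads. Unique passwords on recovery accounts (Gmail here) land last only because nobody else holds them; they still deserve 2FA.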
Personally, I like the built-in iCloud keychain. YMMV.
posted by oceanjesse at 2:21 PM on September 3, 2018 [3 favorites]