IT-wise:
* before any of the below, seriously consider how compromised your pc could be already. Is your ex- IT savvy enough to have installed malicious software (keyloggers, etc) on your pc? You could consider getting a new pc if possible for you.
* starting with the most critical accounts, change all your passwords. Make sure that they are very strong. I use the free service of Bitwarden to generate and store all my passwords.
* where possible, activate 2-factor / multi-factor authentication. Since this will, most likely, be via your mobile phone, activate (or change) your authentication to your phone screen.
* once you change your passwords make sure to log out of the webpages and, if needed, like in Netflix, use the "log out everywhere" function usually found under "settings" or "security"
* if you have stored your passwords in your browser make sure to erase them. Afterwards, do not let the browser store the password for you.
* activate (or change) the authentication method to your pc (if you use one)
* if you have used "share my location" remember to turn it off, also consider this if you have a "find my phone" option
posted by alchemist at 10:31 PM on June 19, 2021 [10 favorites]

Hi. These answers are going to suck, and I'm so sorry, but ultimately they'll help:

Depending on how deeply to the.. root, this situation bothers you, you may have to switch up a lot* of information.

Basics: eff.org (an analogy for this is icing on a very thick cake, it's a great primer)

If you lived with this person, ditch your equipment by wiping it and reselling. If this personal had physical access, it's likely no longer useable (for your* uses). Sorry! Thankfully for resale, the person's interests are probably you,* not random other users.

I understand a lot of people will reflexively say, "well this person wouldn't.." or immediately refer to benefit of the doubt: actually, they probably would. Unfortunately many people are jerks. Many people are also good natured. Consider all situations. It's technology, so hopefully you can troubleshoot.

Btw, work is a great substitute, if you'd like something independent and secure, PO boxes aren't crazy unaffordable ($40/3mos, depending on the city).

Switch up all necessities mentioned above (accounts/etc).

Contact a skilled IT technician, pronto. Explain the situation without making them double as a therapist, if possible. Be certain to mention what this person did and didn't have access to.

Don't hesitate about considering the situation very critically, troubleshooting or brainstorming all possible means of compromise/entry/connectivity. You're a pen-tester now. (I'm so sorry) Remember pen-testing is not limited to technical concerns but can be navigated socially (not ideal, but it's sometimes a fast way to notice compromise)

I'm so sorry, this is exceedingly common and truly a bummer, but you caught it!
posted by firstdaffodils at 10:56 PM on June 19, 2021 [7 favorites]

coming back to add:
* for websites that use "security questions" to recover account information, please change the questions and answers you have previously chosen if the information is known by your ex-. Realise that the answer to any specific security question does not even need to be related to the question itself, it is just a memory trigger for the correct information. For example, "Q: name of your elementary school?" could very well be answered by the title of your favorite movie.
posted by alchemist at 11:21 PM on June 19, 2021 [15 favorites]

Can you change your passwords from a friend's computer? Safest assumption is he's got a keylogger on yours. :-/
posted by away for regrooving at 12:01 AM on June 20, 2021 [4 favorites]

For tech stuff, any chance you have a techy friend who can come over and help you? If you don't want to/can't replace your computer/phone/etc., you should at least wipe them clean and reinstall the OS on all of them. Which isn't hard (just a pain), but it's definitely easier if you're familiar with the process.

Do change your passwords on everything, and make sure you don't use the same password on different sites. (Also make sure you won't forget these new passwords, and consider using a password manager.) For email and any other service with similar options, go through the settings and make sure it isn't set up to, for example, forward a copy of your email to their address or anything like that.

Don't post pictures or status posts online, and probably let your friends and anyone else your ex might ask know that they need to not talk with them.
posted by trig at 12:12 AM on June 20, 2021 [2 favorites]

In addition to all of the above, think about all of the social media and public-facing accounts of yours that they know about. You'll want to not only change your passwords on them, but also seriously consider whether you want to change them entirely. My ex stalked me via social media for a long time and it caused me a significant amount of anxiety, even though I knew they didn't have my passwords or anything. I knew they were being set off by even innocuous things I did and that perpetuated the same toxic dynamics that were there in our relationship, where I walked on eggshells for fear of their response (e.g., smearing me to other people, committing fraud against me, etc).

Ultimately I had to lock them out of the social media accounts I wasn't willing to give up (not just block, because you can get around blocks, and I could tell they were doing so, but actually lock the accounts). I also abandoned a few and started new ones - which is the case for this Metafilter account. It was all unfortunate, but turned out to be a price that was well worth paying because I feel so much freer now.
posted by sir jective at 12:42 AM on June 20, 2021 [9 favorites]

One thing to consider with email accounts in particular is whether you're vulnerable to a password-recovery attack. If your ex ever had access to any of your email accounts, or you suspect that they are currently able to access them, they could use information about emails received or the accounts themselves to potentially gain/regain control of the account. It may be advisable to create a new email account on a trusted device, enable multi-factor authentication on that account, and switch important accounts to use that email address. (You should still absolutely change the password and enable multi-factor auth on the existing account as well, since it will take time to update things and you'll still receive email to the old account in the meantime.)

This kind of attack has gotten somewhat harder to do these days as companies have gotten more savvy to it, but I wouldn't rule it out.
posted by Aleyn at 1:25 AM on June 20, 2021 [1 favorite]

I'd make sure to secure your phone first, maybe even get a new one so that anything using text authentication is safe and as a bonus you can use it as a wifi hot spot because I would absolutely not use the wifi they control.
posted by oneear at 1:34 AM on June 20, 2021 [4 favorites]

One thing you might appreciate about a password manager like LastPass is that it eases the process of changing all of your passwords. Specifically it helps you keep track of which ones are duplicates.
posted by johngoren at 1:38 AM on June 20, 2021

Depending on the level of threat, you *may* want to consider some or all of the following:

* change your bank altogether (so ex can't use "I need to see my partner's account")

* close ALL of your old accounts and start new ones, Amazon, Walmart, Safeway / Aldi / Costco, etc. If they press you for a reason, say you are afraid of identity compromised / theft. Even "club cards" and "rewards cards". Anything associated with your old phone number, address, need to go.

* get rid of all electronics (buy new ones, sell or give away old ones) as many have already suggested. Mobile phones, tablets, laptops, PCs, can all have "location tracing".

* do the same with all your online footprint... close your old accounts and register new ones. And if allowed, display a pseudonym instead of your real name

* open a PO Box and use that for your mail, instead of your physical address. Some PO Boxes may even offer "scan and shred" service (where they scan the original, email you the scan, and shred the original) so you never have to show up physically, even if they found the actual office the POBox is located.

* Google your original name and/or username and see what sort of footprint you left behind, and try to negate it. Close the account if you don't need it.

* New devices should use something like Yubikey for authentication in addition to password / fingerprint / pin if possible. As many suggested, Lastpass or similar password managers can simplify your life and let you use a different password per site. Lastpass works well with authentication methods such as Yubikey and/or OTC authenticators such as Google Authenticator or Authy (with ever changing codes).

* Consider getting your credit "frozen" for a period so nobody (including you) can open new credit account in your name. Link. or if you really need it, put as fraud alert on your own credit report (which lasts 1 year)

* And one last thing: learn what tracers like Apple AirTag and Tile beacons look like... And make sure none were added to your belongings. A Tile tracker dropped into a stuffed purse can go unnoticed...
posted by kschang at 2:02 AM on June 20, 2021 [11 favorites]

One extra thing: if you do get a new phone, let the company turn on "port validation", which makes sure that nobody can hijack your phone by going to a different provider and claim you're moving providers and steal your phone number (and thus, all of your phone service including authentication SMS messages and so on).

This is known as a port-out scam, and can be devastating if you receive all your authentication via SMS.

Link
posted by kschang at 2:10 AM on June 20, 2021 [5 favorites]

If you live in the US, you can get a daily image scan and summary of your arriving mail. This can help you see if anything has gone missing.

Also if you use social media, please let your friends know how off the grid you want to be. Your stuff may be secure but if they are posting images of you/tagging you…
posted by raccoon409 at 3:41 AM on June 20, 2021 [6 favorites]

(Reminder:The OP didn't say in the post whether their ex is a man or a woman.)

OnlineSOS is a US nonprofit that develops guides, how-tos, and content to support journalists who are facing online harassment. But at least 99% of this material applies to anyone, like you, whose privacy is currently at risk because of someone else's actions.

You sound overwhelmed, because you're in an overwhelming, confusing, and traumatizing situation, and it's hard to know what to do next. What OnlineSOS offers that I think might help you are their Action Plans, which [words in brackets added by me]

combine two types of checklists, as described by Dr. Atul Gawande in The Checklist Manifesto: one that provides very clear steps and another that allows for flexibility and choice. Combined, journalists [and anyone else] facing online harassment can see a clear path to action while accounting for their personal case.

Here are the Action Plans for the following situations and/or concerns. Each link takes you to a web page that is downloadable as a PDF:

WHAT TYPE OF HARASSMENT YOU'RE FACING:

Doxxing. Online sexual harassment. Online threats of violence. Distribution of intimate images. Distribution of false information.

WHAT YOU WANT TO PROTECT:

Digital Security. Two-Factor Authentication. Proper Documentation. Communicating With Your Boss and Colleagues. Your Emotional Health. Threat Modeling (adapted from the Electronic Frontier Foundation's Surveillance Self-Defense Guide).

Finally, there is the Account Safety Cheat Sheet.

Again, it's targeted at journalists. But it's of use to any adult who has lived a years-long digital life and who needs to start securing their digital footprint.

Here is the link to the Account Safety Cheat, along with a couple of other questions to think about while you're looking it over.
posted by virago at 4:29 AM on June 20, 2021 [8 favorites]

Addendum:

If you choose an it tech, highly suggest approaching a brand new person/tech you've never met before.

No friend references, work acquaintances (even if you think they're nice or mature- you can never know, and you don't want crossover), just a new human being: no one who knows of the person, who will completely listen to you,* in reference to your* situation.


This is gross and it sucks. I truly hope the situation heals itself for you.
posted by firstdaffodils at 5:51 AM on June 20, 2021 [3 favorites]

I'm sorry this sucks.
One more thing to check: If you use email services like gmail/yahoo, make sure there isn't a rule that forwards all received messages to another email.
posted by Arthur Dent at 7:08 AM on June 20, 2021 [2 favorites]

Pay to have a computer service back up your data, wipe the computer and reinstall Windows and apps.
Back up your phone, wipe and reinstall.


Do not be abusive in return, but if you do have access, I'd consider going in to his computer and looking for any pictures you might not want made public. If you have a tech-competent pal to help, that would be good.
posted by theora55 at 7:20 AM on June 20, 2021

While the advice above isn't wrong, it's also important to match your response to what your believe is a realistic threat. Guessing your passwords or having a logged-in browser instance that you've used in the past on one of their machines is pretty likely. Putting a software logger on someone's computer or phone isn't too hard. Putting a hardware keylogger that can be accessed remotely in a laptop is the job of a full-time spy or a very passionate hacker, not something a typical asshole can pull off the night they find out about a breakup. Getting rid of hardware is fine if it makes your feel safer, but unless you know for a fact your ex is really into security-related hacking or does such work for a living, it strikes me as a bit excessive.

Make backups of everything to an offline portable harddrive. Consider a computer operating system reinstall. Check that your phone isn't rooted/jailbroken (unless you expect it to be) and that it doesn't have installed software you don't recognize. (Or, make backups of data and reset to factory defaults.) Change every password. Change every security question answer. Change every pin number. If you're in the US, initiate a credit bureau fraud alert.

The thing that I failed to do when I was stalked (fortunately without any real fear of physical harm), was alert my friends, family, and co-workers that they might get strange phone calls and messages from my ex. I'd recommend not going into any detail, but saying something like, "if this person calls you, assume that they are lying and trying to hurt me. Please don't tell them anything about me," would have been useful for me. Sympathy and best wishes.
posted by eotvos at 7:35 AM on June 20, 2021 [4 favorites]

Edit last, "ditching hardware:" sometimes people passionate with tech do things a little more culturally common than many are cued to believe.

Could depend on the city of occupation: It's better to take precautions than find out the hard way, later.
posted by firstdaffodils at 11:06 AM on June 20, 2021 [2 favorites]

I recently went to connect with a new coworker on LinkedIn and noticed that they had their company name as "undisclosed," which I thought was odd but wasn't sure why. Then they Slacked me to tell me that they don't connect with current coworkers on LinkedIn. I put two and two together and assume that they had had some stalking or other privacy issue, so don't want to let that person know where they work. So it might be a good idea to follow that type of protocol on LinkedIn so they don't come to your work.
posted by radioamy at 11:18 AM on June 20, 2021 [5 favorites]

If you choose an it tech, highly suggest approaching a brand new person/tech you've never met before.

And - if you are using a new email/telephone number - only contact them from the new number/name intially, not from a potentially compromised existing email account.
posted by rozcakj at 9:50 AM on June 21, 2021 [1 favorite]

This thread is closed to new comments.