Hacked! Now What?!

Skjold
edited December 1969 in Lounge
Hi,

I'm not sure if this is the correct spot to post this, but I'm writing to say that 1password saved me BIG TIME! I randomly plugged my email address into google yesterday and to my utter dismay the first thing that popped up was my main email address and one of the passwords I used to use quite a bit. It turns out it's part of a huge list of email addresses and passwords on some German forum for trading stolen credit card and financial information! I about soiled myself! Obviously some place I visited got hacked.

The only good thing is that about two years ago I bought 1password (when I first got an iPhone 3G), and, at that time, I decided to beef up the passwords on all my major accounts (email, banking, etc.). As a result, most of the important sites were safe. After seeing that last night, I went through everything using that password and changed them using very strong, unique passwords for every one of the sites. I will NEVER use the same password on two websites ever again! I hope to God nothing important ended up in those S.O.B's hands. The only thing I have noticed is that for nearly the past year that email address has been getting spammed like crazy!

Here is my question. What do I do from here?

I'm thinking my next steps will be:

1) Delete any accounts in my real name on all non-essential sites, and if they are places I want to continue subscribing (like forums), I will set up new accounts using a pseudonym and unique, strong passwords.

2) For the remaining essential sites that I need to keep in my real name, I will ensure that I have strong, unique passwords.

3) Cancel that Yahoo address ASAP. Does anyone know if it's possible to download my email off of Yahoo into a usable format? I'm on a Mac. I think I have a couple of gigs worth of email.

4) Send a link to that German site to the FBI's online fraud task force. I forget the name of the task force. Probably won't help, but it's worth reporting.

Also, since I plan to do some major password overhauling, I'm even more concerned than before about losing this info. My last computer died and I lost a lot of important stuff. Is it pretty easy to save a copy of all of my passwords on 1password into an encrypted file? I've never done this before. I'd like to store this info online somewhere, just in case.

Am I missing anything?

Man I feel violated.

Thanks to all, especially the 1password guys. I have to admit, I was wary of the price at first; now I realize it is invaluable software.

PS: You might want to put together a list of things that people like myself should do on your website. I bet there are lots of people that start looking into a product like this AFTER something like this happens. It would not only be a good service, but might help people realize how essential this type of product is.

Comments

  • macpug
    Community Member
    edited December 1969
    Hi Skjold. Welcome to the forums! Thanks so much for the kind comments...I'm really glad we were able to help.

    I'm really sorry this happened to you, but I'm also glad that you had already taken precautions to strengthen your security a while back and to use strong passwords when possible. I've had my account hacked in the past, and to a lesser extent recently, so I understand the utter panic that sets in.

    As for the things you've posted, all sound like reasonable steps to take.

    Regarding having a copy of your passwords backed up, we have a helpful document on our site that talks about backing up your data file. It tells you what files you should back up and where they're located. It also talks about remote backups. I keep an updated copy of my data on a flash drive as well. You can also print a hard copy of your data by viewing 1Password > File and selecting the print options at the bottom.

    Any suggestions from other forum members?
  • jpgoldberg
    1Password Alumni
    edited December 1969
    Skjold wrote:
    I'm not sure if this is the correct spot to post this,


    This is a fine place to post this, and as Cindy said, welcome to the forums Skjold.

    I'm writing to say that 1password saved me BIG TIME!


    I'm pleased to hear that, though of course not happy that at least one of your passwords has been compromised.

    I randomly plugged my email address into google yesterday and to my utter dismay the first thing that popped up was my main email address and one of the passwords I used to use quite a bit.


    Millions of usernames and passwords get stolen each year from low security sites. A bit more than a month ago, there was a breach at Skyrock.com, a big French social networking site, with possibly 37 million usernames and passwords stolen. More often, these breaches go undetected or unreported.

    I will NEVER use the same password on two websites ever again!


    That is probably the single most important lesson. Sites do get compromised, and if your passwords for more important sites are predictable from the ones you use on "low security" sites you are vulnerable. Passwords need to be unique and unpredictable.


    Here is my question. What do I do from here?

    I'm thinking my next steps will be:

    1) Delete any accounts in my real name on all non-essential sites, and if they are places I want to continue subscribing (like forums), I will set up new accounts using a pseudonym and unique, strong passwords.


    People have different opinions about the value of trying to keep usernames secret and/or pseudo-anonymous. My personal opinion is that it is fine for usernames to be public. But plenty of other people feel otherwise. So certainly there is no harm in changing your usernames on various sites, but don't expect too much security from that. Because usernames were never designed to be secret, they can become public in many different ways.


    2) For the remaining essential sites that I need to keep in my real name, I will ensure that I have strong, unique passwords.


    This is the important one. Yes make sure that you have good, unique passwords for each site. When I did this a few years back for all of my pre-1Password passwords, I sorted my list of Logins by password strength, so I could see which ones I needed to work on.

    In 1Password, go to View in the menubar and select View > Layout > Traditional. You should see a column that lists password strength. If not, you can add it in View > Columns. This makes it easy to identify which passwords need the most attention.


    3) Cancel that Yahoo address ASAP. Does anyone know if it's possible to download my email off of Yahoo into a usable format? I'm on a Mac. I think I have a couple of gigs worth of email.


    It appears that Mail.app can be used to read Yahoo Mail via the POP3 mail access protocol. Here is a link I found for configuring Outlook to do this, but that should work with Mail.app as well.

    This will allow you to fetch your mail in Mail.app and you can move the messages to some local folder. If you later set up an IMAP account on some other service, you can move the mail from your local folder in Mail.app to that IMAP server.

    Note that most webmail systems use HTTP (unencrypted) instead of HTTPS (encrypted) connections, so usernames and passwords are easy to capture in any Starbucks. Personally speaking, I use fastmail.fm for my email, but I understand that gmail has recently enabled HTTPS.


    4) Send a link to that German site to the FBI's online fraud task force. I forget the name of the task force. Probably won't help, but it's worth reporting.


    You are probably thinking of the Internet Crime Complaint Center.



    Also, since I plan to do some major password overhauling, I'm even more concerned than before about losing this info. My last computer died and I lost a lot of important stuff. Is it pretty easy to save a copy of all of my passwords on 1password into an encrypted file? I've never done this before. I'd like to store this info online somewhere, just in case.


    Cindy has already pointed you to some great advice about this. One thing that I'll add about my own practice is that I occasionally burn an unencrypted copy of all of this stuff (I export my 1Password data to 1Password Interchange Format) to a CD which goes into a safety deposit box at my bank.

    Am I missing anything?


    I don't think so. As you've noted and I've repeated, the most important thing is to have good, unique passwords for all sites. That is the essential bit; everything else is just icing on the cake.

    Man I feel violated.


    If it makes you feel any better, your use of 1Password has limited the damage, and this kind of thing is actually going on all the time. You were just alert enough to note that it had happened to you.

    Thanks to all, especially the 1password guys. I have to admit, I was wary of the price at first; now I realize it is invaluable software.


    I think that until people really use 1Password it is hard to imagine how much it does for them. One thing I noticed was that I have become more active on-line with 1Password. Before using it, signing up at yet another website was such a chore that I very rarely did it. Now I never even have to see the password that gets created, so instead of having just a few score logins, I can have hundreds. So having the protection that 1Password provides allows us to make fuller use of the web on a day to day basis. 1Password isn't just "insurance" against an attack; it makes life easier every time you log on to a site.


    PS: You might want to put together a list of things that people like myself should do on your website. I bet there are lots of people that start looking into a product like this AFTER something like this happens. It would not only be a good service, but might help people realize how essential this type of product is.


    This is a very good idea. I hope, at some point, to re-craft some of this discussion into a more permanent document.
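The two points jpgoldberg makes above (a password reused across sites is exposed by the weakest of them, and sorting logins by strength shows where to start) can be turned into a small audit. This is an added example, not code from the thread or from 1Password; it assumes a constructed list of logins in place of a real export, and the strength figure is a crude brute-force entropy estimate, not 1Password's own strength meter.

```python
import math
from collections import defaultdict

# Constructed sample data standing in for an exported login list. Not real credentials.
LOGINS = [
    ("bank.example",  "skjold", "Vq7!pL2#xR9mTz4&"),
    ("mail.example",  "skjold", "summer2009"),
    ("forum.example", "skjold", "summer2009"),
    ("shop.example",  "skjold", "Summer2010!"),   # a "variant" of the reused one
    ("news.example",  "skjold", "hunter2"),
]

def charset_size(pw):
    """Size of the smallest conventional alphabet that contains every character."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # printable ASCII symbols
    return size

def entropy_bits(pw):
    """Rough upper bound on guessing work: length * log2(alphabet size)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def stem(pw):
    """Predictability key: letters only, lowercased, so 'Summer2010!' and
    'summer2009' fall into the same reuse group. All-digit passwords keep
    their literal value so they are not lumped together."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    return letters or pw

def audit(logins):
    """Return (site, username, bits, shared_with) ordered by priority:
    passwords reused (or trivially varied) across the most sites first,
    then the weakest. Fixing the top rows removes the most exposure."""
    groups = defaultdict(list)
    for site, _user, pw in logins:
        groups[stem(pw)].append(site)
    rows = []
    for site, user, pw in logins:
        shared = [s for s in groups[stem(pw)] if s != site]
        rows.append((site, user, round(entropy_bits(pw), 1), shared))
    rows.sort(key=lambda r: (-len(r[3]), r[2]))
    return rows

if __name__ == "__main__":
    for site, user, bits, shared in audit(LOGINS):
        print(f"{site:14} {user:8} {bits:6} bits  shared with: {shared}")
```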
  • Skjold
    edited December 1969
    Thanks so much for the feedback. I feel a bit better now! It's a crazy world we live in these days though. My mother just found out her debit card number was stolen and crooks were able to run up about $500 before the bank shut the account down. With the global economy the way it is, I think it's just going to get worse and worse...

    By the way, do you guys use the firewall function on the Mac? I never felt the need, but now I'm not so sure.
  • jpgoldberg
    1Password Alumni
    edited December 1969
    Skjold wrote:
    Thanks so much for the feedback. I feel a bit better now! It's a crazy world we live in these days though.


    You are very welcome, Skjold.

    My mother just found out her debit card number was stolen and crooks were able to run up about $500 before the bank shut the account down.


    Oh dear. How much of that cost is her loss and how much will the bank cover? If the bank doesn't cover most of it, I would suggest that she moves to a different bank.

    I should also point out that the vast majority of credit/debit card number thefts don't come from online activity, but instead are stolen from the merchants directly. The on-line component is with the use and resale of the stolen numbers.

    With the global economy the way it is, I think it's just going to get worse and worse.


    Much to the surprise of many sociologists, the crime rate has not spiked during the current recession. But something has changed over the past 15 years regarding computer crime. In the "old" days, we had this image of a lone hacker breaking into systems for the fun of it. What we have now is organized crime.

    By the way, do you guys use the firewall function on the Mac? I never felt the need, but now I'm not so sure.


    For a typical household set-up the bulk of the firewalling is done by your router. The standard, out-of-the-box configuration for routers means that the only incoming connections that will be passed through are those that are "answers" to outbound requests from your systems. But in addition to that, I also turn on the firewall in System Preferences > Security > Firewall. One thing to keep in mind is that if you do wifi syncing between 1Password on your Mac and 1Password on iOS devices, you will need to make sure that 1Password has permission to accept incoming connections.

    The more complicated and diverse your home network, the more useful it is to turn on the firewalls on individual machines. For example, when one of my daughter's friends brings over his Windows laptop and connects it to our network, malware on that tries to spread in my home network.

    I hope that this is of some help. I wish you and your mother the best with overcoming these various incidents.