Have You Been Pwned? Probably Yes, So Here’s What You Do

What do hackers know about you (and your small business)? Here’s how to find out what they know and protect yourself (and your business) moving forward.

Cybersecurity starts with understanding what hackers already know about you

Obviously, changing your password on a site that has been breached goes a long way toward safeguarding your account . . . on that site. But consider this: hackers aggregate their breach data, and every bit of data from each breach (even just a username and a password you have since changed) helps them build a more complete profile of you. All of this information, when aggregated, is your digital footprint.

Like a mosaic–in which separate, individual tiles have little value but in the aggregate form a complete picture–individual bits of data may have limited value, but taken together pose a very real threat to your cybersecurity. And when that data is breached from online accounts and corporate databases and made available to bad actors (hackers) . . . you’ve been pwned.

How Did You Get Pwned?

For everyone without a video gamer in the household, “pwned” means “owned,” meaning soundly beaten. Thumped. Thrashed. In this sense, if your login credentials or sensitive information (like social security number, work history, date of birth, etc.) has been breached and now resides on the dark web, accessible to hackers and other bad actors, you have indeed been pwned.

It’s not exactly daily affirmation material, but if you want to say it out loud, it’s pronounced “poned.” If you’re feeling more like keening like a banshee to mark the death of your privacy, it could reasonably be drawn out to “pooooned!” Either way, it’s not good.

The Pwning Problem

Most folks understand why getting sensitive data like their social security number put up on the dark web opens up issues of identity theft and fraud. But, while obviously very important, your social security number is not the only piece of data you need to worry about.

Because many people use the same password across accounts, hackers can take a password leaked from one site and try it on the other online accounts you might have. It's called credential stuffing: replaying a stolen username/password combination on other sites. It's incredibly effective because it's automated. Stuffing tools test your password (and variations of it, say "p@ssword") against thousands of websites in mere minutes, so each extra account they break into costs them almost nothing, while the payoff grows with every site where the password works.

If you think you are too small a target for a hacker to sit around typing your username and password into sites until they get a hit, you're probably right. But you're not too small a target to be one row in a large breach database that they feed into automated tooling that does all the work for them.

And that’s where your problem begins. Depending on the site, hackers can access extremely sensitive information, such as your credit card information, work history, or social security number, which could lead to identity theft.
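Credential stuffing leaves a recognizable trace in a site's own login logs, and that trace is also what a small business running its own web app can look for. The following is an added example, not code from the original post: a short Python detector run over a few constructed log lines (the log format and the IP addresses are assumptions for the demo). It flags a source address that tries many distinct usernames with almost all of them failing, and lists the accounts that did succeed, which are the ones to reset first.

```python
"""Detecting credential stuffing in authentication logs.

Added example, not code from the original post. The log format below
(timestamp, source IP, "login", user=..., result=...) and the sample lines
are constructed for this demo; adapt parse_line() to your own server's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 replays a breached credential list
# (many distinct usernames, almost all failing, one hit), 198.51.100.22 is a
# real user mistyping once, 198.51.100.9 is a single-account guessing attempt.
SAMPLE_LOG = """\
2019-09-10T08:00:01Z 203.0.113.7 login user=alice result=FAIL
2019-09-10T08:00:01Z 203.0.113.7 login user=bob result=FAIL
2019-09-10T08:00:02Z 203.0.113.7 login user=carol result=OK
2019-09-10T08:00:02Z 203.0.113.7 login user=dave result=FAIL
2019-09-10T08:00:03Z 203.0.113.7 login user=erin result=FAIL
2019-09-10T08:00:03Z 203.0.113.7 login user=frank result=FAIL
2019-09-10T08:00:04Z 203.0.113.7 login user=grace result=FAIL
2019-09-10T08:00:04Z 203.0.113.7 login user=heidi result=FAIL
2019-09-10T08:01:10Z 198.51.100.22 login user=alice result=FAIL
2019-09-10T08:01:25Z 198.51.100.22 login user=alice result=OK
2019-09-10T08:02:00Z 198.51.100.9 login user=dave result=FAIL
2019-09-10T08:02:05Z 198.51.100.9 login user=dave result=FAIL
2019-09-10T08:02:09Z 198.51.100.9 login user=dave result=OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line into a LoginEvent."""
    ts_s, ip, _action, user_kv, result_kv = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    user = user_kv.split("=", 1)[1]
    ok = result_kv.split("=", 1)[1] == "OK"
    return LoginEvent(ts, ip, user, ok)


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Flag a source IP when, inside `window`, it attempts at least
    `min_users` distinct usernames and nearly all of those attempts fail.

    That shape (many accounts, a few successes) is the stuffing signature;
    a single account with repeated failures is brute force and is not flagged.
    Returns {ip: stats} for the largest offending window seen per IP.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                stats = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 3),
                    # accounts the attacker actually got into: reset these first
                    "compromised": sorted({e.user for e in win if e.ok}),
                }
                if ip not in alerts or stats["attempts"] > alerts[ip]["attempts"]:
                    alerts[ip] = stats
    return alerts


def analyze(log_text: str) -> dict:
    """Parse a whole log text and return the stuffing alerts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return detect_stuffing(events)


if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG).items():
        print(ip, stats)
```

A single account failing repeatedly from one address is ordinary brute force and is left alone here; the distinguishing feature of stuffing is breadth across accounts, not depth on one. The window and thresholds are starting points to tune against your own traffic, and the `compromised` list is the actionable output: those accounts need a forced reset and a look at what was done while the attacker was logged in.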

The “Not Me” Fallacy

It’s no surprise that many people believe their information is secure with the companies they trust, but companies get breached, and not every breach is disclosed. [Monster.com says a third party exposed user data but didn’t tell anyone via TechCrunch] And even assuming all sites report their breaches, your information could still be on sites you’re unaware of.

Ever heard of popular data conglomerate Verifications.io? Well, they’ve likely heard of you and 2 billion more of us, and they have our data, as do hackers now that Verifications.io has been breached. As CEO of nCipher Security, Cindy Provin, summed it up for Digital Journal:

“A leak of 763 million* records is massive. Not only were emails publicly accessible for anyone with an internet connection, but phone numbers, birth dates, mortgage amounts, interest rates and social media accounts were also exposed.”

*It’s now known it was 2 billion records. Either way, big.

[Why is your mobile number getting hacked a big deal? When 2FA Isn’t Enough: The High Profile Cybersecurity Threat Targeting Business Owners & Investors]

Small Business Vulnerabilities

Small businesses of all types–freelancers, lean startups, consultants, etc.–have become lucrative cyber targets for hackers, fraudsters, and bad actors since mid-size and large businesses began getting their cybersecurity act together a few years ago. And yet, too often I hear, “I’m too small to be of interest to a hacker.” It’s simply not true.

Phishing and business email compromise (BEC) account for a lot of the fraud perpetrated against small businesses, and they get a lot of press. But it’s worth remembering that many small business owners use tools meant for home use, and reuse passwords across them, leaving their data vulnerable. A breach of a personal fitness account that exposes a reused password can hand an attacker the business owner’s cloud storage or bookkeeping app, where s/he stores customer and client data.

What Do Hackers Already Know about You ?

Now are you convinced that this is A Thing? Want to know not if but what data of yours has been breached? Pour yourself a stiff drink (especially if you think you won’t need to) and sit down, then visit ‘;--have i been pwned? (it’s safe; it’s the go-to site for this sort of information on the Clearnet).

Enter your email address and the site, also referred to as HIBP, lists the data breaches in which that address appeared, meaning your data is floating around the dark side of cyberspace. You may already know of some of the breaches, like the breach of consumers’ sensitive personal and financial data at the credit reporting giant Equifax. Other breaches may have happened without your knowledge of your data’s involvement, like Verifications.io.

It may be a bit of a shock to see all the accounts from which your data has been breached, but denying the problem does not make it go away. After you’ve taken it all in, be proactive in protecting your cybersecurity moving forward.

[Want tools for staying cybersecure online? Freelancer’s Guide to Cybersecurity]

How You Can Protect Yourself

You can’t unring a bell–the information about you that has been hacked is out there and persistent. What you can do is safeguard your privacy moving forward and limit your digital footprint. These 5 easy steps will get you started.

    1. If you haven’t already, change your password on each of the breached accounts. Practice good password hygiene: a different password for every site; each at least 8 characters long, and longer is better (length protects you more than a forced mix of digits, special characters, and upper and lowercase letters, which is why current NIST guidance, SP 800-63B, no longer recommends composition rules or scheduled password changes); never a password that already appears in breach data; and a change whenever a site you use is breached, not on a calendar. A password manager makes all of this painless.
    2. Change the credentials for every site on which you used that credential (username + password) or a version of it (different username but same password, or same username with a similar password). Ideally, refresh your passwords on all your online accounts using the guidelines in #1, and turn on two-factor authentication wherever it’s offered, so a stolen password alone isn’t enough to get in.
    3. Close accounts you don’t use. Read more about the threat from zombie accounts.
    4. Note what other data has been stolen, then decide to limit the data set you will willingly share with rando sites and Facebook “quizzes” moving forward. Your date of birth, your first pet’s name, the city in which you met your spouse—just stop! Those are common security questions for online accounts, so keep these things, as much as possible, private.
    5. Sign up for data breach alerts. HIBP’s own “Notify me” option emails you when your address turns up in a new breach, and Mozilla Firefox Monitor (which is built on HIBP) will do the same.
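The HIBP check above and step 1 both come down to the same question: is a given password already sitting in breach data? HIBP’s Pwned Passwords service answers it without you ever sending the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and matches the rest locally against the list that comes back (k-anonymity). Here is that check as an added example in Python, not the post’s or HIBP’s own code; the endpoint URL, the “Add-Padding” header and the response format are the documented ones, while the response body embedded in the block is constructed for an offline run and its counts are illustrative, not real HIBP figures.

```python
"""Checking a password against Pwned Passwords with k-anonymity.

Added example, not code from the original post. Facts assumed: HIBP's range
endpoint is https://api.pwnedpasswords.com/range/<first 5 hex chars of the
uppercase SHA-1>, and each response line is "<remaining 35 hex chars>:<count>".
Only the 5-character prefix leaves your machine; the match is done locally.
The response body below is constructed for the offline demo (counts are
illustrative, not real HIBP figures).
"""
import hashlib
import urllib.request

# Constructed range response for prefix 5BAA6 (SHA-1("password") starts 5BAA6).
# A 0 count is what padding entries look like when Add-Padding is requested,
# so a 0 must be read as "not seen", never as a hit.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
"""


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Map hash suffix -> breach count from a range response body."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times `password` appears in the corpus (0 = not seen).
    `fetch_range(prefix)` returns the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_problems(password: str, fetch_range) -> list:
    """Step 1 of the post as a check: long enough and not in a known breach."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    n = pwned_count(password, fetch_range)
    if n:
        problems.append(f"seen {n} times in breach data")
    return problems


def fetch_range_live(prefix: str) -> str:
    """Real lookup (network). Add-Padding asks HIBP to pad the response so
    its size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_live using the constructed body above."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-for-one-site"):
        print(repr(pw), password_problems(pw, fetch_range_offline) or "ok")
```

Swap `fetch_range_offline` for `fetch_range_live` to query HIBP for real. The design point is in `pwned_count`: the network call sees a five-character prefix shared by hundreds of hashes, so the service learns neither the password nor its full hash, and the comparison against the suffix happens on your side. Never send a plaintext password, or its full hash, to any breach-lookup service that asks for one.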

Go out. Live life. Be safe.

Updated 10 September 2019, 24 September 2019
