2010-08-09

Someone stole your password on facebook or your email account? What to do about it -- and why it's worse than you think

Every couple of weeks I get emails or facebook messages "from friends" that are spam, and that the friend clearly did not intend to send.  It is obvious that the password on the friend's email account or facebook account got stolen.  This is potentially a lot more serious than it seems -- it can make old-school identity theft look like child's play: if somebody steals your email password they have everything about you.  They can not only trawl through all your email to gather information about your life for impersonating you, blackmailing you or other nefarious purposes, but they can also send password reset requests to any other website you have registered with, and steal your passwords on all those sites too.

For this reason, your email password is gold, and you should protect it more than any other password: it should be harder to guess than other passwords, longer, not based on dictionary words etc., and you shouldn't use your email account password on any other website!  Why?  Because when you register on another site XYZ.com with your email address and a password, and you use your email account password on XYZ.com too, then if that website's owners are evil, or if somebody hacks their site, they have both your email address and your email account password.

There are three main ways people steal your email passwords:

(1) Dictionary attack. In one job I worked at, I had access to a database of thousands of user login credentials, and more than 60% of the passwords were just a first name!  Scammers/spammers just go through a dictionary and submit every word in it to a website as the password, with common or publicly-visible usernames, until they get in.  This is becoming less common because of security precautions like having to type in a Captcha when you get the password wrong, but still -- if you have a simple name or word as your password, fix it!  Use letters, numbers, upper and lowercase, and punctuation.  Make it at least 8 characters long.  Write down passwords somewhere secure and memorize your main email account password.

(2) Keylogging.  This is becoming the most common method for stealing passwords today: most viruses that infect your computer will install a keylogger that sends every keystroke you type -- login names, passwords, credit card numbers, love letters -- to a computer in China or Russia.  And a substantial number of computers you have probably used in the last few years have had one of these viruses on them.  No I'm not kidding.  See below for how to clean up your computer if it's infected, and general guidelines of how to avoid this issue.

(3) You used your email account password on other sites too, and those sites were either malicious or got hacked. It was recently revealed that around 75% of people reuse their email password on social networking sites like Facebook.  Don't ever, ever use your email account password to register anywhere else.
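As an added example (not part of the original post), here is a small Python checker that applies the rules from point (1), at least 8 characters with upper and lowercase letters, digits and punctuation, and not just a first name or dictionary word, plus the no-reuse rule from point (3). The word list is a constructed stand-in for a real list of first names and dictionary words.

```python
import string

# Constructed stand-in: a real check would load a large list of first names and dictionary words.
COMMON_WORDS = {"james", "mary", "john", "linda", "michael", "password", "welcome", "letmein"}


def password_problems(password, wordlist=COMMON_WORDS):
    """Return the list of rules from point (1) that this password violates (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # A dictionary attack tries the bare word, so "James1!" is still just a first name with
    # decoration: strip digits and punctuation from the ends before looking the word up.
    core = password.strip(string.digits + string.punctuation).lower()
    if core in wordlist:
        problems.append("based on a common first name or dictionary word")
    return problems


def email_password_reused(email_password, other_site_passwords):
    """Rule from point (3): list the sites whose password is the same as the email password."""
    return sorted(site for site, pw in other_site_passwords.items() if pw == email_password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("mary", "James1!", "Tr4il-h3ad!Z"):
        print(candidate, "->", password_problems(candidate) or "OK")
    print(email_password_reused("S3cret!Mail", {"xyz.com": "S3cret!Mail", "car-forum": "throwaway1"}))
```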

Q: My password got stolen.  What do I do?

Step 1: If you can log into your email account and the spammers literally just started sending out messages from it, log in immediately and change the password.  You might have to change the password again later, because your computer may still be infected with a keylogger (see point (2) above) and they might be able to watch you change your password.  But change it now to halt them in their tracks.  If you can't log into your email account because they changed your password on you (it does happen), then try sending a password reset request, if your account is connected with another email account that you can access, or contact your email provider (or facebook, if it's your facebook account) to notify them of the problem.

Step 2: Assess the damage.  Look in your Sent folder to see what they sent and to whom.  Send out a "Sorry -- don't click on this link, I didn't send it" message or something -- lots of the links sent out by spammers go to sites that try to infect more people's computers with viruses.

Step 3: Get all the critical updates for your computer and update your antivirus software.  Follow all the steps in my other blog post about speeding up your computer.  Following those steps will not only speed up your computer but should guarantee that any viruses on your computer are killed and that you are safe from viruses in the future.  In the end you should (a) have all the critical Microsoft updates on your computer, (b) have replaced your antivirus software (Norton/Symantec/McAfee/Kaspersky/ClamAV/etc.) with Microsoft Security Essentials (it's a lot better at catching viruses than the others, and it's free forever, so you don't have to pay to stay up to date and keep catching the latest viruses), and (c) have Google Chrome installed as your browser and never use Internet Explorer again: it is one of the biggest reasons computers get infected with viruses, because it is so insecure.

Step 4: With your new bulletproof computer, go to any other site that you used the same password on as the email password that was stolen, and change your passwords there too.  Then probably go back and change your main email account password again, just in case you had a keylogger on your computer that got eliminated in Step 3.  Here's a general strategy for selecting passwords:
  • Password Level 1: Have a throwaway, "don't care" password that you can use for all those sites that ask you to register that you wouldn't mind someone stealing your password for -- like when you have to register on a bulletin board to ask a question about your car, and you never plan to go back there again.  Reuse this password on other sites only when you don't care if somebody who has access to one of those sites with a stolen password has access to all of them -- because if your account gets hacked on that site, it can get hacked on other sites too.
  • Password Level 2: Have a second level of password that you use for sites that you do care about somebody breaking into -- for example any e-commerce site like Amazon.com that saves your credit card details.  Use a different password for each site that stores credit card details!  Remember that sites that save credit card details are especially targeted by hackers/crackers.  Ways of generating unique passwords for these sites include just writing each password down, coming up with a tricky way of taking a base password and combining some letters from the domain name of the site into the password to make a non-predictable unique password for each site, or using something like LastPass to generate and save the passwords for you.
  • Password Level 3: You should have a more secure password for your bank and your bank only.  Each bank should have its own password.  You should also request extra authentication methods from your bank if it is available -- e.g. PayPal has a keyfob that generates a pseudo-random number when you push a button (a new number every minute) that you have to type in right after your password.  This verifies you have the physical device, and protects you from password attacks.
  • Password Level 4: Your main email account password on gmail, yahoo, hotmail etc.  This must be secure, unique, and unguessable.  Note that I put the security requirements for this password even higher than the requirements for your bank password.  Don't underestimate what somebody can do with your email account password.
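The "base password plus something from the domain" idea from Password Level 2, as an added example that is not the post's own recipe and goes one step further: instead of splicing letters from the domain into the base password, it keys a hash with the base password, so the per-site result is unpredictable even to someone who knows the scheme and has one of the derived passwords. The base secret and domains below are constructed sample values.

```python
import hashlib
import hmac
import string

PUNCT = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + PUNCT
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, PUNCT)


def site_password(base_secret, domain, length=16):
    """Derive a per-site password from one memorised base secret and the site's domain.

    The domain is public, so the mixing step must be one-way: with HMAC-SHA256 keyed by the
    base secret, a password leaked from one site reveals nothing about the others, which a
    scheme that just splices domain letters into the base password cannot promise.
    """
    if not 5 <= length <= 32:
        raise ValueError("length must be between 5 and 32 for this single-digest version")
    digest = hmac.new(base_secret.encode(), domain.lower().encode(), hashlib.sha256).digest()
    # Map each digest byte to a character (256 % 74 != 0, so the mapping is slightly biased;
    # acceptable for a demonstration, a real tool would use rejection sampling).
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[:length]]
    # Guarantee every class the post asks for. Presence is checked only in chars[4:] and
    # repairs are written only to chars[0:4], so a repair never removes another class's only char.
    for i, cls in enumerate(CLASSES):
        if not any(c in cls for c in chars[4:]):
            chars[i] = cls[digest[-1 - i] % len(cls)]
    return "".join(chars)


def has_all_classes(password):
    """True when the password contains a character from every class in CLASSES."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for site in ("amazon.com", "ebay.com"):
        print(site, site_password("correct horse battery staple", site))
```

The base secret still has to be strong: if one derived password leaks, the only protection for the other sites is that the secret cannot be guessed offline.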

Step 5: In future, don't log into your main email account on any computer that is *not* running Microsoft Security Essentials, and don't ever use Internet Explorer to do it -- no matter how badly you need the Internet.  I never, under any circumstances, ever log into my email account on a Windows computer that is not my own (but I'm more paranoid than most, I just deal with the fallout all the time when people come to me to fix their virus-ridden computers, and I know that most people have not followed the steps above for guaranteeing their computers are virus-free).  Getting a cellphone that you can read your email on helps with this: it lets you check email and reply even when you're away from the safety haven of your own computer.  In particular, avoid Internet cafes, especially while traveling -- a large majority of computers in Internet cafes are infected with some sort of spyware that will send your passwords and credit card numbers who-knows-where.

Good luck :-)

4 comments:

1. Scary ... everyone must be made aware of how vulnerable passwords are ... and how easily security can be breached.

   I like your posts Luke ... as always - impressed !! :)
2. I like this statement the most: "and don't ever use Internet Explorer to do it -- no matter how badly you need the Internet"

   Although I am a Microsoft guy, I totally agree that IE is really bad.
   I prefer Google Chrome :D
3. My best friend's facebook account has been stolen...
   The hackers changed the e-mail address on the facebook account, and facebook hadn't sent a message to the previous e-mail address to warn the user that the e-mail address of his/her facebook account had changed...
   Is there a possibility to take his/her facebook account back?
   Shall I report the profile?
   What do we have to do?
4. Hi A.N.T.,

   Yes, if somebody breaks into your account and changes your password, and password recovery methods fail, then you will have to contact the company that runs the website and somehow prove your identity so they can reset the password for you.