What to do after an online service you use has been hacked


I should be posting the next in my series of MMO security stories, but I thought I would take a moment and peck this little blog out to help the masses of interweb users.  You can buy me a chai tea as a thank-you some time.

Most recently Steam was hacked and accounts were compromised, which kind of got me thinking about writing this very blog post for like the umpteenth time.  Like normal, I saw the news fill my feeds with all manner of people congratulating themselves on resetting their passwords on the Steam service as soon as they heard.  Okay, I guess if it makes you feel better that was a good move.  Now no one can use your account to buy and download a new game… but you missed the mark a little bit, and this happens with so many people regardless of what service was hacked.  Be it a bank, an online game service, a social network, etc.  Let’s take a step back for a minute and review some glaring realities that you are probably overlooking in your panic-stricken moment.


Truth – There are three things I need to compromise a service.  The “Holy Trinity” of hacking, if you will.

  1. A login ID
  2. A Password
  3. Something to log into


Truth – People know their own limits, and one of them is that they are forgetful.  This means they tend to use the same username and password combination on multiple services.  The password may, hopefully, be complex in nature… but every site you reuse it on is one more place it can be stolen from, and once it is stolen from one of them its complexity no longer matters anywhere.  Using the same login ID (username, etc.) on various sites weakens your personal information security the same way, because it tells whoever holds the stolen password exactly which accounts to try it against.  Use a password manager, or a notepad… or formulate some interesting system for the creation of passwords.  Example:  ThisIsMyPasswordForMyOnlineBankAndTheBears!  It’s a killer password, but now everyone knows it and will add it to their password lists for cracking into things, but you get the idea.  Sentences make better passwords than you think, and oddly – they are easier for the human mind to remember.

Truth – Discretion, something we all tend to learn as adults in the real world, doesn’t seem to have a strong hold on our conscious minds while we are online.  We openly share, link, and erect huge virtual neon flashing signs pointing at the things we use and work with.  This isn’t helped much by marketing groups realizing that the more they can get you to “like”, “follow”, “circle”, etc., the better their chances of playing on the social need to be “at the cool kids’ table”, and thus we all follow like lemmings and do the same things.  But aside from my digression on our lemming culture, this means it isn’t hard to figure out which other online services you are using.  E.g. “I like Wells Fargo Bank.”  Great… um, I think I now know which banking portal to try your leaked username and password against.

This means you are now realizing my amazing wisdom and are starting to read this blog much faster, because you know I am not only going to show you how vulnerable you are, but also going to tell you how to fortify your online self.  Yes, I said it; the truth hurts.

Truth – The service you read about today, which you use, that was compromised yesterday or last week was actually compromised well before anyone told you.  In the time between when it happened, when it was noticed, and when it was told to the public, your information is being sold, resold, researched, and tried against every other account it might unlock.  Changing your password on the hacked site does nothing about any of that.  The LAST place you want to go running to change your passwords is the site that was just hacked!

So here is a checklist of what you should be doing if a service you use has been hacked –

  1. Discern what other online services you use where the following are true:
    1. You use the same username / password combo.
    2. You use the same password, and the username is your email address, first name, last name, etc., any of which could have been pulled from the profile information on the account for the site that was already compromised.
  2. Realize that your username, and potentially the list of sites you use, are more valuable to an attacker than your password.  Why?  Because your password is probably one of the most commonly used passwords to begin with, so the username is what tells them where to try it.
    1. I am not saying to go change your usernames… but you are going to have to avoid passwords that look like the most commonly used ones, AND you shouldn't take your current favorite password and just add “1” or “2” or something to the end.  E.g. don't take "monkeys" and make it "monkeys2".  Actually, never make a password a simple word like that with a number after it; password-cracking tools try those variations of every word in their lists automatically.
  3. Write down your most critical sites.
    1. Login to each of them, check to see if anything looks wrong.
    2. Change the passwords (again don’t just add a new letter or number to the end, actually make it new.)
  4. Take note of what credit / debit card you used on the site that was compromised.
    1. Make a list of all the services that auto-bill that card; chances are you will be contacting them with a new card once your bank or credit card company cancels this one, so it’s a little pre-work that will help when you get that new card in the mail telling you your old one is about to be turned off.
  5. Did you have your Social Security number in their data?
    1. If so, run a credit report on yourself repeatedly for the next few months.  Any new accounts opened in your name?
    2. If not, run a credit report on yourself repeatedly for the next few months… yeah, you get it now, don’t you?
  6. Finally – Write a strongly worded letter to the company that was compromised.  Let them know that you do not appreciate that your PII (Personally Identifiable Information) was not protected better, and that you will only do business with companies that invest in headcount and technologies to keep their customers safe.  Honestly, you would do this if you were not happy with the service of any other company… this is the pinnacle of horrible customer service.
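Steps 1 through 3 of the checklist, plus the “monkeys2” warning in step 2, are easy to get wrong by hand when you have dozens of accounts.  The script below is an added example and is not the post’s own code: it takes a password-manager export (most managers can export a name,url,username,password CSV; the five accounts here are constructed), finds every account that shares the breached site’s password or username-and-password, flags passwords that are trivial mutations of top-list passwords (the short COMMON_PASSWORDS set stands in for the multi-million-entry lists cracking tools actually use), and prints them in the order the post recommends changing them, with the breached site last.  The column names and the leet-substitution table are assumptions for the example.

```python
import csv
import io
import re

# Constructed password-manager export in a name,url,username,password layout.
# Every account here is made up for the example.
SAMPLE_EXPORT = """name,url,username,password
Steam,https://store.steampowered.com,gamer42,Tr0ub4dor&3
Bank,https://bank.example,gamer42@example.com,Tr0ub4dor&3
Social,https://social.example,gamer42,Tr0ub4dor&3
Forum,https://forum.example,gamer42,monkeys2
Email,https://mail.example,gamer42@example.com,correct-horse-battery-staple
"""

# A few entries of the kind that top "most used passwords" lists. Constructed
# stand-in; the lists attackers feed to cracking tools run to millions.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "monkey", "monkeys", "letmein",
    "dragon", "baseball", "football", "iloveyou",
}

# Leet substitutions a cracking rule set undoes before dictionary lookup
# (assumed table for the example).
LEET = str.maketrans("4301$@", "aeoisa")


def base_word(password):
    """Reduce a password to the dictionary word a cracking rule set would
    start from: lowercase, drop leading/trailing digits and punctuation,
    then undo leet substitutions.  'M0nkeys2!' -> 'monkeys'."""
    word = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return word.translate(LEET)


def is_common_variant(password):
    """True when the password is a top-list password or a trivial mutation
    of one (monkeys2, Monkeys!, m0nkeys); rule-based cracking finds these
    in seconds."""
    return (password.lower() in COMMON_PASSWORDS
            or base_word(password) in COMMON_PASSWORDS)


def rotation_order(export_csv, breached_site):
    """Return [(account, reason), ...] in the order to change passwords:
    accounts sharing the breached site's username AND password first, then
    accounts sharing just its password, then accounts whose password is a
    common-list variant, and the breached site itself last."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    breached = [r for r in rows if r["name"] == breached_site]
    if not breached:
        raise ValueError(f"{breached_site!r} not found in export")
    leaked_passwords = {r["password"] for r in breached}
    leaked_usernames = {r["username"].lower() for r in breached}

    same_both, same_password, weak = [], [], []
    for r in rows:
        if r["name"] == breached_site:
            continue
        if r["password"] in leaked_passwords:
            if r["username"].lower() in leaked_usernames:
                same_both.append((r["name"], f"same username and password as {breached_site}"))
            else:
                same_password.append((r["name"], f"same password as {breached_site}"))
        elif is_common_variant(r["password"]):
            weak.append((r["name"], f"trivial variant of common password {base_word(r['password'])!r}"))

    # The breached site goes last, and gets a password unrelated to the rest.
    return same_both + same_password + weak + [
        (breached_site, "breached site: pick a new, unrelated password"),
    ]


if __name__ == "__main__":
    for account, reason in rotation_order(SAMPLE_EXPORT, "Steam"):
        print(f"{account:8} {reason}")
```

Run it against your own export with the name of the hacked service and you get the list the checklist asks you to write down, already prioritized.  Notice that the Email account, which uses a passphrase shared with nothing else, never shows up; that is the outcome the passphrase advice above is aiming for.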

Now that all of that is done, go change the password on the site that was hacked.  Keep in mind, they probably haven’t fixed the issue that allowed the attackers into their servers, and if they have, they probably haven’t found all the new back doors the attackers left to get back in by other means.  So use your new lesson and make the password there, just as you did with your other services, completely different from every other password you use.