We all have a bunch of online accounts. There are your social media accounts, online banking, online gaming, shopping, that random account for an online textbook that you had to create in college, the list goes on. There are a few things they all have in common, and hopefully one of those things isn’t your password. They are all online, they are all a potential target for hackers, and at least some of those credentials have been exposed as part of a data breach. What is a data breach? In general, it is an event where a malicious entity steals data from someone else. In our particular case, we are discussing data breaches involving customer login credentials that have been published or sold online.
So, you are telling me that my login data for Facebook might be available somewhere for someone to use to take over my account? Yes, it might be. And I am going to show you a way to find out if it has been. There is a wonderful site called haveibeenpwned.com which allows you to type in your email address and find out if it appears in any of the data breaches in their database. The same data set used by this site is used by other tools, such as my password manager, 1Password, to help users determine if their accounts have been compromised. Have I Been Pwned was created by a security researcher who recognized that there are a lot of data breaches that are accessible to malicious entities, but that a normal internet user would never know about. So he has worked to try to get his hands on as many released data breaches as he can find to create a service where people like you and me can check if our accounts are compromised.
So let’s look at what Have I Been Pwned has to say about a few of my email addresses. Let’s first look at one of my newest email addresses. You didn’t think I was going to actually include my email address in the picture, did you? We can see from the results that this particular email address hasn’t been included in any data breaches. But I want to make sure I know if this address is part of a data breach in the future, so I am going to click on the subscribe link and verify my email address.
Now we will check one of my older email addresses. So we can see from the picture that this address has been associated with one breached site. So what do we see when we scroll down? We see that there was a breach involving some Chegg data that my email address was found in. I get a brief summary about the circumstances surrounding the breach and some specific details about what was exposed. In this case, the breach included my email address, name, password, and username. Basically, everything you need to know to rent, sell, or buy a textbook as me.
So now that I know this account has been compromised, what do I do? Well, there are a couple of options. I could just delete the account, which is probably what I will do in this case since I don’t need a Chegg account anymore. But I do realize deleting your account isn’t always an option. In that case, you are going to want to, at the very least, reset your password and ideally enable other security measures such as 2-factor authentication. If you use a password manager (which you should), go ahead and log into your account and reset your password to one generated by your password manager. If you don’t use a password manager, you should start using one (I’ll do a separate blog post on password managers later), but in case you aren’t using one, you will want to change your password to a unique, long password. I might write a short post another time about creating good passwords, but for now just read this comic for the short version.
Oh! I almost forgot: if you use that same username/email and password anywhere else, you also need to go change the password on all of those accounts to new unique passwords.
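The steps above (see what a breach exposed, deal with that account, then change the same password everywhere else it was used), as an added example that is not part of the original post. The breach records are constructed and use the `Name` and `DataClasses` fields of Have I Been Pwned's breach records; the inventory, its site names and its password labels are hypothetical.

```python
import json

# Constructed sample shaped like Have I Been Pwned breach records.
# The Chegg data classes are the ones listed in the post; the second
# record is made up to show a breach that did not expose a password.
SAMPLE_BREACHES = json.loads("""
[
  {"Name": "Chegg",
   "DataClasses": ["Email addresses", "Names", "Passwords", "Usernames"]},
  {"Name": "ExampleNewsletter", "DataClasses": ["Email addresses"]}
]
""")

# Hypothetical personal inventory: site -> label of the password used there.
# Labels stand in for the passwords so no secret is stored in the script.
SAMPLE_INVENTORY = {
    "Chegg": "old-college-password",
    "ExampleForum": "old-college-password",
    "ExampleBank": "unique-bank-password",
    "ExampleNewsletter": "unique-newsletter-password",
}

def triage(breaches, inventory):
    """Return sorted (site, action) pairs following the post's advice."""
    # Sites whose breach included the password itself.
    exposed = {b["Name"] for b in breaches
               if "Passwords" in b.get("DataClasses", [])}
    # Password labels that must now be treated as known to attackers.
    burned = {inventory[s]: s for s in sorted(exposed) if s in inventory}
    actions = {}
    for b in breaches:
        if b["Name"] not in exposed:
            actions[b["Name"]] = "password not exposed in this breach"
    for site, label in inventory.items():
        # A reused password is compromised everywhere it is used.
        if label in burned and site not in exposed:
            actions[site] = f"change reused password (shared with {burned[label]})"
    for site in exposed:
        actions[site] = "delete account, or reset password and enable 2FA"
    return sorted(actions.items())

if __name__ == "__main__":
    for site, action in triage(SAMPLE_BREACHES, SAMPLE_INVENTORY):
        print(f"{site}: {action}")
```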
Hopefully, this post will help you make your online accounts more secure and will allow you to be a little more confident that your account hasn’t been hacked. Now I am off to go delete my Chegg account before I publish this post.