Finding out if your Online Username and Password have been Hacked

How would you know if your username and password have been hacked?

In recent times there have been a rash of email phishing scams that go something like this:

  • They claim they have hacked you personally and have your username and password
  • They show you the password to add validity to the claim and get your attention (which it certainly does)
  • They say they have used your computer to record some form of bad behavior (adult or illegal websites, etc,)
  • They threaten that they will make this behavior public if your don’t pay them
  • They ask for some large amount of money in Bitcoins

Let me be clear – this is a scam.  Don’t pay them or even bother to communicate with them.  Throw out the emails.

But how did they get your username and password?

The simple truth is that Hackers are getting smarter.  Rather than hacking a million users like you individually, they focus their efforts to hack online companies to steal their large databases of users, that will include your information including your username AND your password.   Maybe even credit card numbers.  You may have heard of the breaches to Target, Home Depot, Dropbox, LinkedIn and others.

The hackers then sell these large lists on the “Dark Web” to anyone willing to pay.  The email phishing scam above is one of the results.  They bought the list of usernames and passwords off the dark web, then try and monetize it by sending out extortion emails to everyone on the list (and are getting rich doing it).

How can you know if your information has been released in these attacks?

It’s tough to really know.  I don’t think you can trust the companies to notify you.  It’s in their best interests NOT to advertise the hack.  In fact they may not even know that they were hacked.

Troy Hunt is a security expert and a ‘white hat’ hacker.  One of the good guys.  He had the great idea of buying copies of as many of the ‘lists’ on the dark web.  He then created www.HaveIBeenPwned.com where you can enter your email and he will tell you if it turns up on any lists of breached companies (learn more about it here on Wikipedia).  Currently his list contains information from over 300 breaches and has over 5 BILLION usernames.

“Pwned”  is a gamer slang term roughly meaning “I own you”.  In this context the hacker owns you.

Here’s how you can check your information:

  • Open a web browser and go to www.haveIbeenpwnd.com
  • Enter your email address into the field and then click on ‘pwned?’
  • It will return either good news or bad.  If you one a list it will tell you you’ve been pwned, and how many times.

It will list which breaches you were part of.  In my case, my email was pwned three times, including Adobe, Dropbox and others.  You can assume that the username and password you used on any of these companies sites is now in the hands of hackers.

If you have more than one email address (many people have a work and a personal email), you should check them all.

Another check is to test is to see if the password you use is on a list of well known password.  His list currently has over 500 Million passwords on it.  Even if the password you use wasn’t hacked in combination with your username, what if another user on the Internet happened to come up with the same password and they were hacked?   Essentially you are left using a password this is on the list anyways, and this is not a good situation.

CAUTION – I probably wouldn’t enter my current super secret and complex banking passwords if I don’t think are hacked.  Can we 100% trust that someone isn’t monitoring the passwords entered into the website?  But, if you just changed it, you could check your old password out to see if it was on the list.

To check your password:

It will tell you how many times (if any) that password turns up on a list.  Remember if it does, this isn’t necessarily because they hacked you specifically, other people that have been hacked may have had the same password.  But, this means your password is on a list that a hacker will use before they start trying to randomly generate a password.  In the example about I entered ‘StarWars’ as the password, and it reported back that password had been seen over 160,000 times!  Not a good password to use.

If you’ve found you’ve been Pwned, what should you do?

Unfortunately, people are creatures of habit.  Remembering usernames and passwords is a hassle, so often people reuse the same information on multiple sites.  If this describes you, imagine that there are hackers out there right now trying that same username/password combination of yours at all the various banks and retail sites.  Eventually they will find another one you actually use.

If you’ve been Pwned you should immediately go and change your password on ANY website where you used the same username and password combination.

In addition, if you found that any of your passwords were on the known passwords list, change all those accounts too.

This may be a daunting task as most people today have dozens of online accounts.  YOU NEED TO DO THIS!  Start with the ones that have money associated with them such as:

  • Banks like Citibank, Wells Fargo, etc.
  • Investment Banks like Fidelity, Mass Mutual, UBS, Charles Schwab, etc.
  • Healthcare providers
  • Retail sites where credit info is stored like Amazon, Starbucks, etc.
  • Email accounts like Google, iCloud, etc.

While you are changing all your passwords, now would be a great time to start using good passwords up to today’s challenges.   Check out our other article on what makes a great password (read it here).

If you need a little help with this or any other IT issue at your Practice give us a call.
MME is here to help.  Give us a call at 866-419-1102


For more information please check out our YouTube Video of this article as well.