Protect Your Online Accounts
It's only a matter of time before we see another major online entity in the news stating that user data has been hacked, leaked, or exposed. What does that mean for you? That means the information that was accessed is now immortal. It's been duplicated, packed up along with other users' info, and is now living in the sketchy parts of the internet, being sold for less than a cup of coffee.
Change your password
If you reuse the same password elsewhere, you need to change it right away. Since humans are lazy and habit-prone, we tend to reuse our passwords for convenience.
The first thing hackers would do is use the same email and password combination on as many services as possible. So even though your data was leaked on Telephone Company's website, your account at your bank or other social media accounts could be in danger if you used the same email and password that was leaked.
I highly recommend that you use a password manager. It assists you in generating a unique password for all your accounts. That way, on the next data leak, since your password isn't being reused, you'll have one less thing to worry about.
I will be publishing a write-up about password managers in the future and will link it here.
Set Up Two-Factor Authentication
Two-factor authentication is basically another password that you have to provide when you try to log in to your account. Typically, this password is always changing, so you will be given this passcode on a device you own, like a phone or a special USB device, and you then enter it into the website/application you are trying to log into.
So you type your username and password on the website and hit login. The login page then shows another input asking for a code. You check for your code on your device, type it in on the website, and then you are logged in! It's one more step, but it definitely helps to reduce the chances that someone could take over your account. Definitely set it up for places that are important to you, or that have a lot of data about you.
Most online services have some sort of two-factor authentication in your account settings, most likely in the same area where you would change your password. There, you should hopefully be presented with at least one of these methods.
Phone — You could get your code by connecting a phone number. You would then receive a text with a code that you would submit. Some might even have the option to get a phone call, and a robotic voice would then tell you your code.
Email — You may have the option to receive your code via email. Just be sure your email account isn't easily accessible by other people, like a shared computer or device.
Authentication Application — Websites may offer a QR code that you scan with an authentication app such as Authy (free, available for most of your devices). The app then shows you the code to enter.
To set up this type of two-factor authentication, Authy has instructions for the more popular web apps. Here is an example for how to set up Facebook: https://authy.com/?s=facebook&post_type=guides. Follow the instructions for a few, and you'll get the hang of it really quickly.
Security Key — These are physical devices, most commonly in the form of a USB device, that you would connect to your phone/computer to verify your login. Oftentimes, they have a button on them that you would press to trigger the login. This is the most secure method, and more services are supporting them. If you're interested, a quick search would bring up Yubico, one of the more popular security keys available.
Push Notifications — After you enter your username and password on the website, you could get a prompt on your mobile device if you have that website's app installed. You would then open up the app (oftentimes verifying you are who you are by fingerprint), and then you will see a prompt asking you if you were trying to log in just now on a certain device. You would then approve it by pressing a button, or deny it if it wasn't you!
Important: Only use SMS or Email if there are no other options available
SMS can easily be spoofed/cloned, so it is not as secure as we would like if we are using it to log in. The same goes for email. Unfortunately, sometimes we have no other choice, as it may be the only method a website offers. Enable it anyway, as it is better than nothing.
Lock/Freeze Your Credit
If the data that was leaked contains your SSN, you should definitely freeze your credit, so no new accounts are created. I have instructions on how to do that in this post: https://faq.giyo.us/protect-your-credit/