Here is what you need to do if your online accounts are being hacked.
- Install and run Malwarebytes. You don’t need to pay for it, but you do need to run it to make sure you don’t have any malware on your computer that is stealing your passwords.
- Use a different web browser. If you use Chrome, download Firefox. If you use Firefox, get Chrome, Opera, or Vivaldi. The web browser could be to blame due to rogue plugins, exploits, or cookies.
- Change your email password. If you have more than one email account, then change them all. The password needs to be something you never used before!
- Change your banking passwords or any account that deals with money. This could be PayPal, Venmo, or other related services. The password needs to be something you never used before!
- Change the password to the account(s) that were hacked. The password needs to be something you never used before!
- Get a password manager. From now on use your password manager to generate and store your passwords.
- Write down the master password to your password manager. There is no password reset for password managers. Write it down and keep it somewhere safe!
Need Help Creating Passwords? Use this to generate a random password. Right now the best thing you can do is use a password you’ve never used before.
The reason we change your email password first is that your email can be used to reset other accounts’ passwords. You must gain control over the email account to “stop the bleeding”.
Why Were You Hacked?
The biggest reason people get hacked is because of password reuse.
A website you used in the past got breached and the passwords leaked. Bots then try these leaked passwords all over the internet. These bots move quickly, checking 1,000s of websites in seconds to see which of your other accounts they can steal.
They want these accounts so they can either sell them, steal something, or manipulate. There is a huge market for stolen Netflix, Chipotle, Crunchyroll, Uber, and even Reddit accounts.
If all your passwords are unique, one account getting breached won’t affect the others. The problem is that most people don’t do this, and this is why this attack is so effective. Also, many people think no one will hack them, or ask, “Why would anyone want my account?” The truth is that if someone can make money from it, they want it.
To see how bad it is you can enter your email at https://haveibeenpwned.com/ to see what breaches you’re in. Keep in mind this only shows you KNOWN breaches.
How To Keep From Getting Hacked Ever Again?
I can’t make a promise you won’t ever get hacked again but if you stop reusing passwords the odds go way down.
To lower the odds of getting hacked you need to get yourself a password manager and use that to generate and store all unique passwords.
Here is a beginner’s guide to using password managers.
Write down your master password to your password manager because if you forget it, there is no reset option – this is a good thing. Only you know the key to unlock the vault, and a reset option could be used to get around that, and you don’t want that.
What Password Manager Should I Get?
I’ve tested several password managers and have listed off the ones I recommend and who they best fit.
1Password – The best all-around password manager. Out of all the online password managers, I find they take security the most seriously.
Bitwarden – The best free password manager. It’s open-source and has a lot going for it.
KeePassXC – This is for the super paranoid person. This is a local password manager; this means you can put your encrypted database anywhere you want. But this also means you’re responsible for backing up your database.
How Do I Make A Strong Password?
Online accounts – Uniqueness is the most important factor.
Offline accounts – Length is the most important factor.
When it comes to online accounts, you need to think of passwords as being disposable. Once you use one, you can never use it again.
The best solution is to let the password manager generate something random. Anything 12 or more characters is fine. Anything over 15 characters is not being cracked in anyone’s lifetime.
When it comes to offline accounts, the length of the password matters more. To keep it simple, you can use diceware words or create a random sentence that doesn’t make sense like “Empty toasters drive over 23%”. The longer the password, the longer it will take to crack.
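As an added illustration (not code from the original post), this Python sketch generates a random password and a diceware-style passphrase with the operating system's CSPRNG and compares their strength in bits. The 16-word list and the guess rate in the demo are constructed assumptions; a real diceware list has 7,776 words.

```python
import math
import secrets
import string

# Printable ASCII without whitespace: 52 letters + 10 digits + 32 symbols = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word sample list, for illustration only. A real diceware
# list has 7,776 words (one word per five dice rolls).
SAMPLE_WORDS = ["empty", "toaster", "drive", "over", "candle", "river",
                "mango", "pixel", "orbit", "velvet", "cactus", "anchor",
                "lunar", "biscuit", "harbor", "quartz"]

def generate_password(length=16):
    """Random password drawn with secrets (CSPRNG), never the random module."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def generate_passphrase(n_words=6, wordlist=SAMPLE_WORDS):
    """Diceware-style passphrase: each word chosen independently and uniformly."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def entropy_bits(choices, picks):
    """Bits of entropy when `picks` items are drawn uniformly from `choices`."""
    return picks * math.log2(choices)

def years_to_exhaust(bits, guesses_per_second):
    """Years to try every candidate at a fixed rate (the average hit is half)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    rate = 1e12  # assumed offline guess rate, for comparison only
    print(generate_password(16))
    print(generate_passphrase(6))
    for label, bits in [("12 random chars", entropy_bits(94, 12)),
                        ("15 random chars", entropy_bits(94, 15)),
                        ("6 diceware words", entropy_bits(7776, 6))]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years")
```

Six words from a full diceware list land within about one bit of a 12-character random password, which is why a passphrase works well for the few passwords you have to type or remember.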
How Do I Find All The Accounts I Have?
I’ve been using a password manager for years, and I still find accounts I’ve forgotten about.
But I’ve also learned some tricks to help you find these accounts.
I Don’t Trust Password Managers!
If you don’t trust password managers look into peppering the most important passwords. I’ve yet to find someone who would not give a password manager a try after learning about peppering.
If you’re worried about keeping all your eggs in one basket, I have a post that goes over this here.
If those don’t convince you, then use a notebook. The goal is that you never reuse a password again. Think of passwords as being disposable.
Here is a video showing you how online password managers like Bitwarden work and how your data is uploaded and protected.
But I Already Use Unique Passwords!
Your password might not be as unique as you think.
The most common response I get is from people who pick a phrase that they use for every site along with the site’s name.
An example would be “Password123Facebook” or “Password123FB”.
The problem is that all it takes is one website to leak the password and your password scheme is figured out. Clearly, your Paypal password would be “Password123Paypal” or “Password123PP”.
I also have a super in-depth post about password algorithms people create, which answers all the negatives about password managers that these people tend to have.
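To check your own passwords for this problem, here is an added Python sketch (not from the original post) that audits a list of site/password pairs for exact reuse and for the "same phrase plus site name" scheme described above. The vault entries and the alias map are constructed sample data; in practice you would feed it an export from your own password manager.

```python
from collections import defaultdict

# Constructed sample entries (site, password); not real credentials.
SAMPLE_VAULT = [
    ("facebook", "Password123Facebook"),
    ("paypal", "Password123PP"),
    ("netflix", "hunter2!hunter2"),
    ("uber", "hunter2!hunter2"),
    ("reddit", "t9#Lq2v!xZ0pRw4k"),
]
# Constructed abbreviations people commonly splice in instead of the full name.
SAMPLE_ALIASES = {"facebook": ["fb"], "paypal": ["pp"]}

def strip_site_token(site, password, aliases):
    """Return the password with the site name or alias removed, else None."""
    lowered = password.lower()
    tokens = [site.lower(), *aliases.get(site.lower(), [])]
    for token in sorted(tokens, key=len, reverse=True):  # longest match first
        idx = lowered.find(token)
        if idx != -1:
            return password[:idx] + password[idx + len(token):]
    return None

def audit(vault, aliases=SAMPLE_ALIASES):
    """Find exact reuse and shared base phrases across (site, password) pairs."""
    by_password, by_base = defaultdict(list), defaultdict(list)
    for site, password in vault:
        by_password[password].append(site)
        base = strip_site_token(site, password, aliases)
        if base:  # something is left once the site token is removed
            by_base[base.lower()].append(site)
    reused = [sorted(sites) for sites in by_password.values() if len(sites) > 1]
    schemes = {b: sorted(s) for b, s in by_base.items() if len(s) > 1}
    return reused, schemes

if __name__ == "__main__":
    reused, schemes = audit(SAMPLE_VAULT)
    print("Exact reuse:", reused)
    print("Shared base phrase:", schemes)
```

Every site listed in either result should get a fresh, generated password.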
What About 2FA?
Two Factor Authentication (2FA) is excellent, but you need to fix your 1FA (password) problem first.
Once you have mastered 1FA, then you can start to mess with 2FA.
SMS is better than not having 2FA, but it’s not that great. You want TOTP-style 2FA, where an app gives you a code that changes every 30 seconds.
Keep in mind that many 2FA apps like Google Authenticator don’t back up your codes. So if you lose or break your phone, you could be without 2FA and locked out of accounts that require it.
The best 2FA is a security key like what Yubikey sells. Just be warned that if you lose your Yubikey and didn’t set up a backup, you can be locked out of your account too.
Since there is a lot to take in with 2FA I don’t recommend it right off the bat to someone new to it. You must fix your 1FA problem first, and then you can move to 2FA options. It’s not something you should take lightly.