Three months ago, I woke up in the middle of the night and turned on my phone to check the time. I usually ignore notifications at night, but in a zombie-like state I saw I had some new emails and swiped down on the notification bar. The minute I read the subject lines, my heart dropped. I had two emails from Netflix. One telling me that my password had changed, the other that my email address had changed.
I felt sick when I tried logging in and couldn’t. The first thing on my mind was my credit card information. Could they access it? Were the digits or my address visible? Thankfully, they weren’t, but I didn’t know that, and before I could even think about restoring my Netflix account, I called my bank and instantly blocked my card.
Thankfully, Netflix’s customer support was really helpful and they quickly got me my account back from someone in Puerto Rico. Logging back into that account was an awful feeling. It felt insecure. I was uneasy and felt like the intruders were still lurking and watching me.
I hoped that that was the last time, but nope, it happened again. Last week, I had a repeat of the incident when a new Instagram account I had created for my website got hacked. Thankfully, there were no calls to the bank this time nor information to worry about, but I still felt violated. I got the account back without much trouble; I just had to click a link in one of the emails Instagram sent me.
Somebody from Russia had taken over. Other than getting me locked out, they did nothing to it but delete my bio. I still don’t understand why they hacked into an account with only 5 followers. At least with the Netflix hacker, I could understand they might want to watch something — maybe Stranger Things? (they didn’t) — but why hack an Instagram account with nothing?
Both incidents have made me rethink passwords. For one, I blame password leaks.
In both accounts, the password that was hacked was the same. It was also the same one I had used on sites like LinkedIn, Dropbox and MyFitnessPal, sites which had suffered major security breaches in the past. Passwords of millions of users from those sites are available for anybody to steal and try on other websites, because there are a lot of dumb people like me who use the same password.
Lesson learned: Don’t use the same password for everything
Considering hackers are mostly getting passwords from these leaks, it would be smart to change yours frequently. Security breaches aren’t announced instantly. Dropbox got a lot of flak for not announcing its breach until a week after. Just imagine the amount of time hackers had to get into accounts without anybody knowing.
Second lesson learned: Change passwords quickly
Those hackers in Russia and Puerto Rico did have my password, but they didn’t have my phone. If only I had enabled two-factor authentication on my Instagram, it wouldn’t have been so easy. There are some tricks online to bypass entering that code you get by SMS or from an authenticator app, but all of them require some action from the account owner. It may be a phishing link or a fake email asking for that code urgently, but I wouldn’t worry about that, as most scream “scam” in your head straight away. Also, having that extra layer of protection will thwart many who aren’t as tech savvy.
Third lesson learned: Turn on two-factor authentication
In almost every kind of recovery attempt, access to your email is important, which is why you need to keep your email secure. Add a backup email address which has a different password, and add multiple phone numbers and emails if possible. Outlook and Yahoo have some pretty great options for adding extra layers of security. One option that I really like is where you can unlock your account with a physical device like a USB flash drive. Unless your hacker is a secret agent on a mission to steal Netflix accounts, that’s going to be pretty hard to crack.
If you’re worried that it’ll take forever to log in and it’s not worth the hassle, you’re wrong. On the devices you use regularly, you only need to log in once. And with your phone by your side, the whole process is pretty quick.
Fourth lesson learned: Turn on all security features for email
In the end, I learned it’s not so much about long and complicated passwords with a symbol and whatnot; it’s about having a different password for every account and changing them frequently.
Note: This advice might work for protection against any asshole who stumbles across a password leak, but it won’t help you if somebody with Mr. Robot level hacking skills wants to break in. For that, get off the internet.
Originally published at www.thiscodeworks.com.