Home

My Password Has Been Hacked at Least 27 Times

March 2019

Do this right away. Go to the website Have I Been Pwned (haveibeenpwned.com), enter your email address, and click “pwned.” The site will show you whether the bad guys got access to your personal data when they hacked into the computer systems of companies such as Target, Adobe, LinkedIn, and 337 others.

When I entered the email address that was my primary email for 15 years, it showed there have been nine occasions when the criminals got access to my email and password. This included data breaches at the websites Dailymotion, Dropbox, LinkedIn, and MySpace.

My Yahoo and Gmail email addresses and my university email address have each been exposed in six breaches.

In short, there are databases out there that any criminal can access in order to get my email address and password. In some cases, the breaches also include address and phone number.

Perhaps the most damaging breach was in June 2018 when the bad guys broke into Exactis, a company that collects consumer data to sell to political organizations, marketers, and anyone else wanting to know everything about you. In this instance, the breach revealed:

credit status information, date of birth, education level, email addresses, ethnicity, family structure, financial investments, gender, home ownership status, Income level, IP addresses, marital status, names, net worth, occupation, personal interests, phone numbers, physical addresses, religion, and spoken languages.

Yikes.

What can you do? Yep, change your password.

Criminals who access these databases of email addresses and passwords use that information to see if you have accounts they can break into. Maybe you don’t really care if they got the email address and password you used with your old MySpace account, but if you used that same email and password for your credit card account or Amazon or banking website, you could be at risk of having them access that account.

In many of the breaches above, I’ve since changed the passwords associated with those email addresses. I’m especially careful about using a unique password on accounts related to my finances. But I could do better.

Experts these days tend to recommend using a password manager. The ones I often see recommended are 1Password and LastPass. When a website asks you to create a password, these password managers automatically generate a strong password – and a different password for each website.

In addition, the next time you go to that website, the password manager will automatically fill in the password for you. You need not remember anything.

My Mac has a password manager built into the operating system. Not only does it automate creating and inserting passwords, and also inserting my username or email address, it also automatically shares those passwords across my devices. If I create an account on my computer and then access that website via my iPad, the password is automatically available to be inserted via my iPad. I need only touch my iPad’s Home button, and it uses fingerprint recognition to verify my identity, then inserts the password.

Of course, a question arises: if all my passwords are stored in one place on my computer, and in the cloud (in the case of password managers that share information across devices), what happens if the bad guys access my collected passwords?

Experts say the risk is small because password companies use strong encryption for their vault of customers’ passwords. And password managers typically use multifactor authentication, which would make it very difficult for someone to access passwords stored on your computer.

The greater risk, of course, is using weak passwords or using the same password on multiple sites.

One interesting side note to these data breaches: security experts have examined the data to determine the most popular passwords. The most common passwords of 2018 included 123456, password, 111111, qwerty, and iloveyou. Don’t ever use these.

If you decide not to use a password manager, be sure your password is at least eight characters and a combination of letters, numbers, and special characters, such as # and ^.

A better option may be to use a passphrase, such as “A stitch in time saves nine.” Experts say that password-cracking tools are limited to about 10 characters and that a phrase is easier to remember. Plus, a phrase will likely entail upper and lower case, as well as punctuation, making it even stronger.

Fortunately, so far the stealing of my passwords hasn’t affected me, other than the emails I’ve been receiving in recent months that appear to come from my own email account and claiming the sender has compromised my computer. To prove it, the sender includes my original password from years ago. He makes threats and demands that I transfer bitcoin to his account.

But I know it’s a scam – because I changed that password years ago.

© 2019 by Jim Karpen, Ph.D.

E-mail Jim Karpen