Learn Internet Grow

Tech Skills

Did Your Email Get Hacked Due to a Data Breach?

By

Find out if your email has been compromised, like NOW!

data breach is when previously secure information gets released into an unsecure environment. You may have heard about the recent Target and Sony data leaks, but that’s just the tip of the iceberg.

When someone finds out your email and password, they can do some significant damage. Think about all the accounts associated with one of your email address.

View of Email Address Text Box

Now, go to HaveIBeenPwned and enter your email. If you are in the all clear, great, but don’t stop reading yet, because this information is essential for your digital security.

REMEMBER: All they have to do is pick a website from your inbox, enter your email address, and click the forgot password to gain access. This process isn’t very complicated, and people program bots for this purpose.

At any rate, it’s a good idea to use 2-factor authentication on financial/sensitive accounts. If your email is compromised, there are specific steps you should take immediately.

  1. Go to a different computer because the hacker could be watching your activity (keystrokes, monitor, webcam, mouse clicks, microphone) – i.e. your entire machine could be compromised.
  2. If you can still log in, change your password immediately, set up two-factor authentication, and change your security questions. Overall, do everything that you can to make sure the hacker is out for good.
  3. By the time you realize your email is compromised, they could’ve taken control of some of your other accounts. Prioritize accounts tied to credit cards, and other financial/sensitive info.
  4. Log into that account and change your profile to another non-compromised email address, change your password, and enable enhanced security when available.
  5. Check your email forwarding list and make sure you don’t see anything you don’t recognize.
  6. Get a good Anti-Virus program and run a full scan to make sure any malware the hacker left is removed. More on this in the section on securing your digital devices.
  7. Check your signature block because hackers could have inserted malicious links there.

 Cool Trick: Save this URL in your bookmarks to quickly check your email status – https://haveibeenpwned.com/account/youremail@address.com

Don’t Get Hooked By a Phishing Scam

What is phishing? Phishing is a form of social engineering where you receive a seemingly legitimate email and get prompted to divulge sensitive information. An example of a phishing attack – An email from eBay stating that your account will be suspended unless you click a link and update credit card information.

You may say, “I wouldn’t fall for that” and that applies to most people. However, these types of emails get sent out automatically to millions of recipients and at that point it’s a numbers game. Another term for phishing is brand spoofing and carding. A way to remember and understand the term – they hope that you swallow the bait.

How to Pinpoint a Legitimate Email Versus a Scam

First of all, stop clicking on links from senders you don’t recognize. That’s rule #1. Here are some red flags to watch out for:

  • The email message is attempting to upset you or get you to react quickly without thinking.
  • Asks you to confirm or enter personal information.
  • Yes, even if it looks like it’s coming from an authentic source, don’t provide financial information via email or email links, PERIOD.
  • Don’t click links in chat rooms, instant messages, or emails from unknown senders.
  • Don’t download attachments.

Practice Smart Internet Usage

Here is a list of intelligent practices for future internet usage:

  1. Don’t click links inside pop-ups.
  2. Enable a pop-up blocker if your browser has one.
    1. For Chrome try Poper Blocker
    2. For Mozilla go to Menu – Options – Content – Check the Box Labeled Block pop-up windows
    3. Or try the Epic browser – Private and Secure Browser – It blocks popups by default.
  3. Start Using Web of Trust Chrome Extension, which will identify dangerous links to avoid.
  4. Check your Credit Report for unauthorized transactions – Most people don’t do this, and it’s free. Be proactive and check the accounts you have on your free credit report.
  5. Start checking the URL bar for the HTTPs protocol instead of the HTTP. HTTPs isn’t 100% secure, but it’s a heck of a lot better than an unprotected connection.

 

Protecting Your Devices from Hackers

As of now the best internet speeds in Chicagoland are provided by Comcast. I hope Google Fiber moves in soon, but it’s likely that we’ll be one of the last.

Thankfully, Comcast’s exorbitant prices include digital protection. Bundled with their service is a subscription to Symantec Norton Anti-Virus. This software actively scans your computer for any suspicious activity and will block attempts to penetrate your digital castle.

You can get Symantec’s Norton Anti-Virus and apply it to multiple devices. The subscription provides support for five devices.

 

Compromised Companies

Here is a list of the compromised companies made available by HaveIBeenPwned. I captured this list via Windows Snipping Tool in September 2015.

List of Hacked Companies

This list gets regularly updated, and you can sign up to get an RSS feed. Go to the RSS feed options for HaveIBeenPwned? To sign up you will need to create an account with one of the following RSS feed services:

  1. Feedly
  2. NetVibes
  3. My Yahoo
  4. SubToMe
  5. FeedDemon
  6. NetNewsWire
  7. NewsGator Outlook Edition
  8. RSSOwl
  9. Shrook
  10. Universal Subscription Mechanism

My current preference for viewing RSS feeds is Feedly, and I am experimenting with NetVibes. Whatever you choose for your feed service, checking this list every so often is a good idea.

 

Search Your Domain for Hacked Accounts

Go to the Domain Security feature on the site, and pick one of the authentication methods to verify ownership of your domain. Options include:

  1. Verify by Email
  2. Verify by Meta Tag
  3. Verify by File Upload
  4. Verify by TXT record

If you are a webmaster concerned about your company’s domain security, and you don’t want your team to worry, this is the feature for you. Instead of sending out an email prompting everyone to check their own email or manually checking each one yourself, you can use this feature to make sure your domain is in the clear.

 

Get Notified If Email Account Gets Pwned

If you followed the link at the beginning of the article and checked your email, hopefully, you got the following message.

Image of Good Result on Email Scan

By clicking on Notify me when I get pwned, you can feel assured that you will receive an email if your account becomes compromised. If or when you get pwned, this is the type of message you will see.

Image of my pwned account

Along with the date of breach, and the organization’s information, you are alerted to what kind of data was made available. In this case, I quickly changed my password, security questions, and enabled two-factor authentication. It was a second-hand email account, but troubling nonetheless.

HaveIBeenPwned Doesn’t Have All The Data

Remember, just because your email account came up clean doesn’t mean that it truly is. Don’t let your guard down and stay vigilant when it comes to your internet security. To understand this in detail, we’ll review how HaveIBeenPwned gets their data.

 

Where Does Information on Breached Email Accounts Come From

Troy Hunt is an internet security expert who is behind this service. The motivating force behind Troy’s decision to fund this service out of pocket was the Adobe breach. It was and remains the largest single breach of customer accounts EVER!

The data made available via HaveIBeenPwned.com is in the public domain. It was released by hackers who illegally accessed it. To fully understand this, we will want to define what a “breach” is. Essentially, all breaches occur when someone exploits a weakness in software or employs social engineering to obtain sensitive information.

What is a Paste?

A paste occurs when a hacker obtains data and then “pastes” it onto a public site such as PasteBin. If you’ve been watching the show Mr.Robot you might have caught this reference.

 

How Complete and Up-To-Date is The Data?

After a paste is published, HaveIBeenPwned indexes it within 40 seconds. However, it is important to remember that HaveIBeenPwned only contains a small subset of all the past breached records.

 

Support This Useful Security Service

Troy is currently funding this project out of pocket, and you can help to keep it going and support potential improvements by visiting his secure email donation page. Troy explains that hosting on the Azure Cloud isn’t very expensive but instead the significant cost for this project is his time.

Bookmark this page, add it to Feedly, or sign up for our newsletter to get stay up to date with internet technology. Also, please share with your social networks by using the Tweet button below.