I got lazy. I didn’t update my password for 18 months, and then one night… my phone started to blow up with emails, text messages, Facebook Messenger messages.
“Ugh… Richard, did you mean to send this to me?”
It wasn’t your average spam. This was special. Someone hacked my account and sent out an email to a partial list of my contacts including clients… dick pics. Not mine, just a good old random assortment in various shapes, sizes, and well, you get the point.
Just a quick sidebar: if that isn’t enough to convince you to change your password periodically, then you’re likely going to gloss over the rest of this post, so I would, at a minimum, encourage you to have a Crisis PR strategy for explaining why this happened. Especially when you realize that on that short list was the pastor at your church (true story).
One line that has stuck with me from a cameo shot with exiting interns on The Office:
“What did I learn? That most people’s password is ‘password’.”
Password security is something most folks roll their eyes at. Every site has its own rules, and remembering which variation you used for which account is tedious. The problem is that weak passwords are not terribly hard to crack, while a few additional characters improve your security dramatically: every character you add multiplies the number of guesses an attacker has to make by the size of the character set you draw from.
Figures like the following are often quoted for an attacker brute-forcing an offline copy of a password hash, and they depend heavily on the character set used and the attacker's guessing speed, so treat them as an illustration of the trend rather than a guarantee: your standard 6 to 8 character password can be broken in as little as a few hours, a 9-character password takes up to five days, a 10-character one about four months, and an 11-character one nearly 10 years. Add one more character to create a 12-character password, and you're looking at roughly 200 years. What matters is the pattern: each extra character multiplies the work. None of this helps if the password is on a leaked-password list, because those are tried first, long before any brute force starts.
Like most people (especially my mom, who is still trying to figure out the DVD player), you’re probably thinking that a 12-character phrase is impossible to remember. Here’s some advice from someone who knows a few things about security:
- Use special characters and numbers
- Use upper and lower case letters
- Make login passwords easy to remember by building them from a phrase, as illustrated in the video; if you didn't watch, here is the provided example:
Create your own version, never reuse it on another site, and change it two or three times a year to save yourself some headaches.
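To make the length and character-class advice concrete, here is an added example (my own illustration, not the video's example and not code from this post) that computes the brute-force search space for a password and how long it would take to exhaust at an assumed guess rate. The guess rate, the year figures and the small "common passwords" list are all constructed for illustration; change the rate and every absolute number shifts, but the ratio between lengths does not, which is the point.

```python
import math
import string

# Assumed offline guess rate against a fast, unsalted hash. This is an
# illustrative figure chosen for this example, not a measurement from the
# post. Every absolute time below scales with it; the ratios do not.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

# A tiny constructed stand-in for a breached-password list. Real attackers
# try hundreds of millions of these before any brute force begins, so a
# password on such a list falls instantly regardless of its character mix.
COMMON_PASSWORDS = {"password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein"}


def charset_size(password: str) -> int:
    """Smallest standard alphabet an attacker must brute-force to cover
    every character class the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate strings of the given length over the alphabet."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Equivalent key strength in bits for a uniformly random password."""
    return length * math.log2(alphabet)


def years_to_exhaust(alphabet: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at the assumed guess rate."""
    return keyspace(alphabet, length) / rate / SECONDS_PER_YEAR


def growth_table(alphabet: int, lengths) -> dict:
    """Years to exhaust for each length; consecutive entries differ by a
    factor equal to the alphabet size, which is the whole argument."""
    return {n: years_to_exhaust(alphabet, n) for n in lengths}


def rate_password(password: str) -> dict:
    """Brute-force cost of a password, plus the check brute force ignores:
    whether it is already on a leaked-password list."""
    alphabet = charset_size(password)
    length = len(password)
    return {
        "length": length,
        "alphabet": alphabet,
        "bits": entropy_bits(alphabet, length) if alphabet else 0.0,
        "years": years_to_exhaust(alphabet, length) if alphabet else 0.0,
        "in_common_list": password.lower() in COMMON_PASSWORDS,
    }


if __name__ == "__main__":
    for n, years in growth_table(94, range(6, 13)).items():
        print(f"{n:2d} chars over a 94-char alphabet: {years:12.3e} years")
    for pw in ("password", "P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, rate_password(pw))
```

Two things to take from running it: the 12-character row is 94 times the 11-character row whatever guess rate you plug in, and "P@ssw0rd" scores a 94-character alphabet yet is flagged as a common password, which is the order in which a real attacker would find it.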
It’s Too Late
What if you're reading this because you think someone has already hacked your email, or spoofed it? Those are two different problems. If the cause is poor password hygiene, your account really was hacked: someone logged in as you. If it was spoofed, nobody logged in at all; someone sent mail with your address forged on it so that it merely looks as if your account was hacked.
How do I tell if my email account was spoofed?
- If you are receiving bounce messages from a bunch of email addresses for people you've never heard of, you're likely being spoofed, not hacked: the forger put your address on the mail as the sender, so the rejections come back to you.
- Get a copy of one of the emails, including the full headers, and check the originating IP address against addresses you could plausibly have been sending from. Read the Received headers from the bottom up: each relay adds one at the top, so the lowest one is the first hop and the topmost is just the last server before the recipient. If the receiving server added an Authentication-Results header, look at it too; an SPF or DKIM failure on mail claiming to come from your address is a strong sign of forgery.
If your account was spoofed, the sender simply created an email with fake details (usually the "From" or "Reply-to" address). From a personal mailbox there is very little you can do to stop this, and most of what you can do is likely ineffective (happy Monday). If you own the domain, the one measure that actually works is publishing SPF, DKIM and DMARC records so receiving servers can reject mail that forges it. Otherwise, here is what you can try:
- Take the IP address from the email header
- Contact the ISP for that address
- Ask them to block it*
* Why this can be ineffective: the spammer could be using a different IP address the next day, or the ISP could simply ignore your request, especially if it is one of the notoriously shady ones... you know, the kind a spammer would use.
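The header checks above, done in code. This is an added example written for this post, not something the author or any mail provider ships. It parses a constructed spoofed message (every address and IP in it is an example value, and the "public" addresses are taken from the documentation ranges), walks the Received chain bottom-up to find the first public hop while skipping private relay addresses, reads the Authentication-Results header, and compares the From, Reply-To and Return-Path domains. The `my_domain` and `my_egress_ips` arguments are assumptions you would replace with your own domain and the addresses you actually send from.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed sample: a message forged to look like it comes from my domain
# but injected from an unrelated host. All values are example data; the
# 203.0.113.0/24 range is a documentation range standing in for a public IP.
SAMPLE = b"""Return-Path: <bounce@evil.example>
Received: from mail.evil.example (mail.evil.example [203.0.113.45])
 by mx.recipient.example (Postfix) with ESMTP id 4F1A2B for <client@recipient.example>;
 Mon, 1 Jan 2024 09:00:00 +0000
Received: from [10.0.0.7] (unknown [10.0.0.7])
 by mail.evil.example with ESMTPA; Mon, 1 Jan 2024 08:59:59 +0000
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=evil.example; dkim=none; dmarc=fail header.from=mycompany.example
From: Richard <richard@mycompany.example>
Reply-To: richard.support@evil.example
To: client@recipient.example
Subject: Quick favour

Please see the attachment.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Ranges that can never be the real origin of mail from the internet. We keep
# our own list rather than ipaddress.is_global so the documentation ranges
# used in the sample are still treated as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def received_ips(msg) -> list:
    """Bracketed IPs from each Received header, top (last hop) to bottom (first hop)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def originating_ip(msg):
    """Earliest hop with a routable address: relays prepend Received headers,
    so read bottom-up and skip internal addresses such as 10.0.0.7."""
    for ip in reversed(received_ips(msg)):
        if is_routable(ip):
            return ip
    return None


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts as recorded by the receiving server, if any."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))


def domain(addr: str) -> str:
    return email.utils.parseaddr(addr)[1].rpartition("@")[2].lower()


def spoof_indicators(msg, my_domain: str, my_egress_ips) -> list:
    """Human-readable reasons to believe the message is forged, not sent by you."""
    findings = []
    from_dom = domain(str(msg.get("From", "")))
    rp_dom = domain(str(msg.get("Return-Path", "")))
    reply_dom = domain(str(msg.get("Reply-To", "")))
    if from_dom == my_domain and rp_dom and rp_dom != my_domain:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points to {reply_dom}, not {from_dom}")
    for mech, verdict in auth_results(msg).items():
        if verdict == "fail":
            findings.append(f"{mech} failed at the receiving server")
    origin = originating_ip(msg)
    if origin and origin not in my_egress_ips:
        findings.append(f"originating IP {origin} is not one of your known addresses")
    return findings


if __name__ == "__main__":
    msg = parse(SAMPLE)
    print("Received chain:", received_ips(msg))
    print("Originating IP:", originating_ip(msg))
    for line in spoof_indicators(msg, "mycompany.example", {"198.51.100.10"}):
        print(" -", line)
```

The originating IP this returns is the one you would give the ISP in the steps above. If the same check on a message from your own mailbox shows your provider's outbound servers, an SPF pass and nothing in your Sent Items, you are looking at spoofing, not a compromise.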
How do I tell if my email has been hacked?
- The recipients of the spam are a whole bunch of people from your contact list
- Your Sent Items folder contains spammy emails you never sent
- Worst case scenario: you try to access your account, your password doesn't work, and the "Forgot Password" link no longer sends the reset email to your recovery address, because the attacker changed that too
How does your email get hacked?
- Your password was weak
- You entered your credentials into a phishing site
- The website where you had your account had a security breach
- Your hacked account used the same password as a different, breached site (I assume this is what happened to me)
- There is spyware on your computer
What to do if my email has been hacked?
- IMMEDIATELY change your password on the hacked site, on any other site where you used the same username and password, and on any site whose login details were stored in the hacked account. While you are in there, sign out all other sessions, remove any forwarding rules, filters, connected apps or app passwords you didn't create (attackers add these so they keep reading your mail after you change the password), and turn on two-factor authentication
- If you have been affected by spyware, once it’s removed, you will need to change all your passwords for ALL of your online accounts. ALL OF THEM. EVERY SINGLE FLIPPING ONE. Then, as if that wasn’t painful enough, you also need to follow procedures for recovering from identity theft
- If you cannot follow any of these steps because your account details have been changed, you will need to contact customer support for the website that provides your account so that you can regain control.
I highly recommend having a bottle of wine close by, because not a single one of these options is a fun process.