It is important to follow certain rules when you store your passwords or when you create a password. Recently I have seen a lot of spam in my junk box about my account being hacked. The hackers just send you an email saying “hey you’ve been hacked, this is the email address and this is your password”. And sometimes it is one of the passwords you’ve used in the past and it’s quite alarming. You are thinking “What?! I’ve been hacked!” It is important to understand what is going on so you can keep yourself secure.
//Password Security
First, we will look at password security and how people steal password databases in the first place.
Let us say you register for an account with Facebook. You sign-in to your Facebook account and when you sign in you choose a name, email and password. What happens with this data is it’s passed to the Facebook website and is stored in a database. A database is just a system to store information online. Before storing your password they will encrypt it, meaning they will use a small piece of code to make your password unreadable. Anyone trying to hack the password is just going to see jibberish or a series of numbers or letters stored in the database. It is not going to make sense and nobody will be able to read it.
The reason this is so important is that sometimes the database is stolen and leaked by hackers. We’ve seen this happen in the past with Dropbox who had their accounts stolen and client emails were leaked. Yahoo also had a major, major leak. If the security and encryption is not strong, the hackers will be able to get the information. There has been a bunch of these database leaks and it is going to continue to happen as hackers find security flaws and holes to get into the systems and steal data. They’re downloading it on their computer and not all these systems are as secure as Facebook or Google.
I will give you an example. In Quebec there’s a major website for advertising products for sale called “LesPAC”. Let us say you go on “LesPAC” and sign up for an account. We don’t know if “LesPAC” is using a good encryption system. They might not have one and be simply storing your information as what we call “clear text” (immediately understandable text). With “clear text” it means they are storing your password unencrypted in their database. So, someone who steals this database is able to view the passwords.
Also, a lot of people are using the same password for all their various websites. You don’t think about it when you use the same password for everything because it is easy to remember, but it is not secure. When a hacker steals that one password they can then try multiple websites with your email and password to try to get into your accounts. This is how hacking works, basically, with passwords.
//How to Check if You’ve Been Hacked
Now you may be wondering “have I been hacked?” There is a really great online tool you can use to find out if you’ve been hacked and if your password has been leaked. Even if it is an encrypted password you can use this website to find out if you’ve been hacked.
The website is called “haveibeenpwned.com” (pwned is just a web hacking term that means you’ve been defeated; owned). Simply go to the website and enter your email address and click on the button. They will analyze your information against all the databases that have been stolen and they will tell you if your email address and password have been leaked.
//What to do if you have been hacked
If you have been hacked, then you need to change your password right away! Also, if you haven’t changed your passwords in a long time you need to go in and change your passwords. That’s really, really important. If you don’t then you are putting yourself at risk to have your email hacked and once they get into your email it can get nasty. However, if you use a Gmail account or some of these bigger names, getting into an email is a lot tougher than it used to be.
I want to show you something that I received from these hackers. I received an email that said:
“I’m a programmer who cracked your email account and device about half a year ago. You entered a password on one of the insecure sites you visited and I cached it. Your password from XYZ on the moment of the crack was: your password”
Then they show you “your password” and sometimes it could match one of your current passwords. If you’ve been hacked on an unsecure site they would have been able to access your password. It can be very intense but before you freak out do your homework. If you continue reading you will see they’re just trying to blackmail you with false information. So in this case they said to me:
“Oh you’ve visited these adult sites and we know about your dirty secrets, da da da…” Then they say “Please send $860 to my bitcoin wallet.” So they will take a wild guess at what they could possibly extort you with and then they will say if you don’t do it within two days they will release this information. But is there any proof of that? They didn’t show a picture of me, I didn’t receive any alerts from my email account that I’ve been breached or something like that. When you do your homework you will find the only thing they have is your email and some old password they grabbed from an old database.
But you have to worry if the password you see is one of the passwords you are using right now. So just go ahead and change your password as fast as possible before it’s too late.
Guillaume Bourdages
Vice President at Graphem Solutions
