So your data has been leaked. Now what?
So you've entered your email into haveibeenpwned.com and your information has been compromised.
How do you fix the problem?
Let's be clear: there is now nothing you can do to prevent your already leaked personal data from being used by others.
Your intention should now be to reduce the impact of the data that has been released, and prevent future leaks.
haveibeenpwned.com helpfully shows you what types of data have already been leaked.
Below are some useful notes for certain types of data leak.
This breakdown aims to give you more context on what each type of breached data means for you.
- Banking data
Your finances are at major risk. You should immediately close your bank account and open a new one. If this is impossible, at the very least you should change all your banking logins and replace your leaked cards.
- Dates of birth
This can help hackers try to prove they are you on password reset forms and with telephone customer support. There's not much you can do about this retroactively, but using fake birthdays on services that won't compare them to banking and government records is a wise thing to do in future.
- Email addresses, Phone numbers
Email addresses are the most frustrating thing to have exposed because of the massive security issues that come with them (if you use the same password for your email as for other things, attackers may be able to log in and even approve the "unusual login" verification emails themselves).
With emails, it is easy (but inconvenient) to fix: new email addresses can be created quickly and for free, and you can use email forwarding during the transition period to the new address.
With phone numbers, you may want to get a new number. Make sure to keep the old SIM card (for login verification using your old phone number) and update everyone in your contacts with your new one.
- Geographic locations, Physical addresses
If you are an individual who doesn't want to be found by someone in particular (witness/victim of a crime, for example) and this gets leaked, you should relocate. The information is available to anyone determined enough.
- IP addresses
Your public IP address is your house's unique internet address. A hacker can use this to try to reach devices on your home network that are exposed to the internet, like CCTV or smart devices (creepy!). If it is leaked, make sure that your home router (i.e. the magic WiFi box!) has received the latest security updates. The process is quite technical, so find the most technical person in your family and show them this link: https://www.hellotech.com/guide/for/how-to-update-router-firmware
- Passwords
Most passwords these days are leaked as hashes, so hackers can't immediately use them to access your account or see your password.
Even so, hackers can use these hashes to guess your password: depending on many factors, they can check billions of guesses per second.
For context, the largest list of passwords on the dark web contains 8.4 billion entries, so unless your password is unique to that account AND randomly generated AND longer than 14 characters, you can consider it leaked. Time to change every account that used the same password to a new one!
To check if your password has been leaked and decoded, check it here: https://haveibeenpwned.com/Passwords
If it hasn't been leaked and decoded, enter it here to find out how long it would take a computer to decode it if it were leaked: https://www.security.org/how-secure-is-my-password/
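The Pwned Passwords check linked above never sends your full password (or even its full hash) to the service: the client hashes the password with SHA-1, sends only the first 5 hex characters to the `/range/{prefix}` endpoint, and compares the returned `SUFFIX:COUNT` lines locally. The script below is an added example, not code from haveibeenpwned.com; it simulates that server-side index in memory from a constructed list of "leaked" passwords so it runs offline, and the password list and counts are made up for the example.

```python
import hashlib
from collections import Counter

# Constructed sample "breach corpus": passwords and how often they appeared.
# These are invented for the example and are not real breach data.
CONSTRUCTED_LEAKED = Counter({
    "hunter2": 25,
    "password123": 1200,
    "letmein": 310,
    "qwerty": 5000,
})


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: Counter) -> dict:
    """Simulated server side: bucket every leaked hash by its first 5 hex chars.
    Each bucket holds 'SUFFIX:COUNT' lines, like a real range reply body."""
    index: dict = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


def range_lookup(prefix: str, index: dict) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-character prefix ever reaches the server."""
    assert len(prefix) == 5, "k-anonymity: send exactly 5 hex chars"
    return "\n".join(index.get(prefix, []))


def pwned_count(password: str, index: dict) -> int:
    """Client side: hash locally, query by prefix, match the 35-char suffix
    locally. Returns how many times the password was seen, 0 if never."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix, index).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


INDEX = build_range_index(CONSTRUCTED_LEAKED)

if __name__ == "__main__":
    for pw in ["hunter2", "correct horse battery staple"]:
        seen = pwned_count(pw, INDEX)
        verdict = f"seen {seen} times, change it" if seen else "not in this corpus"
        print(f"{pw!r}: {verdict}")
```

Against the real service you would replace `range_lookup` with an HTTPS GET to the endpoint named in its docstring; the hashing and suffix comparison stay exactly as written, which is why the check is safe to run on a password you are still using.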
- Social media profiles
If this is leaked, hackers can log into other websites where you used that account to sign in (i.e. accounts that you registered using Sign Up With Facebook/Google etc.).
How to proactively prevent leaking important data
Websites will be hacked. It is hard to protect a website from all possible attacks, and there are thousands of websites that hold our sensitive data, so we should expect some of them to be hacked.
The best protection we can have therefore is to ensure that any data we have on a hacked website cannot be used to hack us on other websites.
The way to do this, from highest priority to lowest, is to:
Ensure that services holding the most important data use strong passwords not used elsewhere.
At minimum, update the following:
- Financial services (banks, electronic payment services (e.g. PayPal))
- Google (contains your entire location history, your address, your work address, your current location, plus much more)
- Facebook (payments, impersonation, identity fraud)
- Phone network service provider (incl. any account PINs), to keep two-factor authentication effective (i.e. when you get a text to confirm a login)
An example of a strong password is 4 random dictionary words.
You should check your password's strength at howsecureismypassword.net.
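What makes "4 random dictionary words" strong is the random choice from a large list, not the words themselves. The script below is an added example (not from the post or from any of the sites it links) that generates such a passphrase with the `secrets` module and puts numbers on the comparison: entropy in bits for several password styles, and how long exhausting that space would take at the "billions of guesses per second" rate the post mentions. The wordlist is a constructed eight-word sample standing in for a real 7776-word diceware-style list, whose size is passed to the entropy calculation separately.

```python
import math
import secrets

# Constructed mini wordlist for the generator demo. A real diceware-style
# list has 7776 words; entropy below is computed from the list size given.
SAMPLE_WORDS = ["river", "copper", "lantern", "orbit",
                "velvet", "magnet", "cactus", "pillow"]


def generate_passphrase(words, n_words: int = 4, sep: str = " ") -> str:
    """Pick n_words uniformly at random with a CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol`."""
    return symbols * math.log2(choices_per_symbol)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space; an attacker expects to succeed in half that."""
    return 2 ** bits / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy and exhaustive-search time for common password styles."""
    policies = {
        "8 lowercase letters": entropy_bits(26, 8),
        "8 random printable chars (95 symbols)": entropy_bits(95, 8),
        "4 words from a 7776-word list": entropy_bits(7776, 4),
        "6 words from a 7776-word list": entropy_bits(7776, 6),
        "20 random printable chars (password manager)": entropy_bits(95, 20),
    }
    return {name: (bits, seconds_to_exhaust(bits, guesses_per_second))
            for name, bits in policies.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    for name, (bits, secs) in compare().items():
        print(f"{name:46s} {bits:6.1f} bits  {secs / 86400 / 365:14.2e} years")
```

Two things worth reading off the output: at ten billion guesses per second (a realistic rate against a fast unsalted hash), four words from a 7776-word list are exhausted in days, while six words take millennia, so add a word or two when the password guards something important; and a 20-character random string from a password manager is far beyond either, which is why the post's next step is to let the manager generate passwords for you.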
Use a password manager to store and change all passwords to randomly generated passwords. This will help keep logging into things a straightforward process, and remember all your weird random passwords for you.
My personal recommendation is Bitwarden (free); Bitwarden Premium (pretty cheap) also tells you when a password has been leaked. https://bitwarden.com
Dashlane is probably the best money-no-object option, but is very expensive. https://www.dashlane.com