What to Do When You Discover Your Password Was Stolen

The internet was born with openness and speed at its core, not security. This means there is a level playing field for hackers as more and more services, infrastructure, and personal information is published online. All that data becomes a target for opportunistic people who are constantly scanning the internet for easy access – and will enter as soon as they find one.

The result is what is seen constantly in headlines on news outlets and security blogs: security breach reports on an almost daily basis. Troy Hunt, a Microsoft Regional Director and the founder of the Have I Been Pwned (HIBP) website, has a record of more than half a billion exposed passwords and five billion hacked accounts.

HIBP provides a simple user interface through which you can discover whether your account is among the breaches that he has tracked down. We tested it, in fact, and it showed that the details of one of our personal accounts have been accessed as part of one of the biggest data breaches.

So, what’s the best thing to do if you find out that your email account (or other account) password has been stolen? Below is some practical advice to help you get your digital life back, but first let’s have a look at the signs that you’ve been hacked:

• Friends, family, business partners, and others are receiving emails that you didn’t send.
• The sent folder is empty or contains messages that you didn’t send.
• You notice unusual activity on your social media accounts, for example posts you didn’t make or friends being tagged and urged to view and share a post.
• You can’t access your email or social media accounts.
• You received a text message from your carrier or online account stating that your password has been reset.

What’s next?

1. The first thing we recommend is to perform a system-wide scan using antivirus software and delete any malware. Also, make sure that whichever OS you are using is up to date.
2. If you are still able to log into your email account, then change the password immediately using a long, unique, and cryptographically secure password. It’s wise to sign up for a free account with a password manager such as Dashlane or 1Password to do the heavy lifting on this for you.
3. Leaving security questions blank or answering truthfully will expose you to cyber criminals that are better at data collection than yourself, so it’s always safer to use a lie – so long as you remember what that lie is when needed.
4. If you can’t access your email or social media account, then contact the service provider and ask them to restore your account. The process may take a while and you’ll likely be required to fill out some forms, but it is worth it.
5. Activate two-factor authentication if you haven’t already done so. If possible, avoid messages sent via SMS because they are still vulnerable to hacking, but if SMS or phone calls are the only available options then they are still better than only using a password.
6. Use a password manager such as Dashlane, 1Password, or LastPass to store all your passwords. These services come with a handful of benefits:
   • They store all your passwords with encryption so no one can access them except you.
   • The passwords are available across all your devices with a single click.
   • Password managers notify users if they need to change their passwords because of a security breach or because they are not strong, secure passwords.
   • They allow you to forget about memorizing passwords because the password generator creates unique and cryptographically secure passwords for every account that you create online.