News of data breaches is all too common. This company apologizes for six million accounts breached. That company acknowledges hackers accessed 35,000 users’ personally identifiable information. But the question that probably matters most: Is your data breached, too?
The company should contact you if your information is in a data leak, but you can’t rely on that. You can also find out if your phone number or email address has been leaked by visiting https://haveibeenpwned.com/.
HaveIBeenPwned has uploaded various breaches and consolidated the information to make searching easy. Enter your email address and get a list of breaches that compromised that email. You’ll get a summary paragraph as well as a description of the data compromised in each breach.
It is not uplifting reading!
Next, the question is what to do about your breached information.
Steps to Better Security
First, change your passwords for those breached accounts. If you use that same password to access other accounts, change those passwords, as well, even if they are not listed as leaked.
Always avoid reusing passwords. Yes, it can be a hassle to remember many different access credentials, but you risk exposing many accounts if you keep reusing one email address and password combo over and over again.
Make using unique passwords for all accounts easier by using a password manager. A manager can store your many passwords in one place and generate strong ones to use. You can often download an app to your mobile device, which gives you the convenience of filling in your credentials when you’re on the go, too.
The next step is to use two-factor authentication (2FA).
Understanding 2FA
2FA adds a layer of difficulty for hackers trying to access your accounts. Even if they had your username and password, they would need a second way to verify your identity.
Using 2FA requires you to provide, in addition to your password, one of the following before you can gain access:
- something you know (e.g. the answer to a secret question);
- something you have (e.g. your smartphone);
- something you are (e.g. your fingerprint).
A bad actor would need to have not only your leaked credentials but also your other “something.”
A common approach to 2FA is an SMS text message or voice-based authentication. You enter your credentials, then the site follows up with a text or phone call providing a separate code you must then enter. This is not the best method, however. Scammers can hijack the SIM card (and so the phone number) associated with your device, and then use your number to make and receive calls and texts, including the verification codes meant for you.
Software tokens for 2FA are a safer solution. You’ll download and install an application on your phone (e.g. Authy or Okta Verify). It can generate a unique verification code that is valid only for 30–60 seconds.
Want to learn more about password management and soft-token 2FA? We’re here to help.