
So what should you do?

posted Dec 14, 2018, 12:31 PM by Leigh Williams   [ updated Dec 14, 2018, 12:46 PM ]

1.) If you're technical, plug in a bootable flash drive with a clean Linux install that you have stashed away in your "just in case I need this" drawer (Linux because it's quick and easy) and change that password, ASAP. Why a clean bootable USB? Because you don't know where they got your password from. Was it a keylogger, spyware, a trojan, another site that got hacked, did you perhaps reuse that password, etc.? You can't take risks. If you're not technical, use a device with antivirus, run a scan, and make sure it's clean (yes, your AV might be compromised, yes you might have a rootkit, but this might be your best option).

Go to accounts.google.com to change your password.


2.) Do you have any accounts, apps, etc. linked to that Gmail account? Do you have any devices that are "trusted" that the hacker might have gotten remote access to? Go to accounts.google.com and review any trusted applications and devices, and revoke access where needed. Best is to revoke all access, because it's probably from like 5 years ago in any case.

Also, review the currently signed in devices and revoke access if those devices are unfamiliar.


3.) Do you use that Gmail password anywhere else? If you do, shame on you; you should never ever reuse a password.


4.) Any banking or investment accounts with no 2FA, or with variations of your Google password? Change them and enable 2FA. If they don't offer 2FA, shame on them.


5.) Go to all your social media accounts (Twitter, Facebook, LinkedIn, Instagram, etc.), PayPal, eBay, Azure, Outlook.com etc., and enable 2FA. They all support 2FA. And change your password on all these sites (yes, it is tedious, but it must be done). Why should you change passwords here? Well, you don't know what else the bad guys managed to get access to. Also, you might have forgotten to enable 2FA on some of these sites, or the option might not have been available when you signed up 10 years ago.


6.) If these sites present you with 2FA over SMS or an Authentication App, don't choose SMS. 2FA over SMS is dead and should be considered insecure. Choose the App option. If they only have the SMS option, well, it's better than nothing.


7.) Make sure you have proper password recovery options set up on all these accounts. Why? Well, you just changed 10+ passwords. If you don't use a password manager (like Google Chrome's built-in one, Keeper or LastPass) you will probably forget those passwords. Don't write them down. For all you know, your cat might be able to read and she's the one doing all this because of world domination and all that.


8.) Be vigilant. Keep an eye on your credit cards, and keep an eye out for any account alert emails or sudden 2FA SMS messages or popups you didn't trigger.


9.) Go to https://haveibeenpwned.com/ and check if your email address appeared in any breaches. If it did, follow the steps above for those websites.
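The same service also lets you check whether a password itself has shown up in a breach (which is how step 3's "do you reuse that password" question gets a hard answer) without ever sending the password: the client SHA-1 hashes it and sends only the first five hex characters to the Pwned Passwords range endpoint, then matches the remaining 35 characters locally. Here is that lookup as an added Python example (not the author's code); the live fetch targets the real `api.pwnedpasswords.com/range/` endpoint, while the offline run uses a constructed in-memory stand-in whose leaked passwords and counts are made up.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, Tuple


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password (the hash the Pwned Passwords API is keyed on) and split
    it into the 5-char prefix that is sent out and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix: str) -> str:
    """Real lookup: GET https://api.pwnedpasswords.com/range/<prefix>.
    Not exercised by the offline run below; shown so the swap-in is obvious."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_fake_range_server(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the range endpoint: `breached` maps a made-up
    leaked password to a made-up count, and the returned callable answers a prefix
    query with 'SUFFIX:COUNT' lines, the same shape the real service returns."""
    buckets = defaultdict(list)
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        buckets[prefix].append(f"{suffix}:{count}")

    def fetch_range(prefix: str) -> str:
        return "\r\n".join(buckets.get(prefix.upper(), []))
    return fetch_range


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).
    Only the 5-char hash prefix leaves this function; matching happens locally."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    # Constructed breach data for the demo; counts are invented.
    fake_server = build_fake_range_server({"password": 3730471, "hunter2": 14})
    for pw in ("password", "hunter2", "a-long-unique-passphrase-nobody-leaked"):
        print(pw, "->", pwned_count(pw, fake_server))
```

To run it against the real corpus, pass `fetch_range_live` instead of the fake server; a non-zero count means that password is burned and should be changed everywhere it was used.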


10.) Relax. This can be stressful, especially this time of year, and if you followed these steps you did whatever you could. You did your best. But stay vigilant.
