I logged in to the computer this morning to start my work day as usual and as I checked my spam email folder, I saw the strangest thing. I had an email from a random @outlook.com address with one of my actual passwords in the subject line. “What the heck is going on here”, I thought. I’ve had multiple clients ask me about similar emails in the past year, but how could it happen to me?

The basic concept is this: a malicious person gets access to a ton of people’s data through whatever means and they scare you by showing you that they have your username and password already, making you feel like they can get it again any time they want, even if you change it. Now, it’s possible that you have a trojan or something on your machine, but it’s more likely that you’re just part of millions and millions of people that have had their data stolen over the years. This one in particular is filled with lots of foreign characters and threatens to send a bunch of pornography to all of my contacts if I don’t send them over $1,000 in Bitcoin immediately! How humiliating.

Data breaches are real and it’s not that hard to brute force passwords once the hackers have access to your data, even if it’s been encrypted. In some instances, using rainbow tables, they’ll crack it pretty much instantly. The password listed in the email was weak, and old. It also had a username of ‘sean’ listed, which I likely haven’t used in 20 years. So long ago that I didn’t immediately realize that they had my username too. The danger here is that once they have my password from one account, they can start trying it with other accounts using either that old username, or the associated email address, which I still use.

Lucky for me, I currently use a password manager that allows me to see exactly where I’ve been using that particular password. This password is weak on purpose, as the only accounts it’s used with are non-work related – things like Hulu, Spotify, Pandora, etc. to make it simpler to remember and add to different devices… or just because I was lazy at that time and accounts like MapMyRide didn’t really matter that much to me. The password manager lets me know that I’ve used it on 16 different sites. Bad Sean, bad!

Since the malicious email was sent to a particular email address of mine, it only lines up with a single account (or maybe my old MySpace account?), but I really think it’s time to retire the password anyway. It’s good practice to not only use strong passwords, but to rotate them from time to time to increase security. That’s where a good password manager comes in handy. It allows you to not only store your passwords, but to use unique, strong passwords on every site you visit, thus ensuring that if one site is hacked, the malicious person doesn’t have your information for any other site. This does introduce a single point of failure with the master password for your manager, so make sure it’s STRONG and rotate it regularly.
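The two things a manager does for you in this story, showing every site where a leaked password was used and flagging the reused or weak ones to rotate first, can be reproduced offline against a CSV export. The script below is an added example, not code from the original post or from any particular password manager; the column names and the sample rows are constructed, so adjust them to your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export (not a real export);
# the column names are an assumption, adjust them to your manager's format.
SAMPLE_EXPORT = """name,url,username,password
Hulu,https://www.hulu.com,sean,sunshine1
Spotify,https://www.spotify.com,sean@example.com,sunshine1
Pandora,https://www.pandora.com,sean,sunshine1
MapMyRide,https://www.mapmyride.com,sean,sunshine1
Bank,https://bank.example,sean@example.com,Xq7!vR2#pL9mZ4tW
Work VPN,https://vpn.example,sean,Uv3%kD8&nQ1sY6hB
"""


def audit_export(csv_text, min_length=12):
    """Group the export's accounts by password and flag reuse and weakness.

    Returns {password: {"sites": [...], "reused": bool, "weak": bool}}.
    "Weak" here is a simple length rule; a fuller audit would also compare
    each password against a known-breached list.
    """
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_password[row["password"]].append(row["name"])
    return {
        pw: {"sites": sites, "reused": len(sites) > 1, "weak": len(pw) < min_length}
        for pw, sites in by_password.items()
    }


def sites_to_reset(csv_text, leaked_password):
    """Every site whose stored password equals the one quoted in a scam email.

    This is the question the post asks the manager: where have I used it?
    """
    report = audit_export(csv_text)
    return sorted(report.get(leaked_password, {"sites": []})["sites"])


def problem_passwords(csv_text):
    """Passwords that are reused or weak, i.e. the ones to rotate first."""
    report = audit_export(csv_text)
    return sorted(pw for pw, info in report.items() if info["reused"] or info["weak"])


if __name__ == "__main__":
    for site in sites_to_reset(SAMPLE_EXPORT, "sunshine1"):
        print("reset:", site)
```

Run it locally against the export and delete the export file afterwards, since it holds every password in clear text.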

So after a few clicks, a few password reset emails and a little coffee, I’ve now reset all of my weak passwords to be strong and unique. The downside – now I need to update Hulu on all my devices 😉