It's the social media sites that do you in. A Close Friend—capital C, capital F—posts a link to a video that piques your interest. Click. Suddenly you're asked to sign back into Facebook. What happens next? You give some hacker or spambot your password, and your whole digital life is at risk.
We're making a push to make February 1st Change Your Password Day. And if these real-life tales of password sadness don't convince you to join in, nothing will:
The Web Producer Who Clicked on the Wrong Link
Bill* is not sure how his AIM and Twitter account were hacked. As a web producer based out of New York, he deals with a large number of links and emails. He probably just clicked on something he shouldn't have.
The hacks happened at different times. Both times he realized something was wrong when his accounts sent messages he didn't write. And while Twitter hacks are deeply annoying, an AIM hack is a phisher's dream. We trust links we get from friends via AIM messages, sometimes to a fault. If Bill's account sends dubious links to his contacts, the chances are high that someone else clicks on something they shouldn't. In this case, his friends would receive friendly messages from his account ("Hi!") then start sending links to porn. If someone was unlucky enough to click one of those links, browser windows suddenly popped up with naughty bits taking over their screen. Not exactly what you want happening when you're at work.
Fortunately, it was an easy fix: "I do have sort of a generic password I use a lot, but in both of those cases, it wasn't that one." If it had been Bill's go-to password, he would've spent hours or days tracking down and changing the log-ins for dozens of accounts.
The Executive Who Had to Torch Her Hotmail Account
Julia* wasn't quite so lucky; she subscribed to the one-password-for-everything school that so many of us do. Julia, who's been part of a few media companies in top positions, knows it's dumb. She's also aware just how lucky she is that she didn't have every single account hacked when her Hotmail account was compromised last year.
After receiving text and Twitter messages from friends that her email account had been hacked, Julia logged into Hotmail to change her password. But her account wasn't just sending out the usual Viagra and porn links. Nope, the contents of the email was actual porn. Her 100 contacts had received a video of hardcore porn with the subject line, "hey, check this out." According to Julia, that is the subject line for a lot of the emails she sends. Unfortunately, by the time she had wrangled her account back from the hackers, her entire contact list had been deleted. Presumably whisked away to the land of porn.
The frightening part was that Julia was using the same password for all of her accounts. Everything had the same password as her hacked Hotmail account. And instead of changing her password on these accounts, she shut down the Hotmail account and moved to Gmail. To make matters worse, she confessed that her passwords are still pretty lame, low-security affairs.
The Writer Who Was Not Actually Mugged in London
"I had friends calling me just to make sure I was ok." After losing her phone during a bike ride, Susan* a writer/producer based in Brooklyn noticed some odd behavior on her Facebook page the next day.
"I was on my laptop doing my thing the night before. Went to bed. Got up the next morning and it had started 3 Facebook chats with 3 different people. Realistic enough conversations that people I never chat with were engaging with the chat."
The hacker was posting status updates and messages on Facebook that she had been mugged in London and needed money to get home. Of course, she was never mugged. Or in London. Hackers were using her account to play on the sympathies of her friends and try to extort money from them. The odd thing was that the hacker was asking for the exact amount of money the Susan paid in rent. She still has no idea where they got that information.
She's not sure if the phone gave up her secrets or if she was phished. Like the others she logged in and changed her password when she realized what was happening. She contacted Facebook and the FBI cyber unit. (The FBI actually wants you to contact them when you're hacked! It helps them adjust their tactics to the ever changing world of phishing and hacking.)
At some point, we've all been, or will be the victim of password hacking. It could something as simple as a link on a social network or an email sent by a friend. Or something as complex as your account with a company being hacked and shared on Pastebin. Updating your password with something that's difficult to decipher not only protects you, it protects others. All a hacker needs is an email account and a person's hometown or mother's maiden name to breaking into a bank account. That information is readily available on Facebook.
Secure your accounts with different passwords and make sure they're difficult to guess. In fact, make them impossible to guess. And don't forget your phone. Increasingly, more and more information is being stored on our phones. Not just your information, but the personal details of our friends and family. We're walking around with everything a hacker needs to steal the identity of our friends and we've become blasé about protecting it. Come next week—or better yet now—let's smarten up.
*Names changed to protect identities.