As many of my email correspondents are aware, my personal Gmail account was recently hacked. I still have no idea how this happened. I am not in the habit of clicking on email attachments or browsing strange websites, and I use an extremely strong, long and hard-to-crack password. Yet despite practicing an almost paranoid level of online personal security, my account was still hacked.
I felt sick to my stomach when I realized what had happened: My Gmail account had been used to send out a poisoned link email, not to just everyone in my contact list, but to everyone I had ever emailed (since Gmail remembers and keeps a list of these contacts, also). The hacker was smart enough to send in batches, so as not to trigger recipients’ spam filters, and also smart enough to send a link, rather than an attachment, to avoid antivirus detection.
Because I blog from my Gmail account, the poisoned link was also posted to my blog. And because my blog auto-posts to my Twitter and LinkedIn accounts, status updates containing a link to the poisoned blog post were distributed to my social network contacts. It was a nightmare.
Luckily, I was made aware almost immediately. Unluckily, I was sitting in a taxi at the time, heading toward a four-hour train ride, followed by a two-hour car ride, and panicking that I couldn’t do much about it. Back to the luck side—the train had Internet access, so as soon as I settled in, I set out to minimize the damage and maximize the apologies. I think I did a pretty good job at both, but the embarrassment continues and my security paranoia has increased dramatically.
I’ve spent a lot of time thinking about how my account got hacked but haven’t come up with any answers. The bottom line is this: You can’t let your guard down online, no matter what. I was lucky my account wasn’t taken over completely—I could still log into it, change my password and ensure that none of my settings were changed. Other people haven’t been so lucky. But the stress level of being hacked was so high that I feel like a year was taken off my life.
I’ve changed a few of my habits since that day and have considerably beefed up my approach to password safety. In addition to basic password safety—sufficiently secure passwords, not shared with others or written down and stored in obvious places—here are some additional steps you can take to increase your online safety, too.
- Don’t log in to any non-secure online accounts from public Internet hotspots, unless you really aren’t at all concerned about your security.
- Don’t stay logged in to your web-based email while browsing the Internet, especially if using an unknown Internet connection.
- Never put your password in an email.
- Create secure challenge questions—your mother’s birth name or your pet’s name or similar are never sufficiently secure challenge questions and answers.
- Ensure your password recovery email address is current.
- Don’t use the same password for multiple accounts. If one account password becomes known, all your online accounts will be vulnerable.
- Check sent email for unusual activity.
- Periodically change the password for your most sensitive accounts.
- Never, ever use your network logon password outside the office network.
- If you use Gmail, use their two-step authentication process.
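A small defender-side check for the “check sent email for unusual activity” habit above, added here as an illustration and not taken from the original post: it scans constructed sent-mail records for one link going to many distinct recipients inside a short window (the batched blast the post describes) and counts how many of those recipients were outside the address book. The one-hour window, the five-recipient threshold, the sample contacts and the sample messages are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s>\"']+")

# Constructed address book. The post notes Gmail also remembers everyone you
# ever mailed, so recipients outside this set are a useful extra signal.
CONTACTS = frozenset({"ann@example.com", "bob@example.com", "cat@example.com"})

# Constructed "sent mail" records: (sent_at, recipient, body). Six copies of
# one link go out within 40 minutes, mimicking the batched blast described.
SENT = [
    (datetime(2020, 9, 12, 9, 0), "ann@example.com", "Lunch? http://intranet.example/menu"),
    (datetime(2020, 9, 12, 10, 0), "ann@example.com", "look at this http://bad.example/x"),
    (datetime(2020, 9, 12, 10, 5), "bob@example.com", "look at this http://bad.example/x"),
    (datetime(2020, 9, 12, 10, 12), "cat@example.com", "look at this http://bad.example/x"),
    (datetime(2020, 9, 12, 10, 20), "dan@example.org", "look at this http://bad.example/x"),
    (datetime(2020, 9, 12, 10, 31), "eve@example.org", "look at this http://bad.example/x"),
    (datetime(2020, 9, 12, 10, 40), "fay@example.org", "look at this http://bad.example/x"),
    (datetime(2020, 9, 12, 15, 0), "bob@example.com", "Draft attached, no link here."),
]

def find_link_bursts(sent, contacts, window=timedelta(hours=1), min_recipients=5):
    """Return one alert per URL that reached at least `min_recipients`
    distinct addresses inside any `window`-long span of sent mail."""
    by_url = defaultdict(list)
    for sent_at, rcpt, body in sent:
        for url in URL_RE.findall(body):
            by_url[url].append((sent_at, rcpt))
    alerts = []
    for url, hits in by_url.items():
        hits.sort()  # oldest first, so each start opens a forward-looking window
        for i, (start, _) in enumerate(hits):
            in_window = {r for t, r in hits[i:] if t - start <= window}
            if len(in_window) >= min_recipients:
                alerts.append({
                    "url": url,
                    "first_seen": start,
                    "recipients": len(in_window),
                    "outside_contacts": len(in_window - contacts),
                })
                break  # one alert per URL is enough
    return alerts

if __name__ == "__main__":
    for a in find_link_bursts(SENT, CONTACTS):
        print(f"{a['url']}: {a['recipients']} recipients within an hour, "
              f"{a['outside_contacts']} not in contacts (first sent {a['first_seen']:%H:%M})")
```

A real run would feed this from an export of the Sent folder; the check is cheap enough to run daily and flags a mass-mailing before recipients start reporting it.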
Because you can never have too much information or too many warnings, below are links to two stories that will stop you and make you think (and then make you update and strengthen your passwords). The first shows how easy it was for the Hollywood Hacker to take over celebrity email accounts. The second is a sobering account by journalist James Fallows about the hacking of his wife’s Gmail account, and the fallout.
And for a bit of fun and a lot more security, let Wolfram Alpha generate some random passwords for you (but first change the default 8 characters to 10 for extra security).
Vivian Manning is the IT Manager at Barriston Law LLP in Barrie, Bracebridge and Cookstown, Ontario. Prior to moving into IT, Vivian practiced law at Barriston LLP (formerly Burgar Rowe PC) primarily in the area of Municipal Land Development, with a total of 17 years in private practice before switching to the IT side of the law office. She currently indulges her love of teaching tech through her blog Small City Law Firm Tech, where she provides “tips of the day.”