What to do if someone is trying to break into your online accounts
I’ve woken up the last two mornings to this in my inbox.
Someone has gone to LinkedIn and entered my email address. Since they couldn’t guess my password, they clicked “use a sign-in link.”
Which means they were likely trying to break into my email as well.
This happens to me on one service or another every six months or so — particularly, my social media accounts.
So if you’re under online attack, what do you do?
Firm up the fundamentals
Hopefully you’ve already done the fundamentals of good online security. If you haven’t, take the time and fix it this weekend.
- Use a password manager. There are many great ones like 1Password or LastPass. Your phone OS likely has this built in as well, but I prefer an independent service that goes across all devices. DM me if you want to know which one I prefer.
- Use different passwords for each service. A good password manager allows you to have different passwords for each individual service you use — this is absolutely critical to thwarting an online attack. If hackers somehow brute force one password, don’t give them the skeleton key to unlock everything else — make it stop there.
- Use the strongest passwords you can. For me, this means my default is a 25-character randomized password with capital letters, lowercase letters, numbers and a symbol or two. The password manager generates them and they look like this: RDZ94ag3#QVjTY4NPJLUo
- Use real 2FA on every service that allows it. Two factor authentication means that you need a password and a rotating code to log into your account. Good password managers can manage this as well — you scan a QR code on your computer screen and now you have a six digit code that changes every 30 seconds that adds another layer of security.
If you’re not doing these things and you’re the target of hackers, unfortunately, you don’t have much of a shot.
Harden the defenses
When I got the first message that someone was trying to get into LinkedIn, I followed their advice and changed that password. But this morning when I saw the second attempt, I realized that wasn’t enough. If this is a really determined hacker, I need to harden my defenses for how they get around the LinkedIn password obstacle.
I’ve done the fundamentals and these services are very secure, but this is about taking an extra ten minutes to avoid massive inconvenience.
- Change the password on your email. I hadn’t changed this password since 2020. It’s a very secure password, but it’s not that hard to rotate it. It took me about 5 minutes to do that and then sign in again on my devices.
- Change the password on your cell phone account. Many people use a code texted to their mobile phone as their 2FA. This means hackers target breaking into your mobile phone account, porting your phone number to a burner phone, stealing your 2FA code and breaking into your account.
- Change the password on your mobile cloud account. Hackers may assume your Apple ID or Google account are your email. If they aren’t and you didn’t change this password in step one, it’s probably worth cycling this one too just to be safe.
It’s a brave new world
Online security is at once simple and really hard.
Hard because our devices and services are plugged into a worldwide network allowing the convenience of access from anywhere, and well-resourced nation states like North Korea have turned hacking into a major source of income — some sources say 8% of their GDP is online theft.
Simple because there are a few fundamental things you can do to make yourself a difficult target, and get the hackers to move on to people who don’t take good precautions.
Stay safe.
