Maybe you opened an email that, upon reflection, seems suspicious. Maybe you used someone else’s device, such as a friend or colleague’s mobile phone, to log into your bank website or email provider. Or maybe you haven’t done anything out of the ordinary. But one day, you go to access your bank’s website or email provider — or, worse, your work email or employee portal — only to be prompted with an “Incorrect User ID and/or Password” message. Does this mean you have been hacked? Or did you simply mistype your password or forget the correct user ID for this site?
It’s becoming harder and harder to know whether your credentials have been compromised until it’s too late. Even if you use a password manager such as LastPass or 1Password and still can’t authenticate, you still can’t conclude for certain that you’ve been hacked (but it sure is a good indicator that something suspicious is going on with your credentials). But then more evidence starts to pile up. Perhaps you start getting lots of unsolicited phone calls for services you’ve never heard of. Maybe there’s a sudden uptake in spam emails from services, or even an email informing you of a new service you signed up for. Finally, you conclude that your credentials, and very possibly your identity, have been stolen.
You’re not alone. Multiple sources, from the Verizon 2017 Data Breach Investigations Report to Shape Security’s 2017 Credential Spill Report, report that some 1.1 billion to 3.3 billion credentials were stolen, leaked, or otherwise compromised in 2016 alone!
But what do you do now? Experts recommend that you take the following steps:
Change your passwords
If you still have access to your account but are seeing any of the suspicious behavior mentioned above, change your passwords immediately. If you no longer have access to the account in question, you can attempt to use the password reset functionality of the affected services. But remember that password reset functions often rely on sending you an email with reset instructions; if your email is compromised, this may well expose more services to the attacker.
Also make sure that you are using strong, distinct passwords for each service and site you sign up for. Reusing the same password for multiple sites make an attacker’s life much easier! Here are some good guidelines on how to create, maintain, and use strong passwords.
In the case of your work credentials, reach out to your managers, IT support, and information security team (if your organization has one). If your credentials have been compromised, they need to know immediately! If you’re worried about getting in trouble or reprimanded for this, don’t be. Trust me, your IT and information security teams would much rather hear the news from you than find out through their tools — or because of an incident using your credentials. Moreover, if your personal accounts are compromised, think about whether you used the same or similar passwords for work resources; if so, consider reporting the personal identity theft at work so IT can be on the lookout for attempts to misuse your accounts. And even if you used completely different passwords at work, change them anyway!
Use Multi-Factor Authentication
More and more services are offering, at a minimum, two-factor authentication. Make this a requirement for signing up for new sites and services — if a service doesn’t offer the option of at least two-factor authentication, they don’t treat your information security with the respect it deserves! Optimally, the services you are using would be using some form of multi-factor authentication (such as, oh, I don’t know, SecureAuth), and allow you to sleep much more comfortably at night about your personal information stored in their systems. If a critical service that you use doesn’t support any of the above, demand it! If the company refuses to implement multi-factor or two-factor authentication, start using a product like LastPass or Password1 that allows you to place two-factor authentication in front of your stored passwords in their system.
If the organization you work for does not have multi-factor authentication on critical systems, bring it up with your IT team. Your company’s valuable information is at risk. While we can assume you, who are reading this, have now done a better job of securing your passwords and credentials, what about your colleagues?
Review your credit report
If you have reason to believe that your identity (full name, address, date of birth, Social Security number, etc.) may have been compromised, pull a credit report — it will show any new financial accounts opened in your name and any inquiries performed against your credit recently. There are a number of ways to get your credit report, but AnnualCreditReport.com is sponsored by all three credit bureaus (Equifax, Experian, and TransUnion) and is in verified by the Consumer Financial Protection Bureau. You are entitled to only one free credit report per year, so if you have already requested a credit report for 2017, you will need to go to a new credit bureau or use a service to pay for a new report.
The information you find in the credit report will help you define your next steps. If you see new accounts or inquiries that you did not request, you need to take action immediately. And even if you don’t see any of these indications in your credit report, you should sign up for a credit monitoring service to watch for anything unusual. Keep in mind that even if your identity has been compromised, the thief may not attempt to leverage it right away. They could be auctioning it off to the highest bidder, or maybe it is part of a large hack and they have yet to get to misusing your identity.
Consider freezing your credit
If you do see new accounts and new inquiries you did not authorize against your credit report, it is in your best interest to freeze your credit. This is a rather drastic step that can have a large impact — you’ll have to take extra steps if you need to get a loan for a new car, buy a house, or open a new credit or bank account, for example — but it will save you headaches down the road as you deal with reclaiming your identity. A credit freeze does not affect your credit score.
To request a credit freeze, contact the three credit bureaus (Equifax, Experian, and TransUnion) directly to request a freeze. Note that no matter how much you may trust the source you are reading this blog post from, it is always best practice to go to these websites by typing in their URL in your browser, instead of taking the easy route of clicking on links.
- Equifax: https://www.experian.com/freeze/center.html
- Experian: https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
- TransUnion: https://www.transunion.com/credit-freeze/place-credit-freeze
Report the theft at IdentityTheft.gov
As I mentioned earlier, you’re not alone in the world of stolen credentials and identity theft. In fact, the federal government has set up a site — identitytheft.gov — specifically to help victims of identity theft. They give you a step-by-step process to follow and an affidavit to fill out to swear that someone has stolen your identity. This is an important step if someone has opened credit accounts in your name; the police will want to see this affidavit to help you!
File a police report
Contact your local police department’s non-emergency number and tell them the details of the situation. You will likely have to present the affidavit from the preceding step in person, and tell the officers everything you know about the incident. This police report is extremely important for getting accounts that you did not sign up for removed from your credit and removing your financial responsibility for those accounts.
Contact any creditors for unauthorized accounts
If new credit accounts were opened under your identity, contact the creditors and provide them with a copy of the police report. They will not budge on removing the credit account unless provided with proof of identity theft in the form of a police report. Typically, once the creditor has the police report, they will remove the account from your credit. If they do not, you may have to get the local police involved.
Sign up for a credit monitoring service
Your identity is now out in the wild. Nothing about you is now private. Just because you shut down one attacker doesn’t mean that others may not have your information as well. I highly suggest that you sign up for a credit monitoring service. There are a number of free services, such as Credit Sesame and Credit Karma, that provide this service, and your bank or credit card company may provide it as well, so there is really no good objection to signing up. If your identity was stolen as part of a large breach, the company that was breached may also offer you free credit monitoring for a year or more.
Wouldn't it be nice to not have to worry about passwords at all? Learn how SecureAuth is making passwordless possible today!