What to do when your account might have been compromised

There are so many breaches of personal data now that many users just seem to let it all wash over them.

When the Ashley Madison online dating service was breached in early July 2015, it had around 37 million members. Even though the hackers published details of emails, names, home addresses, sexual fantasies, and credit cards for all its users by the end of August 2015, just a year later the service had grown to 48 million users.

This article presumes that, unlike those whose craving for extramarital sex is greater than their good sense, you want to protect yourself as much as possible, and limit the damage caused by the breach.

Passwords

Before you change your password for that service, which is your most urgent action, make a careful note of your old password. This is so that you can check that the same email address is not associated with that compromised password anywhere else.

As soon as you know that a service which you use has suffered the loss or theft of user data, change your password for that service, and remove any of your personal information which might be damaging, such as your payment card or bank account information. Do not wait to be informed by the operator that your account was compromised: do this as quickly as you can (keeping a record of your old password).

keychainrep6

Don’t use a password which you use anywhere else, or which might be readily guessed. Macs provide a useful password development tool, which can be accessed through Keychain Access, in /Applications/Utilities. Use the menu command to create a new password, then click on the key tool to open the Password Assistant pane. There, work out a secure password which you can use for the website or service. When you’re done, cancel the new password command, then go and set that as your new password for the website or service.

Cards and bank

Then check that any payment card or bank accounts whose details have been stored on those servers have not been used for fraudulent charges or withdrawals. This should be simple with an online banking service. If there is any sign of suspicious activity, including small charges which might have been used to test the card out before trying a larger fraud, inform your card provider or bank immediately, no matter where you are and what time of the day it is.

Consider the service

Now you have completed the most important immediate actions, you have a little time to investigate further, to assess how this may have damaged you, and to decide your future with the website or service. You should by now have received official notification from the operator/provider as to what has happened, and how it affects your account. If you haven’t, contact their support service and ask them. If they are unable to provide clear answers, that is good evidence that you should not trust them, or that the breach is so huge that you should assume that your account has been compromised.

Don’t let them get away with excuses for delay: those only confirm that they do not take the security of your personal data seriously.

In almost every case, once an operator/provider has suffered a major data breach, you should remove yourself from their website or service. They will undoubtedly try to play the whole thing down, and may well obfuscate or even lie. Once they have shown themselves to be so incompetent, you really don’t want to do any further business with them; it will only cause you further problems in the future. In many cases, services which suffer one data breach either suffer another fairly soon afterwards, or the original severity of the breach is wildly underestimated.

Depending on the services which they provide you, it may take you time to arrange for substitutes. Email is a common example, where you will need to set up another mail service with a different provider, and change all your addresses, before closing down the old service. Be resolute: just because it is difficult, do not shy away from doing what you must do. Remember that cancelling payment cards and setting up new ones is no fun either, and that it can still leave you in debt at the end of it.

Cancel and expunge account

If and when you can, your best action following any breach in which your personal data might have been involved is to cancel that account and have all your personal details removed from the servers. In practice, this is usually impossible, even when you have arranged alternatives.

Consult the help information or FAQ on the site, to discover how to close your account and remove all your personal data from its servers. In many cases – Ashley Maddison charged $19 for this, but at the time of its breach had not removed accounts which had paid for removal – your personal data will remain on the servers and will be vulnerable to the next data breach. Keep careful records of what you do in case they are needed in future.

Whatever you do, do not provide any additional information or extend your risk when removing your data. Lynda.com’s insistence that you must link your data to LinkedIn is unwarranted, and in many jurisdictions illegal. Pester help services until they actually do what you want.

Cards and bank 2

If the service kept any financial information about you – card or bank account details – you must now inform your card provider or bank, even if you do not believe that information has been breached, and if there is no evidence of any fraudulent use of your card or bank account. Provide them with full details of your actions, with times and dates. This allows them to make the decision as to whether to cancel your card, or put a special fraud watch on it. If you do not inform them at this stage, they could claim that you did not discharge your duties to keep them fully informed of the risk.

You should also keep a careful watch on your card and bank accounts, and report any suspicious activity immediately.

In most jurisdictions, even if fraud has occurred, there is little point in reporting it to the police, including specialist ‘cybercrime’ units. If you feel happier doing so, fine, but do not expect to hear anything more.

Check your old password

You now need to consider any collateral risks which the breach might have caused. The most obvious here is that you might have another account on a different service with the same or a similar user name and the same password. This should of course never be the case, but unfortunately people often re-use passwords on multiple sites.

This would be much easier if you could search your keychain by password, but that would be a security nightmare in itself, so you cannot. This is when it really pays to have a written list of usernames and passwords which you use. If you do use the same password on any other system or service, you must change that to a secure password as quickly as you can. This ensures that anyone who does now have your username and password for the breached system cannot try to use those to gain access to other accounts of yours.

Check your keychains

It is much easier to review all entries in your keychain(s) to see if any are linked to the compromised site. Assuming that you have now closed that account, delete all existing login details for related entries in all your keychains. This will ensure that, should you visit anywhere connected with the compromised and closed account, you cannot inadvertently re-connect to it.

Complaints and compensation

By all means inform the data protection authority in your jurisdiction of the security breach, but do not expect them to do anything. Even when a service has a local office, which should bring them under your national law for data protection, many breaches by international operators are only investigated in their home market.

If you consider that you have suffered financially, you might consider joining in legal action for compensation. This becomes very complex and expensive for international services, and even when there is no doubt that the breach occurred because of negligence on the part of the operator or provider, the sad fact is that legal moves to obtain compensation are usually unsuccessful. You will need the advice of a good and honest lawyer.

Monitor

A few days or weeks after you have closed your old account and asked for it to be trashed, try to access that website or service in the normal way, entering your old username and the last password (the one to which you changed it before closing your account). Don’t let these be saved in your keychain, though.

If you can still access your account, raise this with its support services. Try to do so in a public place, such as on Twitter, so that it embarrasses them into action.

If you know people who still have access to the service, and it provided any form of linking or befriending, ask them to try to connect to your old account. If they can still see it, then you know that the service has failed to remove your data. Tackle them over this in a public place such as Twitter. If they still don’t address this, make a formal complaint about it to your national body which is responsible for data protection, using the details which you have kept from the above steps.

I wish you success, security, and privacy.