What should I do after an account has been hacked?
I am by no means a security professional. Well.. technically I am, but, this isn’t advice. This is just written for entertainment purposes. Don’t sue me. Also, pictures of our Australian native bees to break up the wall of text.
I recently had a friend of mine get his discord account hacked, I helped guide him through what process he should take to resolve and more importantly prevent this in the future. I thought this would be a great topic to go through and write up so in future I can just send over this blog post, so here we are.
Two Factor Authentication (2FA) - the prompt you get on your phone after putting in your password, it’s often 6 digits, normally banks/paypal force this by default.
Password Manager - a manager for your passwords! It’s a program that stores the passwords conveniently for all of the programs and websites you access. This allows you to have different randomly generated passwords for every account you access. All you need to do is remember one password.
Keeping something secure is difficult as you need to balance both useability and security. I’m making a few assumptions based on my experience with most people.
- Most people use one or two passwords across the board when required for things like websites. Whilst this isn’t great for many security reasons, the reality is that people do this because it’s easier than remembering multiple.
- People don’t use Two Factor Authentication (2FA) unless it’s forced upon them (eg. by banks). Two Factor Authentication is
You’ve noticed your account has been breached, now what?
Alright, so you’ve noticed that your account is doing something funny, maybe your email is sending out weird emails on its own, or your facebook is posting things on its own. Great, someone is accessing your account. What do?
First thing is to change the password of the breached account. If this is your email, change your email password, if it is your Facebook, change that. At this point I would look into getting a Password Manager, there are so many out there and it’s constantly debaited what’s best.
Which password manager?
Password managers are a hot topic in the space, often the recommendations change as companies get acquired or they alter their service. I personally use KeePass, but it’s not as easy to use as a lot of the others. I’d recommend any of the following:
Lots of people have their preference and could debate this topic for hours on why one is better than the other. The reality is, if you don’t have a password manager and use the same password for everything, you’re immediately better off with any of these instead of keeping a singular password for everything.
I have a password manager, now what?
Well, this is the tedious part. You now have to change all of your passwords of every account you have from the old one to a randomly generated password generated by what ever password manager you have. This part sucks and takes a lot of time, I’d recommend getting the main few accounts you can think of, things like email, bank passwords, paypal, social media. Slowly over time, as you go about accessing those obscure sites you only access once a year you add that to your password manager. It’s kinda like collecting pokemon? Except they’re passwords.
As much as this part sucks, in the future if another account is breached, you’ll know that you only need to change that one password as every password you have is unique.
I’ve changed most of my passwords
Awesome, now you’ve changed most of your passwords you’re now in a better position then most. I’d recommend now enabling 2FA on all accounts that allow it. This step means that if an attacker had your password to your account they wouldn’t be able to access it without access to your phone. This will increase the security on your accounts substantially. If you don’t want to enable it on all of your accounts, definitely enable it on the important ones.
When an account gets breached or “hacked”, it can lead to some pretty bad things, however, I think if you implement these measures afterwards, you end up in a much better position before hand. I’d recommend implementing these things before something bad happens but I think most people go off the mindset of “it won’t happen to me” until it does happen. Fortunately for my friend, it was just a discord account that was hacked so no money was lost, however, due to this incident he is now in a much more secure position because of it.