Sadly, this happens all the time. When a Russian blog posted stolen LinkedIn passwords in June, it represented a breach of as many as one in 25 member profiles. That's one hack. And a Sophos survey from 2009 suggests that about a third of us use the same password for every single site. Hacked once might be hacked everywhere.
If you've just started getting phone calls from friends who are wondering if you've just started a new and slightly suspicious shoe business through Facebook or email, here's what you need to do.
- Is your email account hacked, or merely spoofed? When your email is hacked, a thief has taken control of your actual account and is using it to send email and read your messages. Spoofing is sending mail with your information in the return address. When spam sent with your name on it bounces as undeliverable, you may see it in your inbox and suspect your account has been hacked. In this case, your own accounts haven't been compromised, but there's not much you can do about this.
- Find another computer and log into your email account, if you can. If you have been hacked, you don't know how yet. Occasionally, passwords are stolen with a computer worm that logs your keystrokes. Resetting your password from an infected computer would just send your new password to the thief, so find a friend's secure, private computer to log in … if the thief hasn't reset your password.
- If your password itself is stolen and has been changed, contact your email system administrator. You may have to fax over actual ID. A note: the processes for confirming your identity with email providers are under review after the recent epic social engineering hack of Wired News reporter Matt Honan.
- Use a strong new password. Good passwords are at least 15 characters long, use a mixture of symbols, numbers and changes in case … and are memorable. I_Hate_Hackers!86! or 36*Chambers*of*Death are examples of cryptologically strong, memorable passwords. But pick a different one, please.
- Review your other accounts. If you use your password for email in other places … you need to reset it everywhere damage could be done — online banking, social media, game accounts, news sites, shopping sites, work accounts, online document storage. This would be a good time to kill off old unused email accounts.
- Get your computer up to code. Install antivirus software and make sure your computer's operating system is fully patched. If you run Windows, click the Start button, click All Programs, and then click Windows Update and follow the directions.
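As an added illustration that is not part of the article, here is a short Python check that encodes the password rules from the "Use a strong new password" step above and scores the article's two example passwords; the function names and the weak "Summer2012" sample are this example's own, and the entropy figure is a rough upper bound, not a claim from the article.

```python
import math
import string

# The article's rules for a new password: at least 15 characters, with a mix
# of symbols, numbers, and upper- and lower-case letters. MIN_LENGTH comes
# from the article; the function names below are this example's own.
MIN_LENGTH = 15


def policy_checks(password: str) -> dict:
    """Return each rule from the article and whether the password satisfies it."""
    return {
        "length": len(password) >= MIN_LENGTH,
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def meets_policy(password: str) -> bool:
    """True only when every rule passes."""
    return all(policy_checks(password).values())


def naive_entropy_bits(password: str) -> float:
    """Rough upper bound on guessing effort: length * log2(size of the
    character pool actually used). It assumes each character was picked at
    random, so a phrase built from dictionary words (like the article's
    examples) is weaker in practice than this number suggests; it is shown
    to make visible why the 15-character minimum matters more than any
    single symbol."""
    checks = policy_checks(password)
    pool = 0
    if checks["lower"]:
        pool += 26
    if checks["upper"]:
        pool += 26
    if checks["digit"]:
        pool += 10
    if checks["symbol"]:
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # The two passwords quoted in the article, plus a constructed weak one.
    for pw in ("I_Hate_Hackers!86!", "36*Chambers*of*Death", "Summer2012"):
        failed = [rule for rule, ok in policy_checks(pw).items() if not ok]
        print(f"{pw!r}: ok={meets_policy(pw)} ~{naive_entropy_bits(pw):.0f} bits failed={failed}")
```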
Facebook and Twitter
- Secure your Facebook account. Facebook will ask you to “secure” the account at www.facebook.com/hacked. You'll be asked to sign in with your old password, then establish a new one. Then send a note to your friends apologizing and re-asserting control of your account.
- Check your apps. Malicious code shows up from time to time in third-party applications running on Facebook.
- Twitter's a little different. You'll have to reset your password by asking Twitter to send you a reset link by email. (Of course, if your email is toast too, you need to get that under control first.)
- Disable Tweetdeck, Hootsuite and other widgets. Your add-ons are going to keep trying to access your account using the old password. And when they fail often enough, Twitter will lock your account. While you're at it, check your other application access. If you don't recognize an application enjoying access to your account, revoke it.