My friend Sally received an urgent message from her free email provider, Google Gmail, saying she needed to immediately change her password. Sally had no idea why, but she followed the instructions and changed her password. I cannot know for sure why Google thought it necessary for Sally to change her password, but I have a good idea as to what the reason could be.
Sally’s email account had not been hacked, so why did Google insist she needed to change her password? The most likely reason is that while Sally was not hacked (yet), it seems that several organizations to which Sally had entrusted her credentials had been hacked.
At one time or another, Sally had used the social networking site LinkedIn.com. She gave LinkedIn her email address and a password. Then LinkedIn was hacked, the private information of 164 million customers was stolen, and that data ended up for sale on a dark market site. Sally was not hacked, but because LinkedIn was, Sally’s email address and password were up for sale to criminals on the dark web.
That might not be the reason Google told Sally to change her password, though. She had also signed up for the social website Evite.com, which was also hacked. Evite.com discovered there had been unauthorized access to their database of 101 million customers’ data, including dates of birth, email addresses, genders, names, passwords, phone numbers, and physical addresses… including Sally’s information.
And I could go on because several other websites Sally had trusted to keep her information secure had also failed to do so. Through no fault of Sally’s, entirely because those companies were hacked, Sally’s personal data is now floating around on the dark web, where cybercriminals are undoubtedly trying to make nefarious use of it.
The reason Sally was probably warned to change her email password, even though she had NOT been hacked, is that companies like Apple, Google, Microsoft, Mozilla, and others are proactively watching the same dark web the crooks use. When Google saw Sally’s address there, that triggered a warning that she should change her password. Google knows, and the crooks know, that people are lazy. Many lazy people foolishly use the same password over and over again, so the crooks frequently find that the password someone used for LinkedIn just happens to be the same one that unlocks a bank account.
Sally’s stolen data is available out there on the dark web, and there is really no way to undo that. The best defense is for her to change her passwords and not use the same one on multiple websites. In case you are wondering how I could know that Sally had used the websites LinkedIn.com, Evite.com, ShareThis.com, etc., you will need to read next week’s column for the answer.
Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981 and now practically a full-time resident. He may be contacted at 044 415 101 8528 or email FAQ8@SMAguru.com.