The subject of this week’s column is one about which I have previously written, but it’s a topic of great importance that is worth repeating. Last week I related the story of my friend Sally who, although she was not hacked, had nevertheless received an urgent message from Google warning her to change her Gmail password immediately. If her Gmail account had not been hacked, why then would Google think there was any need to change her password?
The answer to that question was rather obvious after I pointed my web browser to “haveibeenpwned.com” (no www) and entered Sally’s email address. Hackers have perpetrated an unknown number of data breaches through which they have obtained names, addresses, passwords, credit card numbers, and much other personal information. This information is sold in the criminal underground, and, as a service to you, the haveibeenpwned.com site tracks what information can be found there. When I typed in Sally’s email address, I immediately learned that her information had been included in five serious data breaches. None of that was Sally’s fault, but it still means that she should change her passwords, which is probably why Google was warning her to do so.
This situation is much more critical for lazy people: those who use the same password over and over again. When cybercrooks find the name and password you used for Facebook on one of those dark web lists, all too often they discover that the same password works to get into your bank account. That is the main reason you should always use a different password for each website or, at a minimum, use a different password for each of your banks.
I also recommend that everyone visit the haveibeenpwned.com website to see whether your email address shows up in any serious data breaches. In my case, one of my email addresses was involved in a data breach at Adobe Systems, Inc., when it lost data on 153 million customers, including my email, password, and password hint; so I went to Adobe.com to change those. Adobe had apparently not lost my mailing address or credit card number, but I erased that information just in case.
If the haveibeenpwned.com site warns that your email address has been involved in any breaches, you will see details including “compromised data” listing what information about you was hacked. Of course, you cannot change things like your name, age, sex, etc., but you do have the option of changing other things, and that should start with your password.
A strategy I highly recommend is setting up a new email account to be used for banking and for banking only. Never use that email address for anything except for communicating with your bank(s). For convenience, you may configure that email to forward to your regular email. Then, hopefully, that email address will never show up on the haveibeenpwned.com site.
Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981, and now practically a full-time resident. He may be contacted at 415 101 8528 or email FAQ8@SMAguru.com.