How to check if you've been hacked

Find out how to check if your account has been hacked

Another week, another major hack. It seems like cybercriminals are dumping our account details faster than we can keep up this week's victim is Yahoo, but there's few online services that haven't been hit.

That's worrisome for those of us using these online services, especially those of us with a bad habit of reusing passwords (we'll get to that).

Advertisement - Article continues below

Here, we'll reveal how to find out if your account logins are up for sale online and what to do about it if they are.

Why is it worth checking?

In the past year alone, hundreds of millions of account details have been leaked online.

Back in May, MySpace remember them? admitted as many as 360 million accounts were at risk after a breach of emails, passwords and usernames, with LinkedIn losing details of 117 million accounts to the same hacker. Peace, as he or she or they charmingly goes by, is also thought to be behind the dump of hundreds of millions of Yahoo credentials. Busy little bee, is Peace.

Tumblr also took a tumble, leaking 65.5 million account details, and though Twitter claimed in June it wasn't hacked, it still managed to expose 32 million passwords. And another hacker sold nearly 300 million logins from Gmail, Hotmail, Yahoo and Mail.ru, though many were out of date.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The list goes on and on. Hackers are paying attention to your login credentials, and that means so should you.

How to check if you've been hit

There's several websites that let you enter in your username or email address to see if there's any leaked login details matching them.

A warning, though: these sites check data that's been dumped online or been bought by clever researchers. If a hacker has your credentials and intends to use them, they won't immediately be revealed online, so such sites can only help so much.

That said, it's a start and often quite the wake-up call.

One to try is Have I Been Pwned, from security researcher Troy Hunt. Simply drop your email address or login name into the box and hit enter to see if your details are listed from breaches of 142 websites.

If your details are found in the data dumps, you'll get a terrifying red message detailing exactly what was taken in each hack. You'll want to change your password if you haven't already, and change any where you used the same password across multiple accounts.

Advertisement - Article continues below

If you're not listed, you'll get a green message with the good news. That doesn't mean your account hasn't been hacked, however it only means you weren't hit by the hacks that Hunt lists.

There's also an option to subscribe to get a warning if your details turn up in future breaches and in "sensitive" data dumps. To search those, Hunt requires verification that you're the owner of the email, otherwise you could enter your partner's email address and find out that they were hit by the Ashley Madison or YouPorn attacks. That could be awkward for some.

That means signing up for notifications not only gives you a warning system in case your accounts are hacked in the future, but also means your details are also run through the "sensitive" data dumps so it's worth taking the extra step.

Advertisement
Advertisement - Article continues below

There are other sites that do a similar job. Hacked Emails is similar to Have I Been Pwned, though it isn't quite as thorough as Hunt's site (it missed one of the leaked lots one of my emails is in). Handily, it has a Chrome Extension that alerts you if anyone sending you email has been hacked, and may be compromised.

Advertisement - Article continues below

BreachAlarm is similar to Have I Been Pwned, but doesn't tell you the specific account that's been hacked, which isn't very useful. That means you need to change any account associated with that email address, which may well be a lot.

Pay attention

There's another way to spot if your accounts have been hacked: pay attention. If a web service or site sends you an email begging you to change your password or nags you with a pop up to do the same, then listen and obey.

Others will warn you of odd behaviour, with Gmail and Chrome showing a notification of a new login. If that wasn't you, assume you've been hacked.

Of course, not all companies are keen to let you know when they've been hacked. Sony, eBay, we're looking at you. Sometimes that leaves the rest of us out of the loop, but other times such breaches make the headlines before the company is willing to own up or can even confirm the attack themselves -- that appears to be what's happened with Yahoo. In that case, the hacker leaked 200 million credentials in August, but Yahoo is only expected to confirm the incident this week, a month later.

Advertisement - Article continues below

In short, if you read about the Yahoo leak in August, you should have refreshed your password in August. Don't wait for official confirmation first.

How to stay secure

Whenever there's a big security breach, researchers and experts pipe up with their advice for staying secure online, and it normally runs the same.

Every now and then, change your passwords. Much of the leaked data is years' old more often than not, a twice-annual refresh means you'd be secure even if you password was on the list.

Have different passwords for different sites, so hackers can't try one leaked credential against another site and get access.

Turn on two-step (or two-factor) authentication. Good web services offer this extra layer of security for a reason, so use it.

None of this guarantees your credentials won't be swiped or that access to your account won't be gained by criminals, but it does help make it less likely. And that's really the best we can hope for.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/security/phishing/355936/inky-announces-20m-series-b-funding-round
phishing

INKY announces $20M Series B funding round

4 Jun 2020
Visit/security/ransomware/355909/microsoft-issues-warning-about-new-ponyfinal-ransomware-attacks
ransomware

Microsoft issues warning about new PonyFinal ransomware attacks

3 Jun 2020
Visit/security/data-breaches/355908/amtrak-guest-reward-suffers-a-data-breach
data breaches

Amtrak Guest Reward suffers a data breach

3 Jun 2020
Visit/security/cyber-security/355903/brand-impersonation-and-form-based-attacks-are-rising
cyber security

Brand-impersonation and form-based attacks are rising

3 Jun 2020

Most Popular

Visit/operating-systems/ios/355935/apple-confirms-serious-bugs-in-ios-135
iOS

Apple confirms serious bugs in iOS 13.5

4 Jun 2020
Visit/mobile/5g/355911/the-uk-pivots-to-japan-for-5g-equipment
5G

The UK looks to Japan and South Korea for 5G equipment

4 Jun 2020
Visit/server-storage/high-performance-computing-hpc/355916/inside-the-hawk-supercomputer
high-performance computing (HPC)

AMD virtual tour takes us inside Europe's Hawk supercomputer

4 Jun 2020