How to check if you've been hacked

Find out how to check if your account has been hacked

Another week, another major hack. It seems like cybercriminals are dumping our account details faster than we can keep up. This week's victim is Yahoo, but there are few online services that haven't been hit.

That's worrisome for those of us using these online services, especially those of us with a bad habit of reusing passwords (we'll get to that).

Here, we'll reveal how to find out if your account logins are up for sale online and what to do about it if they are.

Why is it worth checking?

In the past year alone, hundreds of millions of account details have been leaked online.

Back in May, MySpace (remember them?) admitted as many as 360 million accounts were at risk after a breach of emails, passwords and usernames, with LinkedIn losing details of 117 million accounts to the same hacker. Peace, as he or she or they charmingly goes by, is also thought to be behind the dump of hundreds of millions of Yahoo credentials. Busy little bee, is Peace.

Tumblr also took a tumble, leaking 65.5 million account details, and though Twitter claimed in June it wasn't hacked, it still managed to expose 32 million passwords. And another hacker sold nearly 300 million logins from Gmail, Hotmail, Yahoo and Mail.ru, though many were out of date.

The list goes on and on. Hackers are paying attention to your login credentials, and that means so should you.

How to check if you've been hit

There are several websites that let you enter your username or email address to see whether any leaked login details match it.

A warning, though: these sites check data that's been dumped online or been bought by clever researchers. If a hacker has your credentials and intends to use them, they won't immediately be revealed online, so such sites can only help so much.

That said, it's a start and often quite the wake-up call.

One to try is Have I Been Pwned, from security researcher Troy Hunt. Simply drop your email address or login name into the box and hit enter to see if your details are listed from breaches of 142 websites.

If your details are found in the data dumps, you'll get a terrifying red message detailing exactly what was taken in each hack. You'll want to change your password if you haven't already, and change it anywhere you used the same password across multiple accounts.

If you're not listed, you'll get a green message with the good news. That doesn't mean your account hasn't been hacked, however; it only means you weren't hit by the hacks that Hunt lists.

There's also an option to subscribe to get a warning if your details turn up in future breaches and in "sensitive" data dumps. To search those, Hunt requires verification that you're the owner of the email, otherwise you could enter your partner's email address and find out that they were hit by the Ashley Madison or YouPorn attacks. That could be awkward for some.

That means signing up for notifications not only gives you a warning system in case your accounts are hacked in the future, but also means your details are run through the "sensitive" data dumps, so it's worth taking the extra step.

There are other sites that do a similar job. Hacked Emails is similar to Have I Been Pwned, though it isn't quite as thorough as Hunt's site (it missed one of the leaked lots that one of my emails is in). Handily, it has a Chrome extension that alerts you if anyone sending you email has been hacked, and may be compromised.

BreachAlarm is similar to Have I Been Pwned, but doesn't tell you the specific account that's been hacked, which isn't very useful. That means you need to change the password for any account associated with that email address, which may well be a lot.

Pay attention

There's another way to spot if your accounts have been hacked: pay attention. If a web service or site sends you an email begging you to change your password or nags you with a pop-up to do the same, then listen and obey.

Others will warn you of odd behaviour, with Gmail and Chrome showing a notification of a new login. If that wasn't you, assume you've been hacked.

Of course, not all companies are keen to let you know when they've been hacked. Sony, eBay, we're looking at you. Sometimes that leaves the rest of us out of the loop, but other times such breaches make the headlines before the company is willing to own up or can even confirm the attack themselves -- that appears to be what's happened with Yahoo. In that case, the hacker leaked 200 million credentials in August, but Yahoo is only expected to confirm the incident this week, a month later.

In short, if you read about the Yahoo leak in August, you should have refreshed your password in August. Don't wait for official confirmation first.

How to stay secure

Whenever there's a big security breach, researchers and experts pipe up with their advice for staying secure online, and it normally runs the same.

Every now and then, change your passwords. Much of the leaked data is years old; more often than not, a twice-annual refresh means you'd be secure even if your password was on the list.

Have different passwords for different sites, so hackers can't try one leaked credential against another site and get access.

Turn on two-step (or two-factor) authentication. Good web services offer this extra layer of security for a reason, so use it.

None of this guarantees your credentials won't be swiped or that access to your account won't be gained by criminals, but it does help make it less likely. And that's really the best we can hope for.
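
The reuse advice above, worked through as an added example (not part of the original article): given a password-manager export, this Python script lists which accounts share a password and which ones to change once a site is reported breached. The CSV column names and the sample rows are constructed assumptions, not real credentials.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (site, username, password); not real credentials.
SAMPLE_EXPORT = """site,username,password
yahoo.com,alex@example.com,Sunshine2016!
linkedin.com,alex@example.com,Sunshine2016!
tumblr.com,alexb,tumbl3-only-pw
shop.example,alex@example.com,Sunshine2016!
bank.example,alex@example.com,x7#Qp-unique-long
"""


def load_export(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def reuse_groups(entries):
    """Return groups of sites that share one password (groups of 2+ only).

    Only site names are returned; passwords are never printed or logged.
    """
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["site"])
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def accounts_to_rotate(entries, breached_sites):
    """Sites needing a new password: the breached ones plus every account
    that uses the same password as a breached one."""
    breached = {site.lower() for site in breached_sites}
    exposed = {e["password"] for e in entries if e["site"].lower() in breached}
    return sorted(e["site"] for e in entries if e["password"] in exposed)


if __name__ == "__main__":
    entries = load_export(SAMPLE_EXPORT)
    print("Accounts sharing a password:", reuse_groups(entries))
    print("Change after a Yahoo breach:", accounts_to_rotate(entries, ["yahoo.com"]))
```

Run it against a real export only on a machine you trust, and delete the export file afterwards, since it holds every password in plain text.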
