Every few months website managers see the headlines and get questions from clients who ask the same thing: What to do after getting hacked?
After each hacking news story – including the most recent 4Chan iCloud hack where a hacker leaked a stash of nude photos of celebrities – websites such as Time.com or Mashable.com start their self-righteous calls on the importance of changing your password frequently and effectively. Out-of-touch gossip blogs ignore the reality of practical security precautions for users (especially website managers), failing to realize, for instance, that an iPhone doesn’t allow two-step authentication by default. Most media outlets also fail to mention what to do after you’re hacked, which, chances are, you will be at some point.
The reality for cloud security is very different from what most people think. Of course, the “Big Tech” companies will defend their services by repeating and enforcing password policies, but the odds are stacked in favor of criminal elements who have the patience, resources and fortitude to steal data.
The bottom line here is that you should be prepared to have your data stolen, and then be prepared to mitigate the fallout following the event.
Here’s what to do after getting hacked:
- Act quickly when you do get hacked – Resetting your password in the first few minutes will lessen the probability that a hacker continues to mine your account for value.
- Back up all websites, databases and cloud accounts – There may be something that’s worse to come, so get ready.
- Shut down your websites – Stop bad stuff from happening while you find someone to help you mitigate the damage. Google Analytics has a tool for detecting malware on a website.
- Check all your computers for viruses – Assume there is a bigger problem than the one account or device. Run virus scans on everything.
- Reset all passwords on all accounts – That means calling your banks, ISPs, credit cards and logging into all those crappy websites on which you’ve registered. Assume the hacker has access to them all.
- Watch your credit score – You can pay for identity theft protection from companies such as LifeLock.com or others, but mostly they are going to do the same thing you can do: react to changes in financial records and credit ratings. Be sure to do plenty of research on so-called free credit report businesses by visiting the FTC.gov website.
We’ve heard and read common security advice hundreds of times – so, why do we keep getting compromised by hackers? Because commonly accepted password security preparations don’t work. Is the cloud safe from hackers? Absolutely not. But here are practical tips for website managers to remember about password security:
- Omit your memorized “core phrase” when documenting a password – By now we all know to use special characters (e.g., !@#$%^&*) and combinations of capital letters and numbers, but these are easy to forget. Develop a password system based around a memorized phrase that will NEVER CHANGE. Then, never document the memorized phrase. Ever. For instance, if your memorized core phrase is “Deso!ationRow”, then all future passwords would include this favorite phrase added on the front or the end. Your core phrase never needs to change, while the front or back portion will change periodically. It’s this front or back portion you document (the core phrase is replaced by dashes in the documented version):
- $November6autumDeso!ationRow = $November6autum-------------
- Choose obscure usernames – Website and email accounts often force users to use their email addresses as usernames. But where FTP is involved, website managers can ensure that they use unrelated usernames for their FTP account logins (the username here is OtherName):
- www.MyDomainName.com = OtherName
- Add and update backup “password reset” contact information – Google, Yahoo! and AOL require an alternate email address and phone number for the purpose of resending passwords when a reset is requested. When you find it necessary to change your password, perhaps through no fault of your own as was recently demonstrated by Adobe when their servers got hacked, having an updated profile on these accounts allows for quickly resetting the information.
- Use Facebook logins for Facebook only – Seriously, it is a convenience when signing up for a new service, but there’s a serious conflict of interest presented when Facebook becomes your authenticator for all the websites you visit. The same applies for Google, LinkedIn or other “convenience login” functionality being offered.
- Visit your accounts frequently – Even if you don’t intend to reset the password on an account, you should visit dormant accounts and ensure software upgrades have been made and there’s no funny business going on in your account. Time is the enemy where hackers are involved, and the earlier you discover a problem, the more likely you’ll be to cover your ass.
- Don’t use unknown wireless networks – Next time you’re in a coffee shop and the name of that business comes up on the list of options to connect to the Internet, be sure to check with the business to confirm that the Wi-Fi network name is legitimate. Real Life Scam recently demonstrated how hackers create phoney wireless networks in so-called “Wi-Fi Hustles”.
- Delete old email – Despite what most people think, the cloud files are not the biggest risk to your security (unless you have nude pictures, of course). The bigger issue with most website managers and Internet users comes down to credit card and social security numbers contained within emails. Somewhere along the line most of us have sent our social security number to a business. Deleting old email will prevent hackers from mining it.
- Don’t give out passwords – And when you do give out a password to a developer, make sure you change it after the work is finished.
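For the “Delete old email” tip above, here is one way to find which messages in your own mailbox still carry card or social security numbers so you know what to delete first. This is an added example, not part of the original article; the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# 13-19 digits, optionally grouped with spaces or hyphens (candidate card numbers).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US social security number in the usual 3-2-4 grouping.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject groupings that are never issued as SSNs."""
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

def scan_message(raw: str) -> list[str]:
    """Return which kinds of sensitive numbers appear in a message's text parts."""
    msg = message_from_string(raw)
    body = "\n".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    found = set()
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body)):
        found.add("card")
    if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(body)):
        found.add("ssn")
    return sorted(found)

def audit(mailbox: dict[str, str]) -> dict[str, list[str]]:
    """Map each message name to its findings, skipping clean messages."""
    hits = {name: scan_message(raw) for name, raw in mailbox.items()}
    return {name: kinds for name, kinds in hits.items() if kinds}

# Constructed sample messages; the card number is a test number, not a live account.
SAMPLE_MAILBOX = {
    "2011-hotel.eml": "Subject: Booking\n\nPlease charge card 4111 1111 1111 1111, exp 12/27.\n",
    "2012-hr.eml": "Subject: Onboarding\n\nMy SSN is 078-05-1120 for the payroll form.\n",
    "2013-order.eml": "Subject: Shipped\n\nOrder 1234 5678 9012 3456 ships Monday, call 555-0100.\n",
}

if __name__ == "__main__":
    for name, kinds in audit(SAMPLE_MAILBOX).items():
        print(name, "contains:", ", ".join(kinds))
```

To audit a real export, read each message from the file (the standard library’s `mailbox` module handles mbox exports) and pass its raw text to `scan_message`.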
It sucks, it hurts and it takes time to recover after you’ve been hacked. But you’re not alone in your horrors, and there are many resources available from other website managers who have been through this before. Don’t be afraid to ask for help, and don’t be afraid to act quickly.