It is impossible to get hacked*

*No, not really. It’s just that when you say “I have been hacked!” you’re handing off responsibility. People think these things “just happen” – hackers hack, right?

Wrong

On the modern internet, people use the word “hacked” as if they had been singled out by hackers who then broke into their accounts with some sort of voodoo computer magic. The reality couldn’t be further from the truth.

This is *not* how someone got into your Facebook account 🤦‍♂️

There are many forms of hacking. In this post, we’re going to focus on modern day account security since this is where most people will tell you they get “hacked”. When I say account security, think Facebook, Twitter, Apple, Netflix, Instagram, Email, etc.

What is “hacking”?

The early days of the internet were basically the wild west. As a result, breaking into an account was a much simpler process. Passwords could be guessed over and over by programs until one guess was right (computers can do this really fast), and direct peer-to-peer connections were extremely common as well, since IPs were more exposed to the (relatively) few folks online. When I first started using the internet in the late 90s, it was a common practice to open a direct client-to-client connection with a stranger in IRC to share a file. You would never do that today, and modern communication platforms like Discord abstract things in a way where you’d never actually know the IP of a person you were sharing a file with.

Nowadays, almost any service with real users has at least rudimentary protection in place, such as rate limiting and account lockout against brute-force guessing. The larger platforms with millions of users have much more sophisticated protection. For example, if you live in Chicago and log into Facebook, then a login for your account comes in from Bangladesh 5 minutes later, the system is very likely to flag it as impossible travel and demand extra verification, or refuse it outright. In short, it’s very hard for someone who has never met you to hack you unless you hand them the keys to do it.

So how does it happen, then?

Here are the most common ways an account gets compromised:

  1. Clicking phishing links in emails or on websites that redirect to fake pages built to look like a service you use: Facebook, Apple, Amazon, Chase, etc. You clicked the link because the email said there was an urgent notice you had to resolve, then you willingly entered your account information on the fake page, and now someone else has it.
  2. You have a ridiculously easy password: 123456, qwerty, password, hunter2, your name, your kid’s name, your pet… the list goes on. Don’t do it.
  3. You use a universal password. A universal password means you use the same password, or a variation of it, for multiple accounts. This is the single worst thing you can do. Why? Because when an organization genuinely gets breached, whoever ends up with the leaked credentials will try them against every other service they can. Equifax in 2017 is the famous example of a big breach, although it leaked identity data rather than passwords: the attackers got in through an unpatched Apache Struts vulnerability in a public-facing web application. The often-repeated “admin/admin” story is real but comes from a separate Equifax employee portal in Argentina that was found using exactly those credentials the same year.
  4. YOU PROVIDE the answers to password security questions, sometimes freely. These are the questions you often set up when creating an account: What is your birth date? What is your mother’s maiden name? When is your anniversary? I can find out 90% of the answers to these questions just by being friends with the average person on Facebook. People that answer Facebook “quizzes”? *Shudders* 😬. If a service forces security questions on you, treat them as extra passwords: answer with random strings and keep those in your password manager.
  5. Which brings us to what modern day hacking usually comes down to: social engineering. People trick you into revealing information that helps them hack you, whether over a social media DM, in a video game, or on the phone. Modern day hackers are experts at piecing together seemingly innocuous bits of information… until it’s too late.

What can I do about it?

Here are some extremely easy ways to significantly reduce your odds of getting an account compromised:

  1. Don’t click links in emails. If you get an account notice, go to the organization’s site directly and see what’s up, or contact the organization directly. If you get an email saying your Netflix account is frozen, log in at https://netflix.com – if you can log in, the account obviously isn’t frozen.
  2. Use long, strong, unguessable passwords. Zhwg(=B)wMNOd(m1l;1BHl/-O?Z:kVko#aMaclcd is an example of a strong password: 40 characters mixing upper and lower case letters, digits and symbols, which works out to roughly 260 bits of entropy if it was generated at random. Length is the biggest single factor in how hard a password is to crack (every extra character multiplies the number of guesses an attacker needs), but only when the characters are random rather than a word with a digit tacked on.
  3. Even better, get a password manager and let it generate your passwords for you. The manager will produce passwords that are as hard as possible for a machine to guess, and in most cases fills them into the site for you. A manager that refuses to fill a login form because the domain doesn’t match the saved one is also a handy phishing check.
  4. Never ever use the same password in more than one place. Seriously, don’t do it. That includes variations of the same thing. For example: packers01, packers1!!, Packers!! might as well be the same password, because cracking tools apply exactly those kinds of substitutions automatically.
  5. Avoid storing username/password credentials in your browser (this is the “save password” prompt you see when you log in to a site). The first thing someone who gains control of your computer does is dump the browser’s saved passwords. They are encrypted on disk, but with keys that any program running as you can use, so to malware on your machine they are effectively plain text.
  6. Set up two-factor authentication… everywhere. Nearly every mainstream service offers it. Start with your email accounts (yes, you should have more than one), because they’re the key to most account recoveries: whoever gets into your email can reset your passwords elsewhere simply by requesting a recovery link. Your email needs to be the hardest thing to get into. This is about the easiest thing you can do, yet around 90% of people with a Gmail account do not have 2FA set up. That number is staggering.
  7. Don’t use text-message based 2FA if you have a choice. Your phone number can be taken over without anyone touching your phone: an attacker talks (or bribes) your carrier into moving your number to a SIM they control, a technique known as SIM swapping, and from then on the 2FA codes go to them. It has happened to people I work with. Instead, use an authenticator app like Google Authenticator or Authy. These apps generate codes that change every 30 seconds, derived from a secret shared with the service when you enrolled, and you provide the current code when logging in. A hardware security key is stronger still, because it also refuses to authenticate to a phishing site.
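
To make the password points above concrete, here is a small Python script, added for this page and not part of the original post, that does two things: it estimates a password’s entropy the naive way strength meters do (assume every character was drawn at random from the character classes it contains), and then it normalizes the password the way a cracker’s mangling rules do, so that the packers01 / packers1!! / Packers!! family collapses to one base word. The tiny wordlist and the leet-substitution table are constructed stand-ins for a real wordlist such as rockyou.txt and a real rule set.

```python
import math
import re
import string

# Leet-speak substitutions that cracking rule sets undo. Constructed subset.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a real wordlist like rockyou.txt.
WORDLIST = {"password", "packers", "hunter", "qwerty", "admin",
            "letmein", "welcome", "dragon", "monkey", "football"}


def naive_entropy_bits(password: str) -> float:
    """Entropy IF every character had been chosen uniformly at random from
    the union of the character classes present. Only meaningful for
    generated passwords; for human-chosen ones it wildly overestimates."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def normalize(password: str) -> str:
    """Collapse a password the way mangling rules do: case-fold, drop the
    digits/symbols people append, undo leet-speak, drop separators.
    Every variant of one base word lands on the same string."""
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)   # "packers1!!" -> "packers"
    p = p.translate(LEET)             # "p4ck3rs"    -> "packers"
    return re.sub(r"[^a-z]", "", p)   # "pack-ers"   -> "packers"


def same_password(a: str, b: str) -> bool:
    """True when two passwords are one base word with different decoration."""
    return normalize(a) == normalize(b)


def assess(password: str) -> dict:
    """The naive random-entropy figure next to what a cracker actually sees."""
    base = normalize(password)
    return {
        "naive_bits": round(naive_entropy_bits(password), 1),
        "base": base,
        # an empty base means the password was digits/symbols only ("123456")
        "weak": base in WORDLIST or base == "",
    }


if __name__ == "__main__":
    for pw in ["packers01", "packers1!!", "Packers!!", "P4ck3rs", "hunter2",
               "123456", "Zhwg(=B)wMNOd(m1l;1BHl/-O?Z:kVko#aMaclcd"]:
        print(f"{pw!r:45} {assess(pw)}")
```

Run it and the contrast is the whole point: Packers!! scores about 58 “bits” by the naive count, but its base word is in the wordlist, so a cracker reaches it after trying a handful of rules against one dictionary entry. The 40-character random string scores about 262 bits and has no base word at all, which is why a generated password beats a clever one.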

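The codes in item 7 are not magic: the app and the service share one secret when you enrol, and both compute the same function of the current time. Below is an added Python implementation of that function (RFC 4226 HOTP and RFC 6238 TOTP), written for this page rather than taken from the post or from any authenticator app, plus a server-side verifier. The secret in the usage example is the test key published in RFC 6238, so the output can be checked against the spec; the one-step drift window and the replay rule in TotpVerifier are this example’s own design choices.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds per code; the value Google Authenticator and Authy use
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since
    the Unix epoch. Both sides need only the secret and a roughly right clock."""
    at = int(time.time()) if at is None else at
    return hotp(key, at // step)


def decode_base32_secret(secret: str) -> bytes:
    """The secret an app scans from the otpauth:// QR code is base32, often
    shown in lowercase groups of four; restore the padding before decoding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """Server side. Accepts the current code or one step either side to absorb
    clock drift, and never accepts a counter at or below the last one used,
    so a code captured in transit cannot be replayed. (Window size and the
    replay rule are this example's own choices.)"""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        counter = at // STEP
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # already used, or older than a code already used
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238's published test secret ("12345678901234567890" in base32)
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("code at T=59 (RFC 6238 expects 287082):", totp(key, 59))
    print("code right now:", totp(key))
```

Two things worth noticing. The secret never travels after enrolment, which is why a SIM swap does nothing against an app-based code; and the verifier only ever accepts a given 30-second slot once, so even a code phished in real time buys the attacker at most one login, not a standing ability to pass 2FA.
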
So is it really impossible to get “hacked” then?

No. Genuine security breaches happen every single day. Usually someone discovers and exploits a security vulnerability in a service and finds a way to query its database or take over an administrator’s account. I talked about Equifax a bit, but this has happened to plenty of other large organizations as well.

What then happens is that someone now has a list of username/email and password combinations used for that service. (If the service stored its passwords properly hashed, the attacker has to crack them first, and the short, common and reused ones fall first.) They throw those lists at other services until something works, banking on the fact that people can (and do) use the same credentials across multiple services. These attacks are known as credential stuffing. Again, using a unique password for every service greatly limits what a breach at one of them can do to you.
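
Here is what the “brute force protection” mentioned earlier, the Chicago-then-Bangladesh check, and a credential-stuffing detector look like as detection logic run over a login log. This is an added Python example, not code from the post or from any real platform. The log format, the events, the IP-to-city table (using documentation address ranges) and the thresholds are all constructed for illustration; a real system would read a GeoIP database and tune the numbers to its own traffic.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed log line shape, not any vendor's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

# Constructed stand-in for a GeoIP lookup: ip -> (city, lat, lon).
GEO = {
    "192.0.2.10": ("Chicago", 41.88, -87.63),
    "192.0.2.11": ("Milwaukee", 43.04, -87.91),
    "192.0.2.200": ("Dhaka", 23.81, 90.41),
}


def build_sample_log() -> str:
    """Constructed events covering the three patterns, plus one benign trip."""
    lines = []
    # (a) one account hammered from one address: online brute force
    for i in range(12):
        lines.append(f"2024-03-01T12:00:{i:02d}Z ip=198.51.100.9 user=alice result=fail")
    # (b) one address trying leaked pairs against many accounts: credential stuffing
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        lines.append(f"2024-03-01T12:05:{i:02d}Z ip=203.0.113.7 user={u} result=fail")
    lines.append("2024-03-01T12:05:06Z ip=203.0.113.7 user=heidi result=success")
    # (c) the Chicago-then-Bangladesh login from the text: impossible travel
    lines.append("2024-03-01T13:00:00Z ip=192.0.2.10 user=erin result=success")
    lines.append("2024-03-01T13:05:00Z ip=192.0.2.200 user=erin result=success")
    # (d) Chicago to Milwaukee two hours later is a real commute; must not fire
    lines.append("2024-03-01T13:00:00Z ip=192.0.2.10 user=frank result=success")
    lines.append("2024-03-01T15:00:00Z ip=192.0.2.11 user=frank result=success")
    return "\n".join(lines)


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # real logs carry plenty of unrelated lines
        e = m.groupdict()
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def brute_force(events, threshold: int = 10) -> list:
    """(ip, user) pairs with at least `threshold` failures: lock or rate-limit."""
    fails = Counter((e["ip"], e["user"]) for e in events if e["result"] == "fail")
    return sorted(pair for pair, n in fails.items() if n >= threshold)


def credential_stuffing(events, min_users: int = 5, min_fail_ratio: float = 0.8) -> list:
    """Addresses failing against many *different* accounts. Per-account lockout
    never fires here because each account only sees one or two guesses."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["total"] += 1
        if e["result"] == "fail":
            s["fail"] += 1
            s["users"].add(e["user"])
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users and s["fail"] / s["total"] >= min_fail_ratio)


def haversine_km(p, q) -> float:
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh: float = 900) -> list:
    """(user, from_city, to_city) for consecutive successful logins that would
    need faster-than-airliner travel. The 900 km/h limit is an assumption."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["ip"] in GEO:
            by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(GEO[prev["ip"]][1:], GEO[cur["ip"]][1:])
            hours = max((cur["t"] - prev["t"]).total_seconds() / 3600, 1 / 60)
            if dist / hours > max_kmh:
                flagged.append((user, GEO[prev["ip"]][0], GEO[cur["ip"]][0]))
    return flagged


SAMPLE_EVENTS = parse(build_sample_log())

if __name__ == "__main__":
    print("brute force:        ", brute_force(SAMPLE_EVENTS))
    print("credential stuffing:", credential_stuffing(SAMPLE_EVENTS))
    print("impossible travel:  ", impossible_travel(SAMPLE_EVENTS))
```

The three detectors look at the same log from different angles, and that matters: a per-account lockout catches alice being hammered but is blind to the stuffing run against bob, carol and friends, because no single account crosses the threshold. Only the per-IP view sees that one address is failing across many accounts. The impossible-travel result is a reason to challenge the login (VPNs and real trips produce the same signal), which is why big platforms ask for extra verification rather than silently refusing.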

“Have I Been Pwned” is a great site for checking whether one of your accounts has turned up in a data breach somewhere: https://haveibeenpwned.com/ . Its Pwned Passwords search will also tell you whether a password you use has appeared in a breach, without the full password ever leaving your browser.

Is it all worth it?

In a word: yes.

Think of how much you value everything on your computer and on web services: photos of your loved ones, correspondence, financial information, your writing. Your computer and web accounts are access points to things you own, things that are yours. The small inconveniences here and there are big inconveniences for hackers. Do you know what’s more inconvenient than entering a 2FA code? Trying to explain to Facebook that it’s your profile that someone else is using, or getting your money back when someone gets into your bank or credit services.

In Summary

These are the basics. As you’ve learned, simply enabling two-factor authentication on your email will make you a harder target than 90% of the 1.5 billion people who have a Gmail account.

Use Two Factor Authentication. Never re-use passwords. Get a password manager.

Questions? More tips? Let me know in the comments 👇
