What to do if your password ends up in the wild

Usernames and passwords often end up in the wild after a security breach. What should you do when that happens?

Today, if a password and/or ID is exposed through any vulnerability, you will know about it very quickly: Apple, Google, password managers, browsers, and others will readily tell you about it. Then the question is: what to do? Of course, every situation is different, but here are the basic steps you need to take to keep your accounts safe. Act quickly, and it is quite possible that you will avoid any problems at all.

Change password

If your password is exposed, you will obviously want to change it before anyone can use it. This is the first step to take, and it needs to be done very quickly. The operation is not complicated: every site and every service makes it very easy.

Just remember the basic rules when choosing a password: it must not be guessable, and you must not forget it. The latter is less of a concern today, as password managers are now very sophisticated. If you use one to manage all your usernames and passwords, and it can suggest strong passwords for you, you’re in safe hands.

And as we always say, if two-factor authentication (2FA) is available, turn it on. Then you will need a temporary code, most often received on your smartphone, in addition to your login and password to connect. This way, even if the password is compromised, access to your account will remain secure, unless a hacker has gained access to your smartphone.

Sign out of all your devices

After changing your password, you must disconnect all devices connected to your account. If someone gained access to your account before you changed your password, it is possible that they will remain logged in for a while.

Most web services keep you logged in to make daily use easier, but that also means scammers can use those sessions for quite some time.

The procedure for disconnecting all your devices from an app or site depends on that app or site, but again these procedures have become very common today. For example, on Netflix, it only takes one click on your account page. On Google, go to the security section in your Google account, select “Manage all devices” to see all the devices associated with your account, and disable the devices in question.

Check third party apps

Your digital accounts are likely associated with a wide range of third party apps and services. All it takes is a hack into one of your accounts, and third-party apps can stay signed in even after you change your password and sign out of all your devices. Attackers can then connect through these utilities to get back into your account.

You can easily disable these apps, but again, the method is different for apps and websites. For example, if it’s Twitter, go to the connected apps page on the web and see who has access to your account. Click on the entry in the list, then “Revoke Application Permissions”.

You can connect one or more apps to your Facebook account: go to the Apps & Sites page on Facebook on the web to view the list. Clicking Remove will disable the app or service. You can also click View and Edit to view the data and permissions available to that linked app.

Preparing for next time

You managed to avoid disaster and your accounts are safe again, but nothing says that this will not happen again. In truth, there is even a high risk that it will, and there’s nothing you can do about it.

Choosing strong passwords, activating two-factor authentication, and working with a password manager are all good practices, and even reflexes you need to have today.

As stated, most password managers now warn you if your usernames and/or passwords appear in public data. Other services such as Firefox Monitor can also be useful to check if your data has been exposed.

Other than that, just follow these rules, which should be familiar to you by now: avoid reusing your password from site to site, keep your passwords and accounts to yourself or close family members, and delete accounts on platforms you no longer use (the fewer active accounts you have, the less you risk).
