Hey, folks! I just thought I'd make this quick topic as a warning not to leave your information floating around in cyberspace. Don't roll your eyes at me. I know you know not to give Skype bots and Russian Bride sites your social security number. I mean stuff you might not even think about. The stupidest little bit of information can get you. Stuff you wouldn't even think about. I know because it happened to me. I'm going to give you the short version which is still too long. If you want to read my example of what happened to me, hit the spoiler tag. If not, skip it and go right to a list-in-progress of ways to protect yourself online.
Something a LOT of people don't seem to realize is that gathering or knowing basic info like your name, date of birth, mother's maiden name, favorite sports team, names of pets, and the town you were born in is stupid easy, especially with social media in full swing. I can google a user name and if I've talked to that person for more than a few minutes, there's a good chance I can break into some stuff. Let me tell you this; if someone breaks into the right email account, it's all over.
In the 20 years since that single post in 1998, I've been all OVER the place. I've made probably 50 email accounts, had single and double accounts at forums, websites, MMOs and everything else. I forgot many of these accounts ever existed, sometimes within a week of making them. Scattered across these accounts were tiny little personal details that alone really couldn't do any harm. From: X CITY, lives in X STATE, an old phone number from ten years ago, old AOL Instant Messenger names, Xangas and LiveJournals. (Kids, those are how we pretended people wanted to know every detail of our lives before Twitter and Facebook)
Well, someone - over the course of a couple months - systematically collected or already knew a bunch of that information and used it to break into some accounts. They broke into (or probably guessed the password of) that old forum account. There, they found an old yahoo email account THAT FOR SOME REASON WAS STILL ACTIVE and used the same information to get into it. From there, it was just patience. You find something else associated with that email address, do the password recovery bit, and boom - you have new accounts and email to play with. They did this undetected for two months, and it's almost impossible to notice happening if they're smart and you're not paying attention.
This person daisy-chained their way from one forum post in 1998 through a confirmed 122 accounts spanning various platforms. A total of 384 accounts were potentially compromised. I didn't notice until Google sent me a message like 'Hey... how do you have three devices synced and running where you are, plus another 3 in the Chicago area?' I got to looking and found some recovery emails in my gmail trash and that's when I figured out what was up. This person had 3 devices in the Chicago suburbs synced to my primary account through which I do all my banking and everything else. They were downloading apps - some of which I had paid for - watching my netflix and who knows what else.
I spent a total of 36 hours over three days (and then more time since as I found more accounts) following breadcrumbs, finding every account I had ever made, getting in, wiping information, wrestling with admins to change usernames and delete stuff I couldn't, and basically undoing a majority of 20 years of crap that I had left behind me. So far, I've wiped, secured and consolidated everything I've found and am working very hard to separate my public presence from my private existence. I'm working with Google to try and secure information that's still archived out there. I will literally never be able to chase down all the information that is public and shouldn't be, because for a long time I had an enormous online presence.
As an aside - the idiot that attached these devices to my account basically set them up so they were mine. As such I was able to remotely lock all three of them, so whoever owns them can only see a short 'Stay out of my shit' message and a contact number for me. Sunday night I was able to reset two of them back to factory default remotely. While this feels like a little bit of justice, they could have JUST as easily done the same to me from inside my account.
It can be scary out there, and a lot of the time, most of us are too acclimated to the internet to realize how dangerous it is. There are a lot of things you can do to prevent this, and I'm not an expert on internet security, but here's a few tips.
- Change passwords often. Use random letters, numbers and special characters, and/or random words strung together. For example, @ppl3h0rsEba11scarr0Ts (apple horse balls carrots), which will make it impossible to guess and take forever for machines to crack. This example specifically is rated for up to 252 sextillion or 252,000,000,000,000,000,000,000 YEARS and is easy to remember after punching it in a dozen times or so.
- Keep track of old email addresses and once you haven't used them for a while, delete everything in them, then go to trash and delete them again, then deactivate the account.
- Never use your first name, last name or date of birth in your username, screen name or instant messengers. You will probably want an email like that for professional reasons, but it shouldn't be used for non-professional places. For example firstname.lastname@example.org would be great for LinkedIn but not so much for a dating website.
- Keep a list of places you have accounts somewhere safe, so if you switch email addresses you can just spend half an hour or so changing your account information over. I keep an encrypted spreadsheet on a thumb drive that requires its own password to access in a fire-proof lockbox.
- ALWAYS look at your public profile immediately after account creation. Take note of what's visible to people.
- If a non-government, non-current-employer site, forum or anything else requires what you consider to be personal information which other people can see, create a separate identity for yourself and keep that info somewhere in case you lose it. Be a 42 year old man named Chad Bennington from Brunswick New Jersey. Unless of course that's who you actually are.
- YOU are on social media. Unless you are a company page, don't let people find you by email. I can go to the member list here right now, grab a couple dozen emails and punch them into the search bar on Facebook and I guarantee I find someone who hasn't been here in 5+ years in less than 20 minutes. Go to your privacy settings - EVERY social media outlet has them - and read and customize EVERY option. Don't just select a pre-defined setting for the whole thing.
- When prompted for security questions, don't choose things like mother's maiden name, favorite cousin, favorite sports team, first car, favorite pet's name, etc. This is all information you've given people without realizing, and it is very easy to find out if you've made any sort of public posts. When choosing questions, ask yourself "Is this something my friends would know?" and if the answer is yes, pick a different one.
- When possible, ALWAYS use two-factor authentication (a second code on top of your password). My Steam account is worth significant dollars and I used to stream a lot. I've had people try to get into it before. Having Steam send me a text message with a specific code every time I log in can be a pain in the butt sometimes, but it's worth it.
- ALWAYS have a recovery account. You use your email for everything? Good. Set up another email and never use it. Make THAT the account your primary email sends password change notifications and such to. That way if someone breaks in, it's potentially easier to get back.
- Quit hoarding emails and private messages. Download what you absolutely must keep and then delete them. I know they're nice to have, but that conversation with the girlfriend you had for a month 12 years ago isn't going to be useful to anyone anymore. Neither is the confirmation number for an electric bill payment from more than a month ago. If someone gets in, they have less to play with.
- Once in a while, look through your accounts. If it's something you haven't used in a year and you don't see yourself ever using again, either wipe it of any sort of personal contact data or shut it down. You don't need that Ebaum's World account you created and never used.
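One thing worth seeing in numbers is how the "years to crack" figure for a passphrase like the one in the first tip depends on what the attacker assumes about it. The script below is an added example, not part of the original post: it estimates the keyspace of the post's example passphrase two ways, as a blind brute force over every printable character, and under the assumption that the attacker knows it is a few dictionary words with some letter-for-digit swaps. The dictionary size, number of substitution variants and guess rate are constructed assumptions, not measured values.

```python
import math

# The example passphrase from the post (four words with letter/digit swaps).
PASSPHRASE = "@ppl3h0rsEba11scarr0Ts"

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the smallest standard character class set that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(pw: str) -> float:
    """Keyspace in bits if the attacker tries every string of this length."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(n_words: int, dictionary_size: int, variants_per_word: int) -> float:
    """Keyspace in bits if the attacker knows the structure: n_words words
    drawn from a dictionary, each with a handful of capitalisation or
    letter-for-digit variants (assumed attacker model, not a measurement)."""
    return n_words * (math.log2(dictionary_size) + math.log2(variants_per_word))


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: half the keyspace on average."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def compare(pw: str, guesses_per_second: float = 1e10) -> dict:
    """Both estimates side by side for one passphrase (rate is an assumption)."""
    bf = brute_force_bits(pw)
    wl = wordlist_bits(n_words=4, dictionary_size=10_000, variants_per_word=4)
    return {
        "brute_force_bits": bf,
        "brute_force_years": expected_years(bf, guesses_per_second),
        "wordlist_bits": wl,
        "wordlist_years": expected_years(wl, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare(PASSPHRASE).items():
        print(f"{key:>18}: {value:.3g}")
```

The gap between the two rows is the point: length and mixed characters protect against blind brute force, but the words themselves (and common swaps like 0 for o) are what a smarter guess list goes after, which is why the post's advice to use words nobody would associate with you matters as much as the symbols.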
You can have an online life and an offline life, and those can cross over as often as you're comfortable with. It is however your responsibility to make sure that it doesn't cross over in a way you AREN'T comfortable with. That's all I've got off the top of my head. Some of you out there probably have even more advice. Throw it out here and I'll add it to the list. Stay safe out there, folks.
Edited by WindRider739 on February 20, 2018 at 14:32:23