Hacked Facebook Accounts


Over the past month, I have had several people approach me about their Facebook accounts getting hacked. As more people approached me, I became concerned and started noticing a disturbing trend. Everyone I talked to also had an old, abandoned Hotmail/Yahoo email address, which was also being accessed by a hacker.

I'm writing this article to explain one method I found that hackers are using to access your Facebook account. I'll also show you the steps you can take to protect yourself from this method.

Now, most of you are Millennials just like me. You first heard of Facebook back in your high school days and signed up with your Hotmail email address. Who didn't have a Hotmail account back then? Gmail wasn't even available to the public; I still recall when I received my Gmail invite back around 2006.

Here is where the problem begins. Most of us have never changed the email address on our Facebook account since then. Facebook sends you metric tonnes of email notifications every time someone invites you to play Candy Crush, etc. So why would you update it to your new email address, right?

As I mentioned previously, when talking to everyone whose Facebook account was hacked, I discovered that in almost all cases they also had a hacked Hotmail account. So I started to dig deeper. The hackers had most likely hacked the email account first and then either tried the same email address and password on Facebook, or clicked the forgot-password link so that Facebook would send an email to the old Hotmail address, allowing the hacker to change the Facebook password.

How are the hackers gaining access to these old Hotmail accounts, you may ask? Good question. I did even more digging around on the internet and discovered something very disturbing. Over the years, several large companies have been hacked. You may have briefly seen them in the news but not thought much of it at the time: names such as LinkedIn, Adobe, Forbes, MySpace, and the list goes on.

In each of these cases, the information stolen or 'hacked' was an enormous list of usernames, email addresses and, most critically, passwords. Here is how this ties in: all of this stolen info is being shared by the hackers and can be found publicly on the internet.

The MySpace data breach is an interesting case. In late 2016, usernames and passwords from MySpace started appearing on the internet. I know what you are thinking: who still uses MySpace? Good question. However, a guy by the name of Troy Hunt did some investigating and dated the stolen info to around 2008! And who didn't have a MySpace account back in our high school days?

Troy dug through all the usernames and passwords and found 360 million, yes I said million, MySpace usernames and passwords. So chances are, if you had a MySpace account back in the day, your username and password are publicly available on the internet. If you would like to know more about his research, you can find it here: https://www.troyhunt.com/dating-the-ginormous-myspace-breach/

Now let's be honest here: who reuses the same password on every site they create an account on? Yes, I know they say not to reuse passwords, but hey, we have all done it. So, chances are, if you had a MySpace account, your Hotmail or Yahoo email account had the same password. It's that simple. This is really just fallout from when MySpace got hacked, and remember, MySpace was not the only one that got hacked. MySpace, Adobe and LinkedIn are just a few notable ones.
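The chain described above (a breached site, the same password reused on the old email account, then a Facebook password reset sent to that email) can be checked against your own list of accounts. The following Python sketch is an added example, not part of the original article; the account inventory, the `pw` labels and the `exposed_accounts` function are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (not real accounts). "pw" is only a label
# saying which accounts share a password; never store the password itself.
# "recovery" names the account that receives this account's reset emails.
ACCOUNTS = {
    "myspace":  {"login": "me@hotmail.example", "pw": "A", "recovery": None},
    "hotmail":  {"login": "me@hotmail.example", "pw": "A", "recovery": None},
    "facebook": {"login": "me@hotmail.example", "pw": "B", "recovery": "hotmail"},
    "gmail":    {"login": "me@gmail.example",   "pw": "C", "recovery": None},
    "bank":     {"login": "me@gmail.example",   "pw": "D", "recovery": "gmail"},
}


def exposed_accounts(accounts, breached):
    """Return {account: reason} for every account at risk after a breach.

    An account is at risk if it appears in a breach, if it shares its
    login email and password with an account already at risk, or if its
    password-reset emails go to an account already at risk.
    """
    reasons = {}
    queue = deque()
    for name in breached:
        if name in accounts:
            reasons[name] = "listed in a breach"
            queue.append(name)
    while queue:
        current = queue.popleft()
        cur = accounts[current]
        for name, acct in accounts.items():
            if name in reasons:
                continue
            if acct["login"] == cur["login"] and acct["pw"] == cur["pw"]:
                reasons[name] = f"same email and password as {current}"
            elif acct["recovery"] == current:
                reasons[name] = f"password reset goes to {current}"
            else:
                continue
            queue.append(name)  # keep following the chain from here
    return reasons


if __name__ == "__main__":
    for account, why in exposed_accounts(ACCOUNTS, {"myspace"}).items():
        print(f"{account}: {why}")
```

With the sample inventory, a MySpace breach reaches Hotmail through the reused password and then Facebook through the reset email, while the accounts tied to the newer address are not affected.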

Steps you should take to protect yourself from this:

So, how can I prevent this from happening to me? Great question, here are some steps I would recommend you do:

1. Change your Facebook email address and phone number.

2. Deactivate your old unused email addresses or forward all the emails you receive to your new email.

Is there any way I can tell if my password is out there?

Yes, you can. Troy Hunt, who I talked about earlier, has done some amazing work. He is constantly watching the shadier areas of the internet in search of data breaches. When he finds them, he analyses the data and adds it to his website: https://haveibeenpwned.com

He does not publish the passwords. However, if you go to his website, you can enter your email address and it will tell you if your email address was ever included in one of these data breaches. It will even show you where it was stolen from.

You can also sign up to get notified, so should there ever be a data breach in the future and your email/password is included in it, Troy will send you an email. I would highly recommend you do this.

Posted in Blog on Jul 14, 2017