15 November 2015

What to do if your personal data was leaked?

What to do if your personal data was leaked?

The main problem with data breaches is that you never know, when your personal data were exposed and who is responsible for that. The majority of data breaches occur a long time before they are noticed, and most small companies will never notify their users about the incident, even if they have knowledge of it. Furthermore, certain companies willingly share your personal information to third parties.

Recently there was a large number of public incidents, involving data breaches in many EU and American companies and agencies (Twitter, Comcast, FBI, Touchnote). As a result, certain amount of otherwise confidential information appeared on the Internet or in private possession of cybercriminals. The stolen information varies according to reports and may contain your full name, date of birth, email address, hashed password, physical address, phone number etc. In the age of social networking and people willingly sharing a bunch of stuff to everyone, an attacker can easily collect needed information from different sources based on previously leaked data.

What cybercriminals might do with your stolen personal information?

There are plenty of scenarios, in which your personal data might be valuable to attackers. You may fall victim to either random hack or targeted attack. Description of these two categories are beyond the scope of this article, but we will focus on common things that cybercriminals might do:

1. Extend leaked information

Even the most insignificant leak can lead to major losses. For example, information that you do not consider secret (e.g. your phone number, email address) can reveal your identity and make you a hacker’s target. Hackers can google your identity based on your phone number, or use, for example, Facebook search to find your profile using your phone number or email address. If you have a Facebook page, an attacker will know your real name, how you look, who you have friended, what your real home address is (especially if you own a business).

Based on your phone number cybercriminals already know your name, home address, names of your friends, etc. And they also know, which services you are interested in based on the source of the leak.

If your password (or password hash) was also leaked, the attacker will try to access popular online services using your password and possible account names, in case you are using the same password on different websites.
As a result, the attacker has a complete victim’s profile. It can be sold for a reasonable price on the black market.

2. Sell complete profile

Personal information buyers can use collected information to send you spam messages and try selling you some products (“legal” marketing), try to scam you, access your bank account, access other services, attack your employer, etc.

How to protect yourself?

I will provide some basic advice how to minimize possible losses, when your personal information is already exposed.

1. Use password manager to store your passwords

Never use the same password for different websites. Instead, use password manager that will keep your passwords safe. Modern password managers use password generators, so you do not need to come up with a new password every time, just generate one and store it.

2. Always access your bank account from a trusted computer

Do not use public computers, networks (public Wi-Fi) to access your bank account. Never use your phone to access bank account, especially if the bank sends you an SMS to access the account or make the transaction.

3. Always use unique answers to secret question

Secret questions are used to restore access to your account, when your email or phone is not accessible. A lot of online services and even banks rely on them. Never use common answers to typical questions, such as your mother’s maiden name, your favorite football team, or your pet’s name, because attackers can google them. Instead, use password generator to generate a random and unique answer. This way attackers will spend a lot of time trying to restore password and most likely will not succeed.

4. Access your corporate resources from a trusted computer

Never use your corporate addresses, phones, flash drives for personal use. Never access corporate resources from public computers or public networks. If you work from home, demand a secure VPN connection to corporate network.

5. Regularly change passwords to online services

Change passwords to online services on a regular basis at least once in 2 months. Please, do not follow advice of UK’s spy agency GCHQ on recommended password policy!

6. Monitor exposure of your personal information on the Internet

You can use free Google Alerts service to monitor exposure of your personal data. Just subscribe for results, which contain your name, address, phone number, email. If Google is able to spot this information, this means data leak has occurred.

7. Trust no one :D

Back to the list

Latest Posts

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Today Microsoft has released security fixes for 60 vulnerabilities in total. Among them 2 zero-days in Windows Shell and Internet Explorer.
15 August 2018
Microsoft patches for June 2018

Microsoft patches for June 2018

50 vulnerabilities patched, some of them are potentially wormable.
13 June 2018
VPNFilter, attacks on routers and why external scanning is essential for security

VPNFilter, attacks on routers and why external scanning is essential for security

How to protect your router from VPNFilter and other attacks.
8 June 2018
Featured vulnerabilities
Denial of service in Asterisk
Medium Patched | 24 Sep, 2018
Multiple vulnerabilities in MediaWiki
Low Patched | 21 Sep, 2018
Remote code execution in Microsoft Jet Database
High Not Patched | 21 Sep, 2018
Remote code execution in Mozilla Firefox
Medium Patched | 21 Sep, 2018
Multiple vulnerabiltiies in Mozilla Firefox ESR
Medium Patched | 21 Sep, 2018