You've heard reports that your social or professional networking service provider's systems or your e-mail service provider's systems may have had a security breach allowing hackers to see your password.
What do you do? You might change your password for that account, right? Sure, but you probably won't be able to stop there if you want to protect yourself. You need to develop a more complete response. First, you need to map the extent of the risk. Here are a few ideas:
- Make a list of all accounts where you use the same User ID as the potentially compromised account. If you are very active on-line, this could be a very long list. Quite often your e-mail address will be your user ID for multiple accounts. For example, LinkedIn, Facebook, Google, online shopping accounts, professional association websites, online access to employment benefits providers, and applications at the office might use the same email address as the User ID for the application. If you ever wondered why Canadian Privacy Commissioners think your e-mail address is personal information, here's why!
- Now make a list of all User IDs that are visible on the compromised account or are connected with the compromised account. What do I mean by this? You might have listed your Twitter address on a social or professional networking page. Is that Twitter address your User ID to log into Twitter? If so, add it to the list. Have you entered other email addresses? If so, add them to the list as well as all the other accounts that use these same credentials as User IDs.
- Now put a mark beside every account that shares the same password with the compromised account or uses a variation on the password used for the potentially compromised account. Yes, you are supposed to have a unique password for each account but we all know that most of you don't. You have a few that you rotate or use as variations of one another.
- Here's your last preparatory step: make a list of all applications that are launched from accounts listed in #3 and that store your passwords for other applications if they are not already on your lists. Put a mark beside those too because they may have been compromised. For example, does the application you use for Twitter also store the password for and post to Facebook on your behalf?
Now you have a map of the potential problem. It is probably much bigger than just changing the password for the potentially compromised account. If a hacker knows the password that is associated with a User ID or group of User IDs, the hacker has a starting point to hack your other accounts that you have helpfully listed or connected for the world (or at least the hacker) to see! If you only change the account that has been potentially compromised, you have locked the front door but left the windows and side door open. If you want to increase your protection, you should be thinking about changing all of these passwords.
Notice that I have not mentioned the potentially compromised account yet? That's because you should consider doing something different for that account. If you are not yet certain whether the alleged security breach has been fixed, you should chose a password that you will not use for any of the other accounts – not even a variation on what you will use for any other accounts. Otherwise, you might have to go through this all again in short order once the breach has been fixed. You might also wish to temporarily suspend any permissions you have given to the potentially compromised account to access your other accounts (for example, if you aggregate social networks or you use one account to post into another account).
Last step: You should monitor your accounts closely, particularly if they contained sensitive personal information (such as financial information) that could be used for identity theft. If you are a consumer and you have questions about identity theft, you may also wish to start with the Ontario Government's pamphlet on protecting your identity.
For more information, visit our Data Governance Law blog at www.datagovernancelaw.com
About Fraser Milner Casgrain LLP (FMC)
FMC is one of Canada's leading business and litigation law firms with more than 500 lawyers in six full-service offices located in the country's key business centres. We focus on providing outstanding service and value to our clients, and we strive to excel as a workplace of choice for our people. Regardless of where you choose to do business in Canada, our strong team of professionals possess knowledge and expertise on regional, national and cross-border matters. FMC's well-earned reputation for consistently delivering the highest quality legal services and counsel to our clients is complemented by an ongoing commitment to diversity and inclusion to broaden our insight and perspective on our clients' needs. Visit: www.fmc-law.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.