You've heard reports that your social or professional
networking service provider's systems or your e-mail service
provider's systems may have had a security breach allowing
hackers to see your password.
What do you do? You might change your password for that account,
right? Sure, but you probably won't be able to stop there if
you want to protect yourself. You need to develop a more complete
response. First, you need to map the extent of the risk. Here are a
Make a list of all accounts where you use the same User ID as
the potentially compromised account. If you are very active
on-line, this could be a very long list. Quite often your e-mail
address will be your user ID for multiple accounts. For example,
LinkedIn, Facebook, Google, online shopping accounts, professional
association websites, online access to employment benefits
providers, and applications at the office might use the same email
address as the User ID for the application. If you ever wondered
why Canadian Privacy Commissioners think your e-mail address is
personal information, here's why!
Now make a list of all User IDs that are visible on the
compromised account or are connected with the compromised account.
What do I mean by this? You might have listed your Twitter address
on a social or professional networking page. Is that Twitter
address your User ID to log into Twitter? If so, add it to the
list. Have you entered other email addresses? If so, add them to
the list as well as all the other accounts that use these same
credentials as User IDs.
Now put a mark beside every account that shares the same
password with the compromised account or uses a variation on the
password used for the potentially compromised account. Yes, you are
supposed to have a unique password for each account but we all know
that most of you don't. You have a few that you rotate or use
as variations of one another.
Here's your last preparatory step: make a list of all
applications that are launched from accounts listed in #3 and that
store your passwords for other applications if they are not already
on your lists. Put a mark beside those too because they may have
been compromised. For example, does the application you use for
Twitter also store the password for and post to Facebook on your
Now you have a map of the potential problem. It is probably much
bigger than just changing the password for the potentially
compromised account. If a hacker knows the password that is
associated with a User ID or group of User IDs, the hacker has a
starting point to hack your other accounts that you have helpfully
listed or connected for the world (or at least the hacker) to see!
If you only change the account that has been potentially
compromised, you have locked the front door but left the windows
and side door open. If you want to increase your protection, you
should be thinking about changing all of these passwords.
Notice that I have not mentioned the potentially compromised
account yet? That's because you should consider doing something
different for that account. If you are not yet certain whether the
alleged security breach has been fixed, you should chose a password
that you will not use for any of the other accounts – not
even a variation on what you will use for any other accounts.
Otherwise, you might have to go through this all again in short
order once the breach has been fixed. You might also wish to
temporarily suspend any permissions you have given to the
potentially compromised account to access your other accounts (for
example, if you aggregate social networks or you use one account to
post into another account).
Last step: You should monitor your accounts closely,
particularly if they contained sensitive personal information (such
as financial information) that could be used for identity theft. If
you are a consumer and you have questions about identity theft, you
may also wish to start with the Ontario Government's pamphlet on protecting your identity.
FMC is one of Canada's leading business and litigation law
firms with more than 500 lawyers in six full-service offices
located in the country's key business centres. We focus on
providing outstanding service and value to our clients, and we
strive to excel as a workplace of choice for our people. Regardless
of where you choose to do business in Canada, our strong team of
professionals possess knowledge and expertise on regional, national
and cross-border matters. FMC's well-earned reputation for
consistently delivering the highest quality legal services and
counsel to our clients is complemented by an ongoing commitment to
diversity and inclusion to broaden our insight and perspective on
our clients' needs. Visit:
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).