So Your Email Was Hacked. Now What?

YOUR EMAIL account has just been hacked. What
do you do?
If you’re thinking to yourself, “this would
never happen to me,” pay close attention. Because
the way technology’s going, it’s no longer a question
of if you’re going to get hacked, but rather when.

Your first intuition (and it’s a good one) should be to
isolate your computer by turning off Wi-Fi and, if your
computer has a hardwired connection to the internet,
unplugging that connection.

What comes next?


STEP 1: CHANGE YOUR PASSWORD (AND THIS TIME, GO WITH A PASSPHRASE)

Immediately change your password to a long and
unique passphrase. The National Institute of Science
and Technology now recommends the following (paraphrased):

• Use a unique passphrase that is at least 15 characters
long and difficult to guess. For example, “myalpacahaslice”
or “yourkangaroohasfleas.” No need to
use a mixture of upper- and lower-case letters, numbers
and special characters. New research has shown
that’s counterproductive – after all, a good password
is one you can actually remember.

• Check your chosen passphrase against a list
of commonly used or previously compromised
passwords. So-called “Pwned Passwords” are
over 550 million real world passwords that have
been exposed in past data breaches. You can
check your new passphrase securely at
www.haveibeenpwned.com/Passwords. On that
website, you can also check to see if any of your
accounts have been compromised in a data breach.

• That old rule about periodically changing your
passphrases? Don’t worry about it. Recent studies
have shown that periodic passphrase changes are
counterproductive. (This is a new and still controversial
rule, but the primary research backs it up.)
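
The first two recommendations above can be checked in a few lines. The sketch below is an added example, not code from the article or from Have I Been Pwned: it applies the 15-character minimum and looks the passphrase up the way the Pwned Passwords range lookup works, where only the first five characters of the passphrase's SHA-1 hash are sent and the match is made locally. The function names are hypothetical, and `constructed_fetch` is an offline stand-in with constructed sample data in place of a real network call.

```python
import hashlib

MIN_LENGTH = 15  # minimum length from the guidance paraphrased above


def range_query_parts(passphrase):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix is sent to the service; the 35-character
    suffix, and the passphrase itself, never leave the machine.
    """
    digest = hashlib.sha1(passphrase.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(passphrase, fetch_range):
    """Look the passphrase up via fetch_range(prefix) -> 'SUFFIX:COUNT' lines."""
    prefix, suffix = range_query_parts(passphrase)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # suffix not in the returned range: not a known breached password


def check_passphrase(passphrase, fetch_range):
    """Return a list of reasons to reject the passphrase (empty = acceptable)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    hits = breach_count(passphrase, fetch_range)
    if hits:
        problems.append("seen %d times in breach data" % hits)
    return problems


def constructed_fetch(prefix):
    """Offline stand-in for the range lookup. Constructed sample data: it
    lists only 'password', with a made-up count, plus two filler suffixes."""
    listed_prefix, listed_suffix = range_query_parts("password")
    if prefix != listed_prefix:
        return ""
    return "\n".join(["0" * 35 + ":3", listed_suffix + ":12345", "F" * 35 + ":1"])


if __name__ == "__main__":
    for candidate in ("password", "myalpacahaslice"):
        print(candidate, "->", check_passphrase(candidate, constructed_fetch) or "ok")
```

Against the real service, `fetch_range` would be a function that requests the range for the given prefix over HTTPS and returns the response text.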

STEP 2: ENABLE MULTI-FACTOR AUTHENTICATION
Once you have a good, unique passphrase associated
with your account, you should enable multi-factor
authentication (MFA), sometimes called two-factor
authentication (2FA).

MFA is an extra layer of security for your account:
It requires you to use two different methods of confirming
your identity before you’re granted access to
your account. Depending on your MFA provider, you
can receive a text, phone call or verification code in
an app when you log into your account. If you don’t
click the link in the text, answer the phone call or type
in the verification code, you won’t be granted access
to the account, even if you’ve correctly typed in the
password. This way, even if your password is compromised
in a data breach, your account will stay safe.

Head over to www.turnon2fa.com to learn how
to turn on MFA for your specific email provider.
And remember: This service is not limited to
email! You can enable MFA for your banking,
brokerage and other applications, too.

STEP 3: CHANGE YOUR SECURITY QUESTIONS
You’ve taken the time to create a unique passphrase
and you’ve enabled MFA. Now, as an added
measure, take another two minutes to update your
security questions and responses. Be mindful not
to use obvious responses; for instance, if you’ve
told everyone in the world the name of your beloved
family dog, maybe don’t select the question:
“What’s the name of your first pet?”

STEP 4: UPDATE YOUR COMPUTER’S SECURITY
It’s better to assume your computer has been compromised
than to continue on with hidden malware
lurking in your system. Here’s what to do next:

• While your computer is still isolated from an
internet connection, scan it using your installed
antivirus software.

• Reconnect your computer to the internet and
download any available updates for your antivirus
before running the scans again with the updates. If
you don’t already have antivirus software installed,
this would be an excellent time to do so.

STEP 5: INFORM YOUR CONTACTS
Now that you’ve taken remedial measures, take
action to stop people you know from being similarly
affected. Reach out to your contacts to let
them know that you were hacked and that they
should be extra cautious moving forward. If they
received an email from you while your account
was compromised and they clicked any of the links
in that email, they’ll definitely want to switch their
passwords. You might even consider sending them
this article so they can get a head start.
 
 
BY JOSH SHARFMAN