Online Accounts are Valuable
Bad actors want access to your accounts. They can use stolen credentials in many ways: steal information from you, assume your identity to trick your friends in effective phishing campaigns, sell your username/password combination. The list goes on. Make sure you are protected and don't become one of those people on Facebook sending their friends malicious links in messenger.
I'm using Facebook as an example in this article because it's popular and easily relatable. You could really replace 'Facebook' with any other social media site or basically any other website at all that you have an account at.
Facebook is a huge target
Almost everyone has a Facebook account full of personal information, pictures and contacts. As well, it's been around long enough that many people are still using the same old password they had when they created their account. This makes it trivial for bad actors to hack into Facebook accounts. In most cases, it's not so much 'hacking' as much as it is 'reading a list of usernames and passwords from other breached websites and trying them to see if they work'.
Old passwords are dangerous because they could exist on the dark-web on lists of usernames and passwords, compiled from breaches of other websites.
Hold on. How can I tell if my credentials are somewhere on the dark-web?!
You can quickly check to see if your email is on any of these lists by visiting haveibeenpwned.com and entering your email address.
I know it sounds sketchy but this is a legitimate service. Trent IT subscribes to this site so that we get early warning when @trentu.ca accounts are found in any new breaches. We can then inform affected individuals as quickly as possible.
Below is a screenshot of a result from entering my own email:
(What does pwned mean?! -- It originated in the early days of online gaming as a typo of the word 'owned', and it somehow caught on at the time.)
Above we can see that it is telling me I had used my email to make a LinkedIn account, and that in 2016 it, along with 164 million other emails and passwords, was exposed.
If I recall, I got an email from LinkedIn about this warning me that a password change was needed, but that isn't always the case. Sometimes the breached sites aren't aware or don't warn of the breach.
Before we leave haveibeenpwned.com, it has another useful feature where you can type in a password and it compares it to a database of 500 million passwords that have been captured from breaches and the like.
If you put your password in and it says it's on the list, it would be a very good idea to go to whatever sites you are using that password with and change them.
This is what it looks like if it matches your password to a breached password. This is one of my earlier passwords that I thought was pretty unique at the time. I guess I thought wrong.
If typing your password into some website you just read about online sounds a little iffy, good! You are sufficiently paranoid! However, in this case it's designed in such a way that anonymity is preserved. If you're curious, the magic behind the design is detailed on this page.
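The k-anonymity range query behind that design, as an added example written for this post (not Trent IT's code or Have I Been Pwned's own client): only the first five characters of the password's SHA-1 hash leave your machine, and the match is done locally against the list that comes back. The network call is replaced by a constructed stand-in response; the endpoint form https://api.pwnedpasswords.com/range/<prefix> is the public Pwned Passwords API as I understand it.

```python
import hashlib
from typing import Callable, Dict, Tuple

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; the API works on hashes, never on plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(full_hash: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is all that is sent, the 35-char suffix stays local."""
    return full_hash[:5], full_hash[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines returned for one prefix into {suffix: breach count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breaches; 0 means it is not on the list."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)

# Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (endpoint as I
# understand the public API). The suffixes and counts below are constructed for this example;
# the middle line is derived from the hash of "password" so the lookup has a hit to find.
_LEAKED_SUFFIX = split_hash(sha1_hex("password"))[1]
CONSTRUCTED_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    f"{_LEAKED_SUFFIX}:3730471",
    "0195F0E0C6A6F6A6BF3B2D67C2A8D4A1B66:1",
])

def offline_fetch_range(prefix: str) -> str:
    """Stands in for the HTTP call; checks that the caller really sent only a 5-char hex prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("only a 5-character hex prefix may be sent")
    return CONSTRUCTED_RESPONSE

if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase nobody reused"):
        print(pw, "->", breach_count(pw, offline_fetch_range))
```

Swapping offline_fetch_range for a real HTTP GET of the prefix is the only change needed to query the live service.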
Ok, back to Facebook
So now that we know that there are people out there utilizing these lists of usernames and passwords and trying them on sites like Facebook to access other people's accounts, what can we do about it? (Side note: this is how the CRA breach worked in early 2020 as well.)
Defending your account
The most effective way to protect your accounts boils down to two things:
A strong password (9 characters including 3 types of characters is considered very strong currently). If you haven't changed it in a long time, you definitely should.
Multi-factor Authentication, aka MFA or 2FA. (Note: you can set this up for your Trent account now too!)
This is the process of not only entering your password to log in, but also entering a code that changes all the time, which you can either have texted to you, or see and use from an app such as Google Authenticator (search your app store). This way you need both something you know (your password) and something you have (your phone) to log in.
How am I supposed to remember all my passwords AND make them more complicated?
The answer is a password manager. The idea is that you remember the one password that gets you into your password manager (make it extra strong!), and then you never need to remember any other password again, because the manager stores and fills them for you securely. Browsers and phones have corresponding extensions and apps as well, so you can configure them to auto-fill your logins however you access the web.
As well, since this software holds all of your passwords, definitely configure multi-factor authentication on it.
How to change your Facebook password
Now that we're all too aware of how old our Facebook passwords (potentially) are, go change yours:
From your phone:
Touch the three horizontal lines at the top right > scroll to Settings & Privacy > Settings > Security and Login > Change Password.
From your computer:
Log in to Facebook > click the little 'down arrow' button at the top right of your screen > Settings & Privacy > Settings > Security and Login > Change password
You'll see the option to Change your password. Do that now using a new, strong password, as discussed above.
How to setup Multi-Factor Authentication (MFA) on Facebook
After you've changed your password, click 'Use two-factor authentication'.
You can use the Google Authenticator app, or select to get a code texted to your phone on login. This way, even if someone did have your username and password, they still couldn't log in unless they also had your cellphone.
Ok, now what
Your Facebook account is as secure as you can make it. You definitely won't be joining the growing ranks of those folks posting ads on their wall or sending phishing messages out to all their Messenger contacts.
At this time, feel free to also look through the privacy settings etc. to see if there's anything else you want to tweak; however, I understand that's a whole topic unto itself.
Think about your other online accounts. Start with the most important ones first, things like your Trent account, email account, bank account, LinkedIn. Do they have old passwords too? Do they support MFA?
Tell your family and friends about the cool things you learned here today: Password managers, MFA, haveibeenpwned.com, spread the awareness!
Stavros Tzagadouris - Level 1 Information Security Officer - Trent University