Here’s what to do if you’ve been hacked - The Washington Post

New research from the Identity Theft Resource Center showsthat the number of publicly reported data breaches from the beginning of 2021 to the end of September totaled 1,291, a 17% increase from the total reported throughout all of 2020.

Too many people find out they’ve been affected only after the damage has already been done. If you’re vigilant — and lucky — you might be able to stop a hack before it happens. And if you find yourself the victim of a hack or data breach, or think you might be, here’s our guide to the steps you should take immediately.

This one is a no-brainer: Change your passwords as soon as you’ve spotted some of the sketchy behavior we talked about earlier, or the moment you’ve confirmed that you’ve been hacked. It’s not uncommon for people to reuse the same password across multiple sites and services — if that sounds like you, move fast.

Ideally, you should be using different, strong passwords every time, and password manager apps like Dashlane and LastPass can be a huge help for this. Once they’re installed, you can use them to create secure passwords that they save for later use — all you have to do is remember the single master password that gets into those apps in the first place.

Thankfully, it can be pretty easy to tell if one of your passwords has been compromised. Web browsers like Google Chrome and Apple’s Safari can automatically detect when one of your saved passwords was previously exposed in a hack or data breach, and will strongly suggest you change your log-in credentials to something new and more secure. Apple’s iOS and iPadOS software also offers a security recommendations tool (Go to Settings -> Passwords -> Security Recommendations) that shows you all of your vulnerable online passwords in one place.

Fixing your passwords is just the start — you’ll also want to add another layer of protection. That’s where two-factor authentication comes in.

The most common form of two-factor authentication — or 2FA — relies on text messages. If you’ve ever been prompted to punch in a code that gets texted to your phone when logging into a website or service, you already have some experience with 2FA.

This kind of authentication is better than nothing at all, but it isn’t unbreakable — if someone was able to access your account with your wireless carrier, they could perform what’s known as a SIM-swap attack. Once that happens, every text message that would normally be delivered to your phone would instead be directed to the hacker’s, security code included. If at all possible, use an app like Authy or Google Authenticator instead. Rather than relying on text messages, these apps can generate single-use codes to help you securely log into your accounts.

Once you’ve locked down your other accounts, it’s time to start trying to recover ones you may have lost control of. Many commonly used services offer a suite of tools to help you verify your identity and regain access to your accounts, but some make it easier than others. Here’s how recovery works on some of the services you might be using.

Google: The company will let you verify yourself by contacting other devices connected to that account. On Android phones, that means you’ll get a notification that you can tap “yes” on to prove you’re the account owner. If you’re using an iPhone or iPad, Google makes that verification message available in the Gmail app. If none of that works, Google will send a recovery email to a backup email address if you’ve specified one in the past. To start, click here.

Apple: If someone has taken control of your Apple ID, start by visiting iforgot.apple.com. From there, Apple will ask you to verify your phone number and then sends notifications to your other Apple devices to help you reset your password — but only after you’ve confirmed your identity by punching in your Mac’s password, or your iPad’s or iPhone’s passcode.

Amazon: To start, Amazon will attempt to confirm your identity by sending a verification code to your phone. If that isn’t an option — say, if someone else has control of your phone number — your best bet is to call Amazon customer service. As part of the process, you may be asked to upload a scan of your driver’s license, state ID card or a voter registration card to verify your identity.

Microsoft: Visit the company’s account recovery site and type in the email address associated with your Microsoft account. You’ll be prompted to give Microsoft an account recovery code if you’ve already made one; if not you’ll have to fill out a short form that — among other things — asks you to provide an alternate email you have access to. From there, the company will send a four-digit code to that email address. Once you’ve verified the code, you’ll fill out another short form to start the recovery process.

When in doubt, calling a company’s customer service line can also be a good place to start. Unfortunately, in some cases, it’s nearly impossible to get a human on thephone to work through your problem. That’s especially true of social media services, like Facebook and Instagram — a little Googling quickly reveals a customer support number, but when we tried calling, a prerecorded voice message told us to instead visit Facebook’s Help Center to begin the recovery process.

Some hacks do more than expose your usernames and passwords — they also reveal deeply personal information, like your Social Security number. The biggest high-profile example is T-Mobile, which confirmed that personal data including SSNs, driver’s license information and dates of birth belonging to millions of past and present customers were exposed in a hack.

If you have reason to believe someone has obtained your Social Security number in a data breach, take a deep breath: There are ways to mitigate the potential damage, but you’ll need to act quickly. The best thing to do in a situation like this is to immediately freeze your credit reports, a process that basically prevents anyone — including yourself — from opening new lines of credit without “thawing” it first.

Thankfully, this process is less daunting than it may seem: You can visit the Equifax, Experian and TransUnion websites to get started, and it shouldn’t take more than 10 minutes with each service.

You’ll also want to make sure all of the gadgets you use — even the ones you pick up infrequently — are running the most up-to-date software. Gadget makers like Apple, Google and Samsung routinely release updates meant specifically to fix security flaws, oftentimes between the bigger, feature-packed updates that tend to get the most attention.

In fact, Apple released just such an update: The company’s new iOS 15 and iPadOS 15 for phones and tablets is less than a month old, but it released anupdate to version 15.0.2 to patch a vulnerability that could allow savvy attackers to run their code on your device. One of the company’s support pages for the update goes as far as noting that this vulnerability may have actually been used, though Apple declined to comment further when we asked about it.