Three Things You Should Do Right Now To Protect Yourself Online

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

– John Chambers, CEO of Cisco

Corporate hacks, data breaches, and leaked celebrity photos: data security has seen almost non-stop news coverage in recent years.

You can’t do anything about hackers or about companies with inadequate security. Fortunately, there are some things you can do to reduce the likelihood of hackers gaining access to your accounts, and to minimise the impact if they do.

My Spotify account recently got hacked, which prompted me to improve security on my other online accounts. Here are three of the most important things I did, which you should also consider doing today.

Check Your Passwords

Adobe. Tesco. Sony. Vodafone. Yahoo. Domino’s. Forbes. Adult Friend Finder. Gawker. Ashley Madison. VTech. All of these sites have been hacked, and all have had their account data leaked. If you had an account with one of these sites, it’s likely that someone else now knows your password.

How do you find out if your data was leaked in any of these cases? HaveIBeenPwned.com allows you to enter your email address and search for it among over 220 million leaked accounts across all the above (and more) breaches. You can also sign up to receive notifications in case you are ever involved in a future leak.

If your details were leaked and you reused the password somewhere else, then you should consider that password public information and change it as soon as you can. To protect yourself against future hacks, one of the best things you can do is to use a unique, strong password for every account you have.
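HaveIBeenPwned also lets you check a password itself, without ever sending it: only the first five characters of its SHA-1 hash go to the Pwned Passwords "range" endpoint, and the match is done locally. The example below is added here and is not code from the post or from HaveIBeenPwned; the breach corpus and counts it uses are constructed stand-ins for the real response, and `online_range` is the only part that would talk to the service.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed, offline stand-in for breach data. The real endpoint is
# GET https://api.pwnedpasswords.com/range/<5-hex-prefix> and answers with lines
# of "<35-hex-suffix>:<count>". These passwords and counts are made up for the demo.
CONSTRUCTED_BREACH_CORPUS = {"password": 3861493, "123456": 23597311, "letmein": 236}


def split_sha1(password: str) -> Tuple[str, str]:
    """5-char hash prefix that leaves the machine, 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_range(prefix: str) -> str:
    """Build the response the range endpoint would return for `prefix` (constructed)."""
    lines = []
    for pwd, count in CONSTRUCTED_BREACH_CORPUS.items():
        p, s = split_sha1(pwd)
        if p == prefix:
            lines.append(f"{s}:{count}")
    # A real response also lists unrelated suffixes sharing the prefix; add one filler.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines) + "\r\n"


def online_range(prefix: str) -> str:
    """The real HTTP call (not used by the offline demo)."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as r:
        return r.read().decode("utf-8")


def parse_range_response(text: str) -> Dict[str, int]:
    """Map each suffix in a range response to its breach count."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str] = offline_range) -> int:
    """Times `password` appears in the corpus; 0 means not seen. Only the prefix is sent."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)
```

Pass `fetch_range=online_range` to query the live service; any non-zero count means the password is already public and should be retired everywhere it was used.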

Set Up Two-Step Verification For Your Email Account

Your email account can be used to gain access to almost all of your other accounts. Two-step verification is an extra hurdle that makes it much harder for a hacker to gain unauthorised access to your account, by requesting an extra code when you log on from a new device. Here’s how to do this for Google/Microsoft/Apple accounts.

If that seems like too much hassle, this article is worth reading to see the full impact of losing access to your email account. If you think reading the article isn’t worth your time either, then just tweet me your email address and password and I’ll set up two-step verification for you.

Only joking, you should never do that. Please set up two-step verification.

Pay Attention To The Little Padlock Icon In Your Browser

When doing anything online, realise that people can listen in. If you’re using public wifi, it’s possible for people to intercept all the messages going between your device and the website you’re visiting. One way to protect yourself is by making sure that the messages being exchanged are encrypted, which means that anyone listening won’t be able to understand them.

That little icon, what is it good for? Security!

How do you do this? Look out for the padlock icon in your browser, which means that a site is using HTTPS. HTTPS messages are encrypted, so anything sent between you and that site will be protected from prying eyes. Do not send or receive any sensitive information on a webpage without the padlock icon, especially if you are using a public wireless network.

Thanks for reading. If you found this useful, please recommend and share. Leave a comment or response if you have any tips of your own!


How I Lost Control of My Spotify Account

And How To Prevent Unauthorised Access to Yours

Monday morning. Bag down, headphones on, ready to get to work. But first some music.

Please enter your username and password.

Hmmm, I don’t remember the last time Spotify asked me that.

Incorrect password.

Sigh. I guess I’ll have to reset.

Password reset email sent.

Why am I not getting a password reset email?

Maybe I signed up with my Facebook account?

Welcome to Spotify, would you like to take a tour?

That’s weird, it thinks I’m a new user…


What Happened?

It took me surprisingly long to figure out why I couldn’t access my Spotify account. Someone had managed to log themselves into my account, and had replaced the email address on the account with their own. Luckily it was a premium account, so even though it took several days and a few emails back and forth, the Spotify support team reset my account and restored the playlists I had lost.

Luckily Spotify’s support team were fairly helpful in restoring access to my account

But why would anyone want to hack into my Spotify Premium account?

Surely no one hates ads so much that they would hack into someone else’s account to get rid of them rather than paying the monthly fee?

Months after this happened and I had forgotten all about it, I read this article about Spotify’s royalties model which revealed a motive:

All a fraudster has to do is set up a fake artist account with fake music, and then they can use bots to generate clicks for their pretend artist. If each stream is worth $0.007 a click, the fraudster only needs 1,429 streams to make their $10 subscription fee back, at which point additional clicks are pure profit. But… it’s possible to purchase stolen premium accounts on the black market, making the scheme profitable almost immediately.

So someone got control of my Spotify account, and was using it to play their own ‘music’ on repeat to extract royalties from the system. It turns out that it’s possible to make up to $600 monthly per account this way. But how did they get into my account in the first place?


My Mistake

This is where I have to admit that even though I’ve been interested in computer security for a long time, I’ve been lazy for a much longer time, and sometimes I reuse passwords. I know, I know… When I first set up my Spotify account I used a password I had used before. I didn’t bother changing it when I upgraded to premium.

It turns out that one of the things I had used that same password for was to sign up for an Adobe Photoshop trial. Oh and, in the meantime, Adobe got hacked and the details of 153 million accounts leaked. Oops.

So I’m guessing that some ethically compromised, entrepreneurial faux-artist out there realised that people would reuse their Adobe passwords for other things and checked all the hacked details to see if they could log into Spotify with them. And my account was one of those.


Lessons Learned?

Stop reusing passwords. Seriously! Stop it. Right now.

After this happened I read up a bit on best practices for personal online security, and wrote up a short summary of the easiest things with the greatest impact. You can read it here.

Thanks for reading, I hope you’ve found this useful. Please recommend and share so others can read this too. Leave a comment or response if you have any tips to share! Now, I have some passwords to change…