Steps to Take After Being Hacked

Some friends of mine recently called to let me know they had been hacked, and wanted to know my thoughts on how to respond. I sent this note to them directly, but figured I’d post it on my page as well so I can share it more broadly with friends and family if needed. Hopefully they never need to reference this.

Top Priority: Notifications

  • Your bank - maintain a copy of all correspondence

  • The FTC (identitytheft.gov) - maintain a copy of all correspondence

  • The police - maintain a copy of any reports they generate

  • Experian - place an identity theft notification and freeze your credit

  • TransUnion - (same as Experian)

  • Equifax - (same as Experian & TransUnion)

  • Clients - let them know you’ve been a victim of ID theft and ask them to tell you if they receive any suspicious emails from your account. Also, let them know that you’ll likely be switching to a new email/phone number soon and that you’ll tell them when you do. (It’s your choice whether you update your email/phone, but I suggest it.)

  • Friends & Family - (same comments as for clients)

Note: except for your conversations with clients, friends, & family, I suggest keeping a log of all the interactions you have with the organizations above. This doesn’t need to be anything fancy. A simple notebook with bullet points about your calls would work. If any of this gets investigated, or goes to court, having a simple ledger with that info would be really helpful, especially months or years later when you can’t remember it all so well. Anyhow, something like this would work:

  • Monday, 4 October 8:30 = Received call from Chase bank asking if I authorized a wire transfer. I said no.
  • Tuesday, 5 October 10:00 = ...
  • Thursday, 7 October = Spoke w/ _ at Chase Bank. S/he said __
  • Thursday, 7 October 12:00 = Called Experian
  • Etc.

Next Step: Resetting Accounts & Devices

Up-front note: I know it's super inconvenient, but I suggest resetting everything for which you have an account. Here are some top-of-mind thoughts on things I can imagine you’ll need to reset, but don’t limit yourself to this. If you have more accounts, reset them too.

Accounts:

  • Email - First, I would reset the password on your current email addresses. I would then create new email addresses altogether. When you do, you can open your old email addresses and set up a rule to auto-forward emails from your old address to your new one so you don’t have to worry about missing any emails. You can also check your old emails from time to time if you want. Once you have made the switch, I also suggest opening the shared documents associated with your old email (Google Sheets, Google Docs, etc.), going through them to figure out which ones you want to keep, sharing those with your new account, and deleting the rest.

  • Bank accounts - I would also visit your bank in person and let them know you want to close all your old accounts and open completely new ones. If they push back on this, insist. At this point, there is no arguing the fact that your account numbers, and associated personally identifiable information (e.g. name, login, phone number, etc.) have been compromised. I would replace all of your accounts.

  • Amazon / Any online shopping outlet you use - Delete your accounts and create new ones… especially if you use the same email or password for Amazon that you do elsewhere.

  • Online tax accounts (e.g. IRS, NY.gov, etc.) - If you use state or federal tax payment options, reset your user name and password for your accounts. I also suggest sending them an email to let them know you’ve been a victim of ID theft. You probably won’t hear anything back, but keep the email in case someone tries to use your info to file a fraudulent return in the future.

  • Tax software (e.g. Turbotax) - It probably wouldn’t make sense to delete your account and start a new one here because they retain your tax records anyway. But if you use online tax prep software, I would log in and reset your username and password.

  • Social media sites - As a going-in stance, I recommend against social media altogether. But if you need it for business reasons, or just like it that much, reset your usernames and passwords.

  • Netflix, Hulu, or any other paid streaming services - Delete these accounts and start new ones.

  • Venmo / Paypal / etc. - Delete these accounts and start new ones.

Devices:

  • Router - if you don’t know how to update your wifi name and password, call your internet service provider and ask for help. They get these requests a lot, so they might even have a website set up already to walk you through the steps.

  • Laptops - in the near-term, I suggest installing anti-malware software on your laptops. If and when you can afford to do so, I suggest getting new laptops altogether.

  • Phones - I suggest getting new phones, and new numbers. For a few months, you can keep your old phone so you don’t miss anything and can remind clients, family, and friends of your new number. But do not do anything from your old phone during this period. In fact, I would keep it turned off and only turn it on to check it once a day, maybe less.

Finally: Make Your Accounts & Devices More Resilient

  • Set up two-factor authentication for every account possible

  • Use unique logins and passwords for all accounts. At the absolute minimum, ensure you have unique passwords for all accounts. I also suggest creating unique logins for your accounts as well. Most people use their email addresses as their logins, so if you own your own domain name this is especially doable: you can create a simple schema for all your accounts so you can remember them quickly, and create a unique email address for each.

    For instance, assume I own the domain ‘mydomain.com’ and I have it set up through Google so I can create multiple email accounts for that domain (a fairly common setup for businesses). I could do something like this:

  • Account: Amazon
  • Email: myamazon@mydomain.com
  • Password: unique_password_1
  • Account: Netflix
  • Email: mynetflix@mydomain.com
  • Password: unique_password_2
  • (Repeat for each account...)
    This might seem extreme, but it's not as difficult to manage as you might think. The only downside is that you usually have to pay for anything over three accounts (if you use Google anyhow), but in my eyes it is worth it to be able to silo all of your online accounts like this.
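    One practical payoff of the one-address-per-account schema above is that the address a message arrives at tells you which account it was given to, so mail hitting the Amazon alias from anyone other than Amazon points at a leak or a phishing attempt. The script below is an added example (not from the original post) that classifies messages that way; the alias map, expected sender domains, and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed alias map following the schema above (assumed addresses).
ALIAS_TO_ACCOUNT = {
    "myamazon@mydomain.com": "Amazon",
    "mynetflix@mydomain.com": "Netflix",
}

# Constructed: the sender domain each account is expected to mail from (assumption).
EXPECTED_SENDER_DOMAIN = {
    "Amazon": "amazon.com",
    "Netflix": "netflix.com",
}


def classify(raw_message: str) -> dict:
    """Return which siloed alias a message hit and whether the sender fits it."""
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    to_addr = to_addr.lower()
    sender_domain = from_addr.lower().rsplit("@", 1)[-1] if "@" in from_addr else ""
    account = ALIAS_TO_ACCOUNT.get(to_addr)
    if account is None:
        verdict = "unknown-alias"  # not one of the addresses handed out under the schema
    else:
        expected = EXPECTED_SENDER_DOMAIN[account]
        if sender_domain == expected or sender_domain.endswith("." + expected):
            verdict = "expected"
        else:
            # Only this one service was given this alias, so another sender
            # using it means the address leaked or is being used for phishing.
            verdict = "alias-misused"
    return {"alias": to_addr, "account": account, "sender_domain": sender_domain, "verdict": verdict}


# Constructed sample messages (not real mail).
LEGIT = "From: Amazon <ship-confirm@amazon.com>\nTo: myamazon@mydomain.com\nSubject: Your order\n\nShipped.\n"
SUSPECT = "From: Account Team <billing@mailer.example>\nTo: mynetflix@mydomain.com\nSubject: Verify your account\n\nClick here.\n"
STRAY = "From: someone@somewhere.example\nTo: other@mydomain.com\nSubject: Hi\n\nHello.\n"

if __name__ == "__main__":
    for sample in (LEGIT, SUSPECT, STRAY):
        print(classify(sample))
```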

  • Use strong passwords and a password manager. I use KeePassXC, and am happy with it. If using a password manager seems confusing, you can also create your own ‘algorithm’ for creating strong passwords and remember that. By creating your own ‘algorithm,’ I mean a routine you can apply to all your passwords that makes them easy for you to remember, but ensures the passwords are long and unique.

    I’d still advocate for the use of a password manager. But some folks just aren’t comfortable with that. So I think using an algorithm is a good option for creating strong but memorable passwords.

  • Set up credit and identity theft monitoring through your bank and/or one of the credit agencies.

  • Install anti-malware software on your devices. There are a ton of options here, so it's easy to get overwhelmed. I use Malwarebytes, which I think is OK. The main thing to remember here is that any anti-malware software is better than none (especially if you use a PC + Windows setup), so I wouldn't get too stressed reading reviews, etc. You can always upgrade, change, or add software later.