Happy New Year! As I began 2024, I spent a little time last weekend evaluating my online presence and personal security practices. I thought it would be worth sharing my perspective on how I manage my personal online accounts and access to those accounts. In doing this, maybe I can motivate you to make it a point to evaluate and shore up your personal security practices to better protect your online presence.
First, what prompted me to spend my time indulging in such mundane activities? As you might be aware, there were recently three major security breaches that have broad impact. They are:
- The Mr. Cooper data breach on October 31, 2023
- The First American Title data breach on December 20th, 2023
- The 23andMe data breach on December 19th, 2023
I’ll start with the 23andMe breach. Initially, the company announced that approximately 14,000 accounts were compromised. The malicious actors used a tactic called “credential stuffing.” This tactic relies on the premise that users are lazy – users reuse passwords across multiple platforms, and they don’t routinely enable 2FA (MFA) on sites that make it available. It was later determined that more than 50% of 23andMe’s 14 million users had their personal data stolen. What is shocking is that 23andMe is publicly blaming users for reusing passwords, which it says led to the breach. They also publicly called out users for not enabling 2FA, which they made available in 2019.
This is an interesting stance, as I personally know a person who has an account. Their account has a unique password, and yet they were notified that their data was exposed, making the claims by 23andMe of password reuse suspect at best.
The other two mentioned breaches are concerning in that the attacks appear to be related – possibly a coordinated attempt to correlate mortgage transaction data from two entities. The data exfiltrated in these two breaches included names, addresses, bank account numbers and social security numbers as well as mortgage balances and details about the titles to mortgaged property.
I am not sure what the future holds regarding the use of that data, but suffice it to say that having that sort of data readily available for nefarious purposes is disconcerting.
After thinking through the implication of these breaches, I thought about my digital past – what accounts do I have out there that I’ve forgotten about? Maybe I used them at one time and now don’t. Maybe I have multiple accounts with hotel chains each linked to different email addresses.
So why should I care? In the past, password reuse was the normal practice. People didn’t care much about privacy or security, only convenience. We just didn’t understand the risk. But why should I worry about abandoned accounts?
There are two main reasons that come to mind:
- Since password reuse is likely a factor, it’s only a matter of time until a malicious actor uses data from a data breach to gain access to other sites including ones that you may have forgotten about.
- Access to forgotten accounts can be leveraged by the malicious actor to gain access to accounts that you are still using.
Access to these forgotten sites gives a malicious actor a leg up in attempting to impersonate you or assume your identity. Some forgotten sites may also disclose additional personal information that you might not want disclosed, or the malicious actor may be able to use the abandoned account as leverage to gain access to accounts that you are actively using. For example, let’s say you have two Hilton Honors accounts, each linked to a different email address. One account you haven’t used, and it has 35,000 points. Your active account has 75,000 points. If a malicious actor is able to access the unused account by using a password tied to the email address for that unused account, they can log in and request that the account they have “hacked” be combined with their own account, effectively taking your 35,000 points. They can also access your stays and other personal data.
Or maybe you signed up for a streaming service years ago and forgot that you had an account. If you reused a password and that password was leaked in a breach, your account might be providing somebody with “complimentary” streaming services!
Each account that you leave out there on the Internet has the potential to eventually come back and cause you some level of grief in the future.
So, I took the time to go through my accounts that I had saved on my iPhone and within my password managers. My goal was to do the following:
- Determine if I still needed or used the service – if I didn’t, I logged in and requested that the account be deleted and removed the account from my password vault.
- If I still used the account, I checked to make sure that I was using a unique password for it. If not, I changed the password. I did have a few accounts that needed the password changed. These were accounts that were created many years ago and rarely accessed.
- I also checked each account that I had to make sure that I had enabled 2FA for all accounts supporting that and that my login data was up to date in my password manager.
All this took a few hours to complete. If you have an iPhone, you can easily check your saved passwords for issues by going to Settings > Passwords > Security Recommendations. I suggest you fix any and all that are recommended. Also, many password managers will let you know whether your accounts are reusing passwords or whether any of your saved passwords have appeared on data breach lists.
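As an added example (not code from the original post), here is a small Python script that performs the same vault audit over a constructed CSV export: it flags passwords shared between accounts, lists accounts whose 2FA column (an assumed column, since export formats vary) is not set, and derives the SHA-1 prefix/suffix pair that k-anonymity breach-list lookups use, so the password itself never leaves your machine. The range response in `appears_in_range` is the `SUFFIX:COUNT` format such services return; the sample data and account names are constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (not a real vault). Columns mirror a typical
# "name,url,username,password,twofa" export; the twofa column is an assumption.
SAMPLE_EXPORT = """name,url,username,password,twofa
Hotel (old),https://hotel.example,me@old-mail.example,Summer2016!,no
Hotel,https://hotel.example,me@mail.example,Summer2016!,yes
Streaming,https://stream.example,me@mail.example,Summer2016!,no
Bank,https://bank.example,me@mail.example,x9!Qp#4vL2mT,yes
Forum,https://forum.example,me@old-mail.example,correct-horse-battery,no
"""


def audit_vault(csv_text):
    """Return reused passwords, accounts without 2FA, and the SHA-1
    prefix/suffix pair for a k-anonymity breach-list range lookup."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    # Any password shared by two or more accounts is a credential-stuffing risk.
    reused = {pw: names for pw, names in by_password.items() if len(names) > 1}
    no_twofa = [r["name"] for r in rows if r["twofa"].strip().lower() != "yes"]
    # Range query: only the first 5 hex chars of the SHA-1 are sent to the
    # service; the remaining suffix is compared locally against its reply.
    prefixes = {}
    for pw in by_password:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        prefixes[pw] = (digest[:5], digest[5:])
    return {"reused": reused, "no_twofa": no_twofa, "prefixes": prefixes}


def appears_in_range(suffix, range_response):
    """Return the breach count for a local SHA-1 suffix, given the
    'SUFFIX:COUNT' lines a range query returns (0 if not listed)."""
    for line in range_response.splitlines():
        found, _, count = line.partition(":")
        if found.strip().upper() == suffix.upper():
            return int(count.strip())
    return 0
```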
Once I finished this exercise, I felt more confident about my overall security posture knowing that my existing accounts were secured with a unique password (and MFA where possible) and that I had done what I could to remove stale online accounts. Moving forward, I have a plan in place to make sure any new accounts I create are secured with a unique password and MFA and stored in my appropriate password vault.