No “pwn” intended: how do I know if someone has hacked a site where I have an on-line account?


Part 7 of our series on Privacy and Data Security Best Practices.

“Pwned accounts”, you might be interested to know, is a term that went viral across the Internet thanks to a simple typo. Someone reporting that a hacker had ‘owned’ (i.e., illegally taken ownership of) a web account typed the word “owned” a bit too quickly and hit the adjacent keyboard letter “p” instead of “o”. Voila, a brand new geeky word was born. Today, tens of millions of accounts from companies around the world have been “pwned”, i.e., “owned” by hackers. And you can find them being actively distributed as part of a lucrative underground business on “the dark Net”, places on the Internet that most law-abiding folks never want to visit.

Pwned accounts are important for clinicians to be aware of because if they are not carefully handled, they can become an ‘Achilles heel’, allowing attackers to gain access to even more confidential data.

So, other than the affected company emailing you directly with a warning, how can you find out if one of your accounts might have been compromised?

The website ‘;--have i been pwned?, created by Troy Hunt, a well-known web security analyst, keeps track of over 3.7 billion accounts that have been hacked, exposing user IDs, passwords, and frequently other personal information. The site looks up any email address you enter to see whether accounts associated with it have been reported as “pwned”.

Keep in mind, though, that the information in this database exists only because the website breaches listed there are now widely available on the Internet. If your email address is not listed in the database, this doesn’t necessarily mean that all of your accounts associated with it are safe. Sometimes it can take years before a company knows it has been breached.

So here are five steps to help protect yourself before you find yourself on the list, and especially if you find your account has been pwned:

  1. Change the password on any pwned accounts immediately, if you have not done so already.  Consider the incident to be a potential breach, and investigate accordingly.
  2. Even if a particular web service is of relatively little importance to you, these accounts, if compromised, may be used to gain access to much more sensitive information. Called “credential stuffing”, this hacking technique relies on the fact that many individuals use the same or very similar passwords elsewhere. Therefore protect yourself by NEVER using the same password twice for any account. If you use the same or similar passwords for any other account, you are just asking for trouble. How do you keep your sanity while maintaining all of these unique, complicated passwords? Use a password manager.
  3. If you use a password manager, let it generate very strong, unique passwords for you. Wherever possible, we use passwords with 16 or more complex characters for pretty much every account we have. However, we never need to remember them because the password manager will automatically pop the user ID and password into the login field on your browser or smartphone. All you need to remember is the master password for all of your accounts.
  4. Use 2-step verification for Gmail, Facebook, LinkedIn, Office 365, your clinic EMR (if it doesn’t allow this as an option, they should), and any other web service that allows it. And, of course, use a password manager that is designed to support 2-step authentication for its own master password. “2-step” codes, sent via your smartphone or simple-to-use devices such as a YubiKey at the moment you start to log in, change every minute. This goes a long way towards protecting yourself from hackers collecting passwords through breached websites or malware.
  5. Check your web accounts, especially old ones, to make sure you have not configured the ‘password reset’ feature with what is now a little-used email address.  If hacked, that ancient email account could become a ‘back door’ to gain access to any other account that uses it for a ‘password reset’.  Use an email address that is very unlikely to change over time… a personal Gmail account, for example. And please make sure you have set that email account up with 2-step verification so that it doesn’t become the weak link, allowing hackers to change the password to all web accounts configured to send the ‘password reset’ message to this email address, locking you out, and giving them access.

What password manager should you use? It’s best to check the latest reviews, and carefully select it based on your clinic security policies.  There are free applications out there that can generate and store passwords, but because we value our accounts, we have elected to purchase yearly subscriptions to a robust commercial product that supports smartphones, 2-step verified master passwords, etc.
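Whatever manager you pick, the two things steps 2 and 3 ask of it are that it spots reuse across accounts, including the "same or very similar" case, and that it generates long random replacements. The following added example (not code from the page or from any particular password manager) shows both on a constructed vault: a normaliser that strips the usual year-and-symbol tweaks and letter-for-digit substitutions before comparing, a reuse audit over the vault, and remediation with 20-character passwords from the `secrets` module. The account names and passwords are invented for the example.

```python
import re
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Constructed vault for the example; none of these are real credentials.
SAMPLE_VAULT: Dict[str, str] = {
    "clinic-emr": "Summer2019!",
    "personal-gmail": "summer2020!",
    "old-webmail": "Summer2019!",
    "linkedin": "xk7#Qp2!vR9mL4sW",
}

# Letter-for-digit swaps commonly used to "vary" a password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalize(password: str) -> str:
    """Reduce a password to its core word so trivially varied copies compare equal:
    lower-case, drop leading/trailing runs of digits and symbols, undo leet swaps."""
    core = password.lower()
    core = re.sub(r"[\d\W_]+$", "", core)
    core = re.sub(r"^[\d\W_]+", "", core)
    return core.translate(LEET)


def find_reuse(vault: Dict[str, str]) -> List[List[str]]:
    """Groups of accounts whose passwords are the same or near-identical."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for account, password in vault.items():
        groups[normalize(password)].append(account)
    return sorted(accounts for accounts in groups.values() if len(accounts) > 1)


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG containing all four character classes."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def remediate(vault: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the vault with every account in a reuse group given a fresh password."""
    fixed = dict(vault)
    for group in find_reuse(vault):
        for account in group:
            fixed[account] = generate_password()
    return fixed


if __name__ == "__main__":
    for group in find_reuse(SAMPLE_VAULT):
        print("shared or near-identical password across:", ", ".join(group))
    print("reuse after remediation:", find_reuse(remediate(SAMPLE_VAULT)))
```

The normaliser is deliberately aggressive: it is meant to flag "Summer2019!" and "summer2020!" as the same password, because that is exactly the pairing credential stuffing tools try first, and a false positive here costs one extra password change.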

For more information on protecting your clinic’s accounts, see our Best Practices post entitled How can I protect access to my confidential accounts? Lessons learned from the PharmaNet breach.

If you need help, contact us.