About two years ago, Peter Marks received a text message from an old friend with a cryptic question: “Have you really lost control of your Facebook account?”
No-one wants to have to deal with the stress and potential embarrassment of being hacked, and Peter — a security-conscious software developer and technology commentator — was spooked.
It didn’t take him long to figure out what had happened.
A hacker had set up a copy of his profile, along with a single photo and a copy of a recent post, and started to message his friends.
“There were some funny conversations. It was some sort of sales scam, and [the hacker was] talking about a business opportunity. I guess the idea was to leverage my network and [my position] as a trusted friend to send out the scam,” Peter says.
Cloning is just one of the many ways our digital lives can be invaded by strangers. It’s something that happens all the time, and it can be upsetting and unsettling when it happens to you.
Thankfully, Peter reported the account and it was removed within an hour — but it’s not always that easy.
Here’s how hackers can catch you out on social media and what you can do to minimise the risks.
Why you should never re-use a password
The number one way hackers access social media accounts is through re-used passwords, says Troy Hunt, a web security expert who created a site that allows users to see if they’ve been caught up in data breaches.
If you’re like me, your old passwords are all over the internet. When I typed in my email address to Mr Hunt’s search engine, HaveIBeenPwned, it appeared 12 times.
So how does it happen?
When we sign up for a new account or service online, our details are often recorded and stored in databases.
Over the years, hackers have broken into many of these databases and obtained all sorts of details about us, like email addresses, passwords, names and addresses. Lists of these details — or “credentials” as they’re often called — are then bought, sold and traded on the internet.
It’s scary stuff. In my case, hackers (or would-be hackers) can find old passwords, email addresses, usernames, my date of birth, answers to security questions and even location data.
Re-used passwords a hacker’s dream
It can be hard to remember passwords for every app and platform you’re on, but re-using them is putting you at risk.
These breaches are so widespread that we should assume that any passwords we’ve used before are insecure, Mr Hunt says.
“People being as people are, they re-use passwords across multiple services,” he says.
“What happens is that hackers take your exposed email address and password from one breached service and then they go to the social media account and they log in with the details there.
“One of the big challenges we’ve got is that this can be highly automated.
“Hackers will look at what the login process is for one particular service, they’ll take 100 million credential pairs (email addresses and passwords) from data breaches, and then they’ll just feed them into that login service of the target site.”
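The automated credential replay Mr Hunt describes has a recognisable shape in a site's own login logs, and that shape is what a defender looks for. The following is an added example (not from the article, Mr Hunt or HaveIBeenPwned) in Python over a constructed log format: one source address trying many distinct accounts inside a short window, which a single user mistyping their own password never produces.

```python
"""Spot credential stuffing in login logs. Added example, not from the
article. Assumed log format (constructed for this example):
    <ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>
Replayed breach pairs show up as one source trying many different accounts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts and hits one; 198.51.100.2 is one user with typos.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice@example.com LOGIN_FAIL
2024-05-01T10:00:02 203.0.113.7 bob@example.com LOGIN_FAIL
2024-05-01T10:00:02 203.0.113.7 carol@example.com LOGIN_OK
2024-05-01T10:00:03 203.0.113.7 dave@example.com LOGIN_FAIL
2024-05-01T10:00:03 203.0.113.7 erin@example.com LOGIN_FAIL
2024-05-01T10:00:04 203.0.113.7 frank@example.com LOGIN_FAIL
2024-05-01T10:00:10 198.51.100.2 grace@example.com LOGIN_FAIL
2024-05-01T10:00:15 198.51.100.2 grace@example.com LOGIN_FAIL
2024-05-01T10:00:20 198.51.100.2 grace@example.com LOGIN_OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3] == "LOGIN_OK"

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"users": n, "failures": n, "successes": [...]}} for every
    source IP that tried at least `min_users` distinct accounts within
    `window`. The successes are the accounts to treat as compromised."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0  # sliding window over this IP's events, oldest first
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users:
                flagged[ip] = {
                    "users": len(users),
                    "failures": sum(1 for _, _, ok in span if not ok),
                    "successes": sorted(u for _, u, ok in span if ok),
                }
    return flagged
```

On the sample, only 203.0.113.7 is flagged, with carol@example.com as the account whose re-used password was accepted.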
What you can do about it
There’s a simple solution to your password problems: a password manager. Troy and Peter both recommend them, because they can help us overcome the limitations of our memory.
There are a number of options available, but they work in much the same way. They allow you to generate and store strong and unique passwords for each account you have.
The beauty is you only have to remember one password — the password to the manager — rather than each and every one.
Here are some other tips from Troy and Peter for keeping your passwords safe:
- Create a strong password for your password manager. For something that’s easier to remember, Peter suggests using a passphrase, which is a series of words. They’re easier to remember and can be very secure. (Here’s a website that allows you to generate one.)
- Be particularly careful about the password to your email account. It’s the skeleton key to your digital accounts: if hackers have access, they can use account recovery services to access all sorts of things.
- Whenever possible, use two-factor authentication to secure your accounts. When two-factor authentication is enabled, you will need your password and another verification tool to log in. (This could be an authenticator app, a text message to your phone or even a physical USB key.) This makes it much, much harder for your account to be compromised.
- If you must write down a password, a physical password book is a better option than storing it digitally outside of a password manager. To hack you, someone would need to be in your house and view the book, which is highly unlikely.
What phishing is and how to avoid getting caught out
Even if your social media passwords are strong and secure, your accounts can still be compromised.
It’s obvious, but if you’ve shared your password with someone else, your account is never going to be completely secure.
“If you’ve shared passwords with your friends, and then you’re finding odd stuff on your account, you’ve probably not been hacked. It’s likely that the person you’ve trusted with that password is using it,” says Susan McLean, a cybersecurity expert and former police officer.
It’s an issue that often comes up in cases of domestic violence, Ms McLean adds.
“We know that online issues are present in about 98 per cent of domestic violence cases. It’s a very common way to create harm and havoc in someone else’s life,” she says.
Another risk is what’s known as phishing: when hackers try to trick you into giving up your account details or information using deception.
The hackers first send a “lure”, which could be a message, fake website or email. The lure might tell you that you need to change your password.
The aim is to make you panic, and feel like you need to act urgently.
“I’ve seen this happen to two friends who received Tweets saying words to the effect of ‘Someone is saying nasty things about you, you should check it out’, and a link. It’s hard to resist,” Mr Marks says.
“The page that looks like the login screen is fake and simply gathers your password for the attacker to use.”
What you can do about it
Here are some tips from Susan, Peter and Troy on avoiding phishing and other unauthorised account access.
- Don’t share your passwords to your social accounts.
- Be very wary of any links in emails or messages from people you don’t know.
- Use a search engine rather than links in email and messages to find login pages.
- If you get a concerning message relating to one of your social accounts, contact the social media service yourself separately.
More information about phishing is available from the Australian Government’s Stay Smart Online website.
What to do if your social media accounts are hacked
So, what do you do if your account has been hacked? Or you see something else strange, like Peter did when his account was cloned?
It’s a problem that social media companies deal with all the time, which means the process is streamlined.
When Peter reported the cloned account, it was taken down in less than half an hour. Whatever the problem is, it’s likely you’ll have to verify your identity, whether via phone, email or another means.
Reporting a hacked Instagram account
If your Instagram account has been hacked, you can get the process started by tapping “My login info isn’t working” on the login screen.
You can follow the prompts to get a security code that may help you access the account. If that doesn’t work, you can report the account. For more information, visit Instagram’s help centre.
Reporting a hacked Facebook account
Facebook has a website where you can report hacked accounts. Again, you’ll have to verify your identity as part of the process. If the hackers changed the email linked to your account, you will be able to reverse it.
To report someone who has cloned an account or is impersonating you, you can click on the (…) symbol on their cover photo and select “report”.
For more information, visit Facebook’s Help Centre.
Reporting a hacked Twitter account
If you can’t access your Twitter account, you can try to reset your password using the password reset form. If that doesn’t work, you can submit a support request, choosing “hacked account” from the list of options.
Twitter will then send you information and instructions.