I have a confession to make: I used to reuse passwords.
It’s the number one security sin, but it was the early 2010s, I’d just left college and I couldn’t use one of the best password managers as I didn't know about them yet and they were just starting to become popular. In truth, I didn’t pay much attention to securing my digital life. This was a huge mistake.
In 2013, Adobe was hacked and the attackers got a list of 153 million usernames and passwords. These passwords weren’t encrypted which allowed people to read them — they were stored in plaintext — so once the list was out, attackers had all they needed to target unfortunate Adobe users like me.
That’s when I discovered what a credential stuffing attack is. It’s a lot simpler than the name suggests; the attackers take a stolen username and password and try it on as many sites as they can. Think of it like trying all the keys on a keyring on a locked door. That’s how they got into my Microsoft account since I was, unfortunately, using the same password there too.
It was a stressful time and given that your email account houses some of your most sensitive information, once they had access to that account, they could reset your passwords to lock you out of other websites and services too. But I kicked them out and learnt pretty quickly how to protect myself from then on.
More than a decade later, there are still attackers trying to get into my account, but there’s an important difference — they can’t now. So, I decided to share how I learnt from my mistakes and how you can easily improve your security to stop the same thing happening to you.
How to protect your accounts: in short
- Don't reuse passwords
- Enable Two-Factor Authentication
- Delete unused accounts
- Sign up to Have I Been Pwned
- Start fresh
1. Don’t reuse passwords
Okay, you’ve probably already guessed this one from earlier in the story, but one of the major issues I had when the Adobe hack happened was I was using the same password on multiple sites. So it was pretty easy for the attackers to use credential stuffing and break into my other accounts too.
Like others, the reason I did this is because there are a lot of passwords to remember! I obviously didn’t want to get locked out of an account, and password reset forms aren’t always that reliable, so I decided that the best course of action was a simple, easy to remember password I could use on all sites.
I thought it was secure as it has numbers, capital numbers and symbols. It wasn’t quite as risky as using “password” or “passw0rd,” but it wasn’t far off.
The best way to avoid this issue is to use a password manager like 1Password or Proton Pass (my preferred option). These store all your credentials in one place securely and can generate long, complex passwords for you to use, but never need to remember. Most have apps for your browser, computer and smartphone too, so you always have access to your passwords.
- Data breaches used to be big news because they rarely happened. But now, almost every week, another massive set of personal information reaches the wrong hands. A few weeks ago, a database containing 184 million passwords leaked, giving attackers a new set of targets. And with more automated or AI-based tools at the hackers disposal, it's getting even quicker and easier for them to try these details on all of your accounts.
2. Enable Two-Factor Authentication
One of the reasons attackers can get into some accounts so easily is that once they have your username and password, they can just sign in as if they’re you. But what if you had a unique token to show that you are really you, and without it, someone can’t access your account?
That’s the idea behind two-factor authentication (2FA). If you haven’t used this on your personal accounts, you may have done at work. It comes in various forms, but the most common are six-digit codes generated by an app or sent to your phone by SMS.
Requiring one of these codes along with your login details shows that not only do you know the username and password, but you have a known physical item with you that helps to verify it’s really you trying to log in.
This is one of the most effective ways to cut attackers off from your accounts, even if your passwords gets leaked. After I set this up for my Microsoft account (using the free Authy app on my smartphone), hackers kept trying to get into my account, but they never can. It’s an easy way to shore up your defences.
I only know this, though, because Microsoft has a really useful Account Activity page which shows when and where sign in attempts come from and whether they were successful.
If you want even more security for your online accounts, you may also want to consider using a physical security key instead.
3. Delete unused accounts
There’s not really a lot to say on this one: if you don’t use an account anymore, delete it. It’s good to have a cleanup from time to time, and getting rid of old or dormant accounts means less clutter and fewer opportunities for your data to go awry.
Not every site gives you an easy “Delete account” button, but if you head to the company’s privacy policy (usually linked in the footer at the bottom of a website), you can find a privacy contact and send an email to request they delete your data.
Plus, in the years since I was hacked, authorities around the world have strengthened privacy regulations, so in many places, there’s now a legal obligation for the business to comply with your request. This is why you can do things like delete your Google account so easily these days.
4. Get notifications from Have I Been Pwned
Yes, Have I Been Pwned is a strange name for a security website (pwn is hacker slag for gaining unauthorized access), but it is easy one of the best free security resources for protecting your accounts. Troy Hunt, the man behind the site, collates data from hacks and can send you alerts when your account is involved.
This is how I would later find out my details were leaked in the MyFitnessPal, NetGalley, LinkedIn and Last.fm breaches, alongside many, many more — usually random sites I had no memory of even signing up to (and had probably stored my details for at least a decade without my realizing).
It’s easy to use and gives you a very early heads up when you need to change passwords on a hacked account. Hacked data can be messy and difficult to verify, so if you want to check if a specific password has been compromised, there’s a searchable Pwned Passwords database too.
- You can perform a manual check of your email address on Have I Been Pwned, but I recommend using the Notify Me service to get an email notification as soon as a hack includes your details.
5. Consider a clean start
By the time hackers were knocking at my virtual door, I’d used my Hotmail email account for almost 15 years. It had built up a long history, and now it was a target, I decided it was time for a fresh start. That’s when I switched from Outlook to Gmail, and more recently, to Proton Mail (which we rate as the best email service for security).
It was a lot of work — I won’t lie to you about that. Going through every account that I had, changing the email address, creating a new password, and setting up 2FA was a big time suck. But it was worth it. My current address has only been involved in one leak (thanks, Twitter), and so there’s less of my data floating around.
Plus, starting from scratch meant that I could make more deliberate security choices. I became more mindful which services I chose to sign up to, where I put my details and how I protected the account. I rarely use my actual phone number unless I have to, and I make sure I opt out of marketing lists.
These aren’t fool-proof techniques that’ll keep your account secure forever; your data is at the mercy of whichever company controls the account. But it does mean I’ve had fewer security issues, I don’t need to worry that someone will get into my account (as they can’t) and I barely get any spam emails now too.
- While it's always a good idea to get rid of unused email subscriptions, risks that way lie too. Some email unsubscribe links direct you to a malicious page to either steal data or download malware. Instead, click the "Unsubscribe from newsletter" buttons that your email provider puts at the top of the email.
