Ghosts of passwords past: When old accounts come back to haunt you
by Sarah Brown on
If you’re reading this, you probably take your online security seriously — but was your past self as diligent? Most of us have been guilty at some point of reusing passwords or not making our passwords strong enough. But if you haven’t corrected those mistakes, your past just may come back to haunt you.
We’re going to help you clear out those virtual cobwebs and set you up to defend against any ghosts that may be trying to haunt your old accounts.
Here’s what you need to watch out for, and how to make sure all your accounts belong to the land of the living.
The Internet moves fast, and in our enthusiasm to try the latest and greatest, we often leave old sites behind. You might not ever have intended to “quit” Myspace or Ello exactly; you probably visited less and less over time, until it had been months, then years, since your last sign-in. Dormant accounts like these never really go anywhere — and they can come back to haunt you in a data breach.
Abandoned accounts are still full of personal and private information — everything from date of birth to credit card numbers — which leaves you vulnerable in the event of a data breach, like the one that happened to Myspace in 2013. Your email address, password, security questions, and personal identification information could be exposed and dumped on hacker forums or the dark web.
Go through and close any old accounts that you no longer use. But before you do, try to remove your address, phone number, and financial information, or overwrite them with dummy data. That way, even if the site doesn’t wholly purge old accounts, your data is safe in the event of a breach.
If you have older accounts that you don’t visit frequently but need to keep open, make sure you’ve updated your password to something strong and unique, and add it to 1Password anyway. You might not visit the site often, but if you store it in 1Password, Watchtower will alert you if the site is ever breached.
Abandoned email accounts have the potential to cause even more issues. If an old email address that you never check is listed as a recovery email for any of your current accounts, anyone with access to that email address could take full control of your other accounts by requesting a password reset.
And, if that old email account is listed as the recovery address for your current email account, the situation becomes even more serious, and could result in somebody taking complete control of your online life — from hijacking your social profiles and payment sites, to impersonating you to people you know.
This is a nightmare scenario, but it’s easily avoided. To keep your information safe, treat old email accounts with the same care that you’d treat your active ones — use a strong, unique password and two-factor authentication.
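The recovery-address chain described above can be audited from a simple inventory of your accounts. The Python sketch below is an added example, not code from 1Password or the original post; every account name, address and field name is constructed, and it assumes the worst case that a reset link sent to a compromised mailbox always succeeds.

```python
from collections import deque

# Constructed sample inventory (all names and addresses are made up).
# "address" is set only for accounts that are themselves mailboxes;
# "recovery" is the address that receives that account's reset links.
ACCOUNTS = {
    "old-webmail": {"address": "me@old.example", "recovery": None, "dormant": True, "two_factor": False},
    "main-mail": {"address": "me@main.example", "recovery": "me@old.example", "dormant": False, "two_factor": True},
    "work-mail": {"address": "me@work.example", "recovery": None, "dormant": False, "two_factor": True},
    "bank": {"address": None, "recovery": "me@main.example", "dormant": False, "two_factor": True},
    "social": {"address": None, "recovery": "me@main.example", "dormant": False, "two_factor": False},
    "forum": {"address": None, "recovery": "me@old.example", "dormant": True, "two_factor": False},
    "payroll": {"address": None, "recovery": "me@work.example", "dormant": False, "two_factor": True},
}

def takeover_reach(accounts, start):
    """Accounts that could be reset, directly or through a chain of
    recovery addresses, by someone who controls the mailbox `start`."""
    reached, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        address = accounts[current]["address"]
        if address is None:
            continue  # not a mailbox, so it receives no reset links
        for name, info in accounts.items():
            if info["recovery"] == address and name != start and name not in reached:
                reached.add(name)
                queue.append(name)  # if it is a mailbox, the chain continues
    return reached

def risky_mailboxes(accounts):
    """Dormant mailboxes without two-factor authentication, mapped to
    the sorted list of accounts a reset chain from them would reach."""
    report = {}
    for name, info in accounts.items():
        if info["address"] and info["dormant"] and not info["two_factor"]:
            reach = takeover_reach(accounts, name)
            if reach:
                report[name] = sorted(reach)
    return report

if __name__ == "__main__":
    for mailbox, reach in risky_mailboxes(ACCOUNTS).items():
        print(f"{mailbox}: a reset chain reaches {', '.join(reach)}")
```

Any mailbox that shows up in the report is one to secure first, or to remove as a recovery address from the accounts listed next to it.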
If you’ve ever received an email with your own password in the subject line, you’ll know these scams can be terrifying: the sender claims they’ve hacked your webcam, and have video evidence of you engaging in some rather…private acts. All you have to do, the scammer says, is send them some bitcoin, and they’ll go away. If you refuse, they’ll share the videos with everyone on your contact list.
This is known as a sextortion email, or email blackmail scam. Often, the scammer obtained that password from an old data breach at a completely different site. But if you’re using that same password on your email account, it can cause a moment of panic.
You can safely ignore emails like this, but they serve as a good reminder to check Watchtower for any compromised passwords. If you find a password has been included in a data breach, and you’ve reused the same password on multiple sites, you’ll need to change it everywhere. This stops anybody from using that password to access your other accounts — or fooling you into thinking they can.
An attack or breach on one service may seem bad enough, but when a breach is announced that affects you, it’s worth keeping a close watch on your other accounts — especially if you’re in the public eye, or have a large social media presence.
Credentials obtained from one data breach can be used to attempt to log in to other services, and data from one breach can be combined with data from other breaches, potentially giving attackers enough information to impersonate you online.
Have any password horror stories of your own? Share them with @1Password on Twitter! 👻