You didn't get hacked

The greatest threat to security is you


Let’s get one thing straight: a friend stealing your phone or getting onto your computer is NOT being hacked. You might as well have left your email open at a public computer at the library; you gave them access, and they performed zero tricks to force their way in. There’s a difference between being mugged and leaving your wallet unattended on the sidewalk.

Other times you realize that your account has been making posts and tweets while you were away. You race to delete each little nugget about a crazy weight-loss pill or a sick picture, and sometimes you end up deleting the whole account. Were you hacked? Probably not. When Facebook or Twitter itself is breached, it has so far affected many accounts at once rather than one singled-out person, and you are likely to hear about it on the news.

So what happened?

More than likely, social engineering happened. Social engineering is when the “hacker” never sits in front of a black screen brute-forcing passwords or hunting for hash collisions; instead, a person turns our instinct to help one another against us. Usually it involves impersonating someone who works at a company in order to get information out of people who are just trying to be helpful.

For example, say Bob impersonates a Walmart manager and calls up its data center. He drops a few key words here and there, like the name of the data service, and the person on the line hands Bob names, addresses, even credit card numbers. This happens because the person at the data center never considered that Bob could be faking it and making himself sound like a Walmart employee, so they followed their instinct to help him out. Now, I’m sure companies have a procedure for verifying requests like this, but you’d be surprised how often people skip it.

As a real-life example, CSS-Tricks was hacked without a single line of code. The attacker, going by the alias Earl Drudge, used nothing but social engineering to take down one of the most trafficked sites hosted by Media Temple. To hand over access to the server, the hosting company required a driver’s license (or something similar) belonging to the owner, after which the password/email reset process could begin. If only they had actually verified it. Earl sent in a fake driver’s license bearing the server owner’s name (readily found in WHOIS records, for example on whois.net) and a picture of a signature he found online. Lo and behold, the site was taken over without any code, just people not following their own verification procedure.

Stuff you might fall for

In my experience, there are two common ways that the bad guys try to get into your accounts, and there’s really no reason they should be so prevalent.

The first one is the good ol’ “it looks like the Facebook/Twitter/Gmail sign-in page” trick (better known as a phishing scam). One way or another, you find yourself trying to look at an article or picture that a friend sent, but it sits behind a login wall. The only thing is, that wall is fake. It may look like Facebook or wherever you wanted to go, but it isn’t. The page wants you to type in your email and password, and the box being on a login-looking page does nothing to protect them: when you hit submit they travel to whatever server the page chose, and even if that trip is encrypted, the person at the other end reads them in plain text. They get logged, and now whoever lured you in can type your email and password into the real site, and you would never know.

Companies that care about their customers’ security serve their login pages over HTTPS, so that the password is encrypted in transit. But that only protects you from eavesdroppers between you and the server; it says nothing about whether the server belongs to the site you meant to log into. A phishing page can have a padlock too. That decision is entirely up to whoever owns the domain, not you or your browser.

Why should this form of information stealing be less prevalent? Because in nearly every case the domain in the address bar will not be the one you were trying to reach, and that is the clearest, earliest red flag you could ask for. Look at the host name, not the page: “facebook.com.something-else.net” is not Facebook, and neither is a name with a swapped letter. A different domain literally means you are logging into a different website.
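The address-bar check above, written out as code so the rules are explicit. This is an added example, not code from the original article; the sample URLs are constructed and none of the lookalike hosts are real sites. The only thing that decides where a submitted password goes is the host name, so that is the only thing the function compares, after rejecting the common tricks (no HTTPS, a `user@host` prefix that shows a familiar name first, and non-ASCII homograph names):

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def login_url_verdict(url: str, expected_domain: str) -> Tuple[bool, str]:
    """Return (ok, reason): is `url` really a login page on `expected_domain`?

    `expected_domain` is the registrable domain you meant to visit, e.g.
    "facebook.com". Its subdomains (www., m.) are accepted; lookalikes are not.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # drops scheme, userinfo (user:pass@), port and path
    if host is None:
        return False, "no host name in URL"
    if parts.scheme != "https":
        return False, f"not https ({parts.scheme or 'no scheme'}): password would cross the network unencrypted"
    if "@" in parts.netloc:
        # 'facebook.com@evil.example' shows the familiar name first, but the
        # browser connects to evil.example.
        return False, f"userinfo before host; the real host is {host}"
    if not host.isascii():
        return False, f"non-ASCII host name {host!r}: possible homograph lookalike"
    expected = expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return True, f"host {host} belongs to {expected}"
    return False, f"host {host} is not {expected} (lookalike or unrelated site)"


# Constructed sample links (not real sites): the kind of thing a "friend" sends.
SAMPLE_URLS: List[str] = [
    "https://www.facebook.com/login.php",                      # genuine
    "https://facebook.com.secure-login.example/login",         # familiar name as a subdomain
    "https://www.facebook.com@secure-login.example/login",     # userinfo trick
    "http://www.facebook.com/login.php",                       # right host, no TLS
    "https://faceb00k.com/login",                              # digit-for-letter swap
    "https://f\u0430cebook.com/login",                         # Cyrillic 'а' homograph
]


def check_all(urls: List[str], expected_domain: str = "facebook.com") -> Dict[str, Tuple[bool, str]]:
    """Run the verdict over a list of URLs, keyed by URL."""
    return {u: login_url_verdict(u, expected_domain) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in check_all(SAMPLE_URLS).items():
        print(("OK   " if ok else "STOP ") + url + "  -- " + reason)
```

Only the first sample passes; every other one fails on a different rule, which is the point: the page can copy Facebook’s look perfectly, but it cannot make the address bar say facebook.com.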

The second overly prevalent trick is apps. The name of the game is to get you, the user, to authorize a malicious app. We’ve all been there: an app asks to use your Facebook account, and you are sent to another page to grant it certain permissions. Once that app has permission to post anything and read anything, it can have a field day. Note that the app never sees your password; it acts on your behalf with the access you granted it, which is why changing your password alone does not stop it.

Why is this stupidly common? Because you authorized the app to do all of those things. It came up, asked “Can I post stuff for you?”, and you said yes. If you don’t trust it, don’t hand it a license to kill (or post).

Your emergency guide to getting “hacked”

Okay, let’s take the scenario where you have been “hacked” (the reason quotes are so concentrated in this article should be obvious by now: you let it happen; no one used cunning and skill to infiltrate your account). No matter whose fault it is, the whole thing is, well, an ordeal. So here is your “stop, drop, and roll” for losing control of your account.

  1. Change your password immediately. If you can’t log in to do this, request a password reset; it goes to the email address on file, which is still yours unless the attacker managed to change it (if they did, skip to step 3). If the site offers it, also sign out of all other sessions, since on some sites a session that is already logged in survives a password change. This step makes sure that if your password did end up in someone else’s hands, they can no longer use it.
  2. Revoke app access one by one. Go into your app settings and start revoking any shady app’s access until the problems stop. Once you revoke access, that app can no longer act on your behalf, no matter what password you have.
  3. If neither of these works, contact the site. Just as you can call when your credit card is stolen, you can usually call or otherwise contact the site to recover the account.

Some people delete their accounts and start all over, when most could be solved by steps 1 or 2. So stop being a threat to your own security. Pay attention to the sites you go to and the permissions you allow apps, and stop getting “hacked.”