One of my Old Passwords Was Hacked on Six Different Websites and I Had no Clue

Keep reading to learn what you can do to check your passwords, and keep your information safe.

Andrew Henke
8 min read · Feb 23, 2018

Don’t Ever Have a Single Point of Failure

Passwords suck.

I remember the late ’90s, when my password was only 6 lowercase letters and I didn’t have any problem using it on all kinds of different websites and email accounts for years. I never got hacked or had any issues with it at all. The best part was I could actually remember the damn thing.

It was 1999, so I didn’t have much except for a Myspace account and a few email accounts. And then all of a sudden, things started to get complicated:

Your password must contain at least 8 characters, and at least one number.

“OK,” I thought, “That’s not too bad.”

So I added the last four digits of my social security number to my six letter password, which was really the same three-letter word twice. Best password ever, right?

I laugh about it now, but thankfully, I was extremely lucky and none of my accounts were ever compromised. Password requirements got even pickier as time went on, and today I use a password manager to store all of my passwords in a secure online vault.

So the other night I was on my laptop just browsing random sites when I stumbled on this site called haveibeenpwned.com. Apparently, this guy named Troy Hunt set up the site based on recommendations from The National Institute of Standards and Technology (NIST). In 2017 they recommended people check passwords against a database of known breaches to ensure that they are using a unique password. I checked my master password for my password manager, and it came back clean. Curious, I decided to check my old password.

Here’s what came up on the screen:

This was somewhat disturbing to me but not really that bad considering I had changed all my passwords a long time ago. It was more disturbing to think about the people who still use the same passwords over and over again, including passwords listed in the breach data.

Before 2-factor authentication and email login verification, passwords were the only line of defense stopping an intruder from accessing your accounts. When the Internet was still in its infancy, there were few or no requirements for passwords.

Nowadays, there are much more stringent password requirements when you sign up for a new account anywhere over the internet. Many of these requirements vary from site to site. This makes it harder to use unique passwords for different accounts when you have to remember so much more information. As a result, people commonly use the same password for all of their different accounts. This is a terrible practice that can have very severe consequences, so don’t do it!

The last few decades have brought us to the point where it is extremely difficult to live in today’s modern society without the need to access and transfer personal information via the Internet in some way. As a result, we are much more vulnerable because of the amount of personal information we divulge to others over the internet. This information is usually kept secure. Unfortunately, no matter what we do, hackers will always find a way to hack stuff. That’s just what they do. Let’s see how they do it.

Let’s say you have an account on a hypothetical website. Its development team knows that SQL injection attacks are easily preventable, and they make sure that any user input sent to the server is sanitized to prevent these types of attacks. Unfortunately, one day, the development team makes a huge mistake. They edit the site’s back-end code but neglect to perform a security audit before publishing their changes to the web.

The site functions completely normally, until a hacker discovers that the website screwed up and left a security hole wide open for anyone to take advantage of. He sends a few specially crafted SQL queries to the server, and now he has instant access to the entire database of user accounts (including yours), which he can easily pull off the compromised server into a text file and then sell or give away to other hackers and criminals.

The value people see in these lists has to do with the fact that people often use the same password on multiple websites, which, as I have mentioned, is a really bad idea. But how else can you remember all of them without writing them down somewhere? (This is also a terrible idea unless you store them in a secure location.) We will get to that in a moment.

Check your Password(s)

Using this site, you can quickly check if your password is located in the massive database of account breaches containing billions of stolen credentials.

The site was created by Troy Hunt, a Microsoft Regional Director who also writes courses for Pluralsight.

Troy Hunt: Founder of haveibeenpwned.com

You can be confident that you are safe checking your passwords on the site. He does not save any of the queries, and he is one of the world’s foremost security professionals. Troy receives worldwide recognition for his work, as well as for his haveibeenpwned.com website.
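As an added example (not code from the post, and not Troy Hunt’s own code), here is how a client checks a password against the Pwned Passwords range API that the site exposes without ever sending the password: only the first five characters of its SHA-1 hash leave the machine, and the suffix comparison happens locally. The endpoint URL is the real one; the sample response text and its counts are constructed so the example runs offline.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint (k-anonymity API): only a 5-char hash prefix is sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(password: str, response_text: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' pair per line) and return how many
    times the password appeared in breach corpora, or 0 if its suffix is absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Query the live service for one prefix (network call; not used by the offline sample)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of "password": the real service returns
# hundreds of lines per prefix; the counts and the two other suffixes here are made up.
_, _PASSWORD_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:2",
    f"{_PASSWORD_SUFFIX}:3730471",
    "1E2AAA439972480CEC7F16C795BBB429372:1",
])

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        hits = count_in_range_response(pw, SAMPLE_RANGE_RESPONSE)
        print(f"{pw!r}: {'seen ' + str(hits) + ' times' if hits else 'not in sample'}")
```

To check a real password, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)` for the password’s prefix; the hash suffix still never leaves the machine.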

Keeping Your Accounts Safe

Use a password manager

I personally use LastPass. It’s completely free, and it’s great at generating completely random passwords. I recommend using 12 characters with all possible character types. If you see a checkbox that asks if you want to avoid ambiguous characters, it’s a good idea to make sure it’s checked. It makes sure that you don’t end up with lowercase L’s that look identical to capital I’s. (Common with sans-serif fonts.)
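As an added example (not LastPass’s code, and not from the original post), this is what a generator that follows the advice above does under the hood: draw 12 characters from a CSPRNG, guarantee every character class appears, and drop the glyphs that are easy to confuse in sans-serif fonts. The ambiguous set and symbol list are my own choices, not a particular manager’s.

```python
import secrets
import string

# Glyphs that look alike in many sans-serif fonts (what "avoid ambiguous characters" drops).
AMBIGUOUS = set("Il1O0|")
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

CLASSES = {
    "lower": [c for c in string.ascii_lowercase if c not in AMBIGUOUS],
    "upper": [c for c in string.ascii_uppercase if c not in AMBIGUOUS],
    "digit": [c for c in string.digits if c not in AMBIGUOUS],
    "symbol": [c for c in SYMBOLS if c not in AMBIGUOUS],
}


def generate_password(length: int = 12) -> str:
    """Return a random password containing at least one character from every class,
    using the `secrets` CSPRNG (the `random` module is not suitable for secrets)."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    pool = [c for chars in CLASSES.values() for c in chars]
    # One guaranteed pick per class, then fill the rest from the union of all classes.
    chars = [secrets.choice(cls) for cls in CLASSES.values()]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so the guaranteed picks are not always first.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def covers_all_classes(password: str) -> bool:
    """True if the password has at least one character from each class in CLASSES."""
    return all(any(c in cls for c in password) for cls in CLASSES.values())


if __name__ == "__main__":
    print(generate_password(12))
```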

Dashlane is another popular password manager that has good reviews. I may be compelled to try it in the near future because Lastpass has been somewhat temperamental lately and does not want to play nice with my Google Pixel. I would also like to see if the Chrome extension performance is better with Dashlane.

Password managers are a great tool, but make sure you read the user guide and learn a few things about it when you dive in. Make sure your master password is secure and don’t use it anywhere else. If you don’t like the idea of using a password manager, you can always use 2-FA instead.

2-Factor Authentication (2-FA)

It can be intimidating, but as long as you keep good track of your phone and keep backup access codes in a safe location, your accounts will be as secure as Fort Knox.

You could theoretically set all your passwords to “boobs” if you really wanted to (please don’t), and as long as you use 2-FA on those accounts, there is no way for anyone to login without the authentication code on your phone.

Just be aware that 2-FA was designed for security. If you lose access to your phone for whatever reason, it is designed to be much more difficult to verify you are the account owner and regain access to your account. I use Authy for my 2-FA enabled accounts because I can access it with a secure password which is stored in my LastPass vault. Fortunately, some companies allow you to print out an emergency sheet of access codes, allowing you to restore access to your account even if you don’t have your phone.

Sign up for the Notification Service

Just click on the link directly above and sign up to be notified if your accounts ever become compromised. If your email address shows up where it shouldn’t, you will be notified so you can take action as soon as possible.

Knowledge is Power

Most of those identity theft stories you hear about on the news could have been prevented, and although the websites that store your data are held to a certain degree of accountability, your best bet is to plan for the worst possible scenario. You probably don’t have to start wearing tin foil hats yet. Do yourself a favor, and take the appropriate steps to maximize the security of the personal information you place in the hands of others. If you make yourself a difficult target, do you think a criminal will waste his time with you or move on to an easier mark?

The Money Order Scam

This planet is full of people who do nothing all day except try and figure out new ways of stealing money from Americans.

And who can blame them? Especially when we just keep cashing those fake money orders. This shit has been going on for years. If you have never heard of this popular scam here’s the basic version of it:

The thieves find some reason to send you a money order for something you are selling, usually on Craigslist or eBay. They communicate in broken English (which amusingly seems to be getting better and better over time), then they make up some sob story about why they need the item shipped. Soon you receive a very impressive-looking money order that is for way more than the amount you had agreed upon.

Then they ask you to cash the (bogus) money order at your bank and keep more of the money than what was initially agreed upon for the item you are selling. Wow, sounds like a great deal! What a nice guy. He sure did a good job making that money order look really fancy. So good, in fact, that it fooled you, and the bank. But don’t expect any sympathy from them. Even a money order is your responsibility to verify before you present it to your bank.

The most annoying part about all this hacking and scamming is that it’s not even our fellow Americans doing the scamming anymore. I would feel like an idiot to get ripped off by someone in Curaçao that convinced me it was totally normal to send me a $1500 money order for a laptop I wanted $400 for.

“Sure buddy, I’ll just cash this fake money order at my bank and Western Union you the rest. No problem.”

How do people fall for this crap? At least if I’m getting scammed by someone in the US I know it’s just someone trying to come up with money to pay for their prescription medications.

If you enjoyed my article, don’t forget to follow me and share it with your friends on Facebook or Twitter. I’m thrilled that I have reached so many people here. Check out another related article below.

Andrew Henke

Science & Technology Enthusiast — La Crosse, Wisconsin