Protecting Your Accounts and Identity from Theft

Why Should I Care?

Because you need to know how much you're at risk, and what you can do to keep your accounts from being compromised and your identity from being stolen.

Recovering access to compromised accounts, or dealing with the fallout from identity theft, is stressful and time-consuming. You may never regain access to your accounts or your data, so it's far better not to get compromised in the first place.

Stolen Credentials

Stolen credentials are as valuable as cash to cybercriminals. Whether they sell the stolen data or use it to take over accounts, a single data breach can yield years of profit if the criminals can pivot from it into a victim's other accounts.

Data Breaches

Data breaches have exposed users’ personal information, such as e-mail addresses, passwords, names, addresses, social security numbers, dates of birth, and credit card information.

Some notable data breaches/leaks where customer information was exposed are:


In addition to data breaches/leaks, phishing attacks are becoming increasingly sophisticated and that’s just the tip of the iceberg.

Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. A phishing attack could even come from someone you know, without their knowledge, if their account or system was compromised.

Bad Password Hygiene

Stolen credentials are consistently among the leading causes of account compromise, and most of the damage they do stems from Internet users reusing the same, or similar, passwords across multiple accounts.

If you've used the same, or a similar, password for your e-mail account as on a Web site that was breached, it's trivial for a cybercriminal to take over your e-mail account (the automated form of this is called credential stuffing). Once they control your e-mail, all your other accounts are fair game: they search your mailbox to find which Web sites you've registered with, request password resets from those sites, and the reset links land in the mailbox they now control.

Identity Theft

Identity theft is the deliberate use of someone’s personal data, usually to gain a financial advantage in the other person’s name, or to harm the person whose identity has been assumed.

Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance. An identity thief can file for a tax refund in your name and get your refund. In some extreme cases, an identity thief might even give your name to the police during an arrest.

To learn more about identity theft, check out the Federal Trade Commission's site at:

What Can You Do to Protect Your Accounts?

Using multiple layers of protection is the best way to protect your online accounts, as nothing is 100% foolproof.

Best Practices for Protecting Your Accounts

Your time is valuable. It will take far longer to recover access to your accounts, if that's even possible, than to make a few changes before you get hacked:

  1. Enable Multi-Factor Authentication (MFA), also referred to as 2FA (Two-Factor Authentication), on every account that offers it. MFA/2FA requires something more than a username and password to log in, e.g. a PIN sent to your phone by text message, or an authenticator app or hardware security key that produces a one-time code for each login. Prefer an authenticator app or hardware key over SMS: text messages can be intercepted, and an attacker who convinces your carrier to move your number to their SIM (SIM swapping) receives your codes instead of you.
    • 2FA Directory: List of websites and whether or not they support 2FA
  2. Generate a new, unique, strong password for every Web site and account. A strong password is either:
    • 4 or more random words (chosen at random, not a phrase you would naturally write), with a number and a symbol added where a site requires them, or
    • 12 or more random characters mixing upper and lower case letters, numbers, and symbols.
    • Alternatively, use a passphrase you compose yourself. Avoid sentences from books, song lyrics and famous quotations: password-cracking wordlists include them.
  3. Use a password manager to store your passwords. Make sure to use a very strong passphrase to access your password manager. This is critical, because if a bad actor gets your master password, then you’ve lost the keys to the kingdom.
  4. Do NOT save your passwords in the operating system, your Web browser, or your Google Account. Use a password manager.
  5. Do NOT click links or open attachments in unsolicited e-mails from people you don't know, or in messages that seem out of character for your trusted contacts. They may be an attempt to phish you or to install malware on your system.
  6. Create a new e-mail account that you never use for any Web site, set it as the recovery e-mail address for your accounts, and protect it with MFA and a strong unique password, since anyone who controls it can reset your other passwords.
  7. When you set up answers to security questions on Web sites, do NOT use information that may have been exposed in a data breach, such as current or previous addresses, your date of birth, names of family members, previous schools, etc. Treat the answers as extra passwords: use random or made-up answers and save them in your password manager.
  8. Never give out personal, banking information, or passwords in response to an unsolicited phone call, e-mail, text message or fax, even if the caller or sender identifies themselves as being from a trusted source, like your bank or credit union.
  9. Never allow anyone remote access to your computer in response to a message in your Web browser, an unsolicited phone call, e-mail, text message or fax.
  10. Make sure all your devices, operating systems, and software applications are fully patched and up-to-date.
  11. Follow the Principle of Least Privilege by never running as an administrator/root user unless absolutely necessary. Use a standard user account for your day-to-day access.
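
Two of the items above can be made concrete in code. The following Python is an added example for this page, not code from the original post: for item 1 it computes the one-time codes an authenticator app produces (RFC 4226 HOTP and RFC 6238 TOTP, which can be checked against the test vectors in those RFCs), and for item 2 it generates random passphrases and passwords and works out how much entropy each carries. The word list, the symbol set and the demo secret are constructed for the example; a real generator should use a large published word list such as the 7776-word EFF diceware list.

```python
import hashlib
import hmac
import math
import secrets
import struct
import time

# ---- Item 1: what an authenticator app computes (RFC 4226 HOTP / RFC 6238 TOTP) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time window.
    The server holds the same secret and recomputes this value to verify a login."""
    return hotp(secret, unix_time // step, digits)


# ---- Item 2: random passphrases/passwords and how much entropy they carry ----

# Constructed stand-in word list (25 words). Real generators use lists of
# thousands of words; the list size is what determines the entropy per word.
WORDS = ["apple", "bishop", "canyon", "dagger", "ember", "falcon", "glacier",
         "harbor", "island", "juniper", "kettle", "lantern", "meadow", "nickel",
         "orchid", "pepper", "quartz", "ripple", "saddle", "timber", "umbrella",
         "velvet", "walnut", "yonder", "zephyr"]
SYMBOLS = "!@#$%^&*-_=+?"                                 # constructed symbol set
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" + SYMBOLS


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform choices from `pool_size` options."""
    return length * math.log2(pool_size)


def meets_character_rule(password: str) -> bool:
    """The '12+ characters with upper, lower, digit and symbol' rule from item 2."""
    return (len(password) >= 12
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def random_password(length: int = 12) -> str:
    """Uniformly random characters from ALPHABET, re-drawn until the rule is met."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_character_rule(candidate):
            return candidate


def random_passphrase(words: list, count: int = 4) -> str:
    """`count` uniformly chosen words joined with '-', plus a two-digit number and a
    symbol so that sites which insist on digits/symbols will accept the result."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return "-".join(chosen) + str(secrets.randbelow(90) + 10) + secrets.choice(SYMBOLS)


def main() -> None:
    demo_secret = b"12345678901234567890"   # constructed; the RFC 6238 test-vector secret
    print("current TOTP for demo secret:", totp(demo_secret, int(time.time())))
    print("passphrase:", random_passphrase(WORDS))
    print("password  :", random_password())
    for label, pool, n in [("4 words from this 25-word list", len(WORDS), 4),
                           ("4 words from a 7776-word list", 7776, 4),
                           ("5 words from a 7776-word list", 7776, 5),
                           ("12 random chars from %d symbols" % len(ALPHABET), len(ALPHABET), 12)]:
        print("%-35s ~%.1f bits" % (label, entropy_bits(pool, n)))


if __name__ == "__main__":
    main()
```

Running the file prints the current code for the constructed secret and the entropy comparison that is the real point of item 2: four words from the 25-word list give only about 18.6 bits, four words from a 7776-word list about 51.7 bits, and twelve random characters from a 75-symbol alphabet about 74.7 bits. The "random" in "random words" and the size of the list are what make a passphrase strong, which is why a sentence copied from a book does not qualify.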

The Big Picture

One cannot escape the fact that data breaches have already exposed your personal information, and that they will continue to happen.

Make the effort to understand, implement, and share what you’ve learned to protect yourself, and others, from the fallout of data breaches, phishing attacks, and identity theft.


Stories of Woe

Data Breaches

This post was the basis of the talk I gave at WordCamp NYC 2019
