On my way to work in late November 2019, I decided to listen to some music. Books and music are my usual routine on the London public transport system to avoid eye contact and ignore the terrible squeeze and uncomfortable position you have to subject yourself to in order to get to work.
But this time I realised that instead of playing the usual System of a Down, 90’s dance music or Iron Maiden, my phone started playing “Mindfulness” music, and every few seconds the music would stop. By clicking play again, the music would resume and eventually stop after a few seconds. I decided to change to my usual rock and, boom, a few seconds later it was back to the unusual tunes. You only experience this behaviour on Spotify when another person is interacting with the same login as you.
THAT WAS WHEN I REALISED THAT MY SPOTIFY ACCOUNT HAD BEEN HACKED!
The first step was to identify how far they had got into it. After a few seconds of exploration, I found that they had not only got in, but had also tried to change the email. The email alert from Spotify was in my spam filter. I quickly logged in to the Spotify website, changed the email back to my address and changed the password.
I never had this issue again. But the reason why another person got in is that I used to have a password that I shared between unimportant accounts, easy to remember and to type.
But how did they guess my password for Spotify if, as far as I am aware, Spotify was never hacked? Even though it was easy to type, it was a complex password. After doing further research and talking to my trusted colleagues, Kay Ubergs recommended that I have a look at https://haveibeenpwned.com/. Also, after asking my wonderful friend Raphael Perez to comment on this article, he recommended https://monitor.firefox.com/, which does a similar search and monitors emails for you.
Have I Been Pwned is a simple email search that looks up known breached websites and services. It will show sites whose list of users was published and lets you know if your email, and potentially your password, may have been exposed.
People get the lists of emails and passwords exposed by hacks and try them on all kinds of different popular services. And to my surprise, they publish the working ones on dark web forums so people can use premium services for a while before the owners of the accounts realise they were compromised. This is commonly referred to as a “paste”. Here is the paste identified a few days after I realised my Spotify account was compromised.
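Have I Been Pwned also offers a Pwned Passwords range API that lets you check whether a password has appeared in a known breach without ever sending the password itself: the client hashes it with SHA-1 and sends only the first five hex characters, then matches the rest locally (k-anonymity). The following Python sketch is an added example, not from the article or the service; the range URL is the real service's, while `fetch_range`, the sample passwords and their counts are constructed assumptions so that the check runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    # Uppercase hex SHA-1, split into the 5-char prefix that is sent to the
    # service and the 35-char suffix that never leaves the client.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    # Each line is "SUFFIX:COUNT" (CRLF or LF separated). Malformed lines are
    # ignored rather than trusted; zero-count padding entries are dropped.
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    # Given the response for the password's own prefix, return how many times
    # the password was seen in breaches (0 means not found).
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    # Live lookup (assumed helper, not run by default); only the prefix is sent.
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range_response(entries: list) -> str:
    # Constructed stand-in for a real response, in the API's line format,
    # with one zero-count padding line such as the API can emit.
    lines = [f"{sha1_prefix_suffix(pw)[1]}:{n}" for pw, n in entries]
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


if __name__ == "__main__":
    body = constructed_range_response([("password123", 7), ("Summer2019!", 2)])
    for pw in ("password123", "Summer2019!", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, body))
```

To check a real password, call `fetch_range(prefix)` with the prefix from `sha1_prefix_suffix` and pass its body to `breach_count`; the full hash and the password stay on your machine.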
This event teaches us valuable lessons:
· Your online identity is more important than ever, take care of it
· Do not share passwords between accounts
· Use password managers to avoid getting lazy again
So how would we act on those lessons?
Your online identity is more important than ever, take care of it
Your primary email account is critical to your online identity. It is most commonly the place where you register your other accounts, and where you will be sent recovery questions, password reset links and two-factor authentication messages. Make sure this email has a complex and unique password; this is your most important account, as most of the other services rely on it. Do not use the same password anywhere else.
Do not share passwords between accounts
That was the critical lesson from this event. Because I shared the same password between services, when a forum website was compromised, the attackers were able to get my email and password combination due to weak password hashes. Someone created bots that tried that combination on many popular services and then shared the successful accounts online! The easiest way to make sure you have unique, strong passwords for every site and service is…
Use password managers to avoid getting lazy again
Password managers will generate and store passwords for you. They come as browser plugins and can be installed on mobile phones. They can autocomplete login requests for you when you visit those sites. But remember, a password manager also requires a strong master password, and it must not be the same as your email account password; it must be unique to avoid further problems.
Use a unique password every time, use a password manager, and actively manage your online identity. Now back to the mindfulness music.
Article originally published on LinkedIn.