You know that feeling when you’re signing up for something new, and without thinking you just enter your email address and your ‘go-to’ password, and click “Create Account.” Voila, another account, same old password. You’re not worried because it’s just an account that tracks how many steps you take every day. It’s not like you’re protecting your bank account or credit card.
Not so fast, though. Just because that account doesn’t contain “important information” (though it really does, keep reading), doesn’t mean hackers don’t want it. Earlier this year, FitBit was the target of a password-reuse attack, in which hackers used usernames and passwords from prior breaches of other websites (think LinkedIn) to break into FitBit accounts. Those hackers then changed existing usernames and passwords so the original owner could not access their account, and contacted FitBit with complaints of a defective item to receive a free replacement. Hackers then re-sold those replacement FitBits illegally.
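From the service operator's side, the attack pattern described above (one source cycling through many different accounts with credentials taken from other sites' breaches) has a recognisable shape in authentication logs. The following is an added example, not code from the original post or from Fitbit; the log line format and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data); assumed line format is
# "<ISO timestamp> login <fail|success> user=<name> ip=<addr>".
SAMPLE_LOG = """\
2016-02-01T10:00:01 login fail user=alice ip=203.0.113.7
2016-02-01T10:00:02 login fail user=bob ip=203.0.113.7
2016-02-01T10:00:02 login success user=carol ip=203.0.113.7
2016-02-01T10:00:03 login fail user=dave ip=203.0.113.7
2016-02-01T10:00:04 login fail user=erin ip=203.0.113.7
2016-02-01T10:00:05 login success user=frank ip=203.0.113.7
2016-02-01T10:00:09 login fail user=grace ip=203.0.113.7
2016-02-01T10:01:00 login fail user=alice ip=198.51.100.2
2016-02-01T10:01:30 login fail user=alice ip=198.51.100.2
2016-02-01T10:02:00 login success user=alice ip=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) login (fail|success) user=(\S+) ip=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(2), m.group(3), m.group(4)))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (distinct_users, [accounts it logged into])} for every IP
    that tried at least `min_users` different accounts inside one `window`.
    One IP spraying many usernames is the credential-stuffing shape; a person
    fumbling their own password hits a single account repeatedly instead."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        by_ip[ip].append((ts, result, user))
    flagged = {}
    for ip, evs in by_ip.items():
        best_users, best_hits, start = set(), set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, _, u in window_evs}
            if len(users) >= min_users and len(users) > len(best_users):
                best_users = users
                best_hits = {u for _, r, u in window_evs if r == "success"}
        if best_users:   # the successes are the accounts to reset and notify
            flagged[ip] = (len(best_users), sorted(best_hits))
    return flagged
```

The accounts listed under a flagged source are the ones whose reused passwords worked, which is exactly the set an operator would force-reset and notify.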
Why it matters to you
The impact of hackers breaking into accounts like FitBit is two-fold. First, the data in this supposed ‘throwaway’ account that you didn’t deem worthy of a strong password actually contains personal information such as GPS tracking, common running routes, and sleeping habits. This is information you don’t want in anyone’s hands, particularly anyone with malicious intentions.
Second, each password you have is a gateway to any other account you might have. If you reuse your passwords and they’ve been leaked, it’s only a matter of time before a hacker discovers the other sites where you use that password. If someone hacks your FitBit account and you use the same password for a site like Venmo or Netflix, now they have access to your credit card and billing information, in addition to your location and other personal details. See where this gets a little scary?
What you should do
The reality is, this can happen to anyone, whether you’re the CEO of Facebook or just a regular guy. The number one thing you can do to protect yourself is to create a unique password for each account. Yes, it’s a hassle, but once you put in the initial work to create unique passwords and store them in a password manager like LastPass, the hardest work is behind you, and so is most of the risk of one leaked password spreading to your other accounts.
It’s also ideal to set up two-factor authentication (2FA) on accounts where it’s an option. With 2FA, you’re designating a second way to confirm your ownership of the account before being granted access to it. This means that even if your password is stolen in a breach, without the second level of authentication (usually a push notification or SMS code sent to your smartphone), attackers will not be able to access the account.
The bottom line
It’s difficult to know which of your accounts, if any, have been leaked in a past breach, especially if companies themselves don’t know if they’ve had a security issue. The best way to combat that unknown threat is to update all of your accounts, each with a unique password, and add two-factor authentication everywhere you can. Plus, using a password manager like LastPass will keep you organized in your security efforts.