Last week, online sneaker-trading platform StockX asked its users to reset their passwords due to “recently completed system updates on the StockX platform.” In actuality, the company suffered a large data breach back in May, and only finally came clean about it when pressed by reporters who had access to some of the leaked data.
In other words, StockX lied. And while it disclosed details on the breach in the end, there’s still no explanation for why it took StockX so long to figure out what happened, nor why the company felt the need to muddy the situation with its suspicious password-reset email last week.
While most companies are fairly responsible about security disclosures, there’s no question that plenty would prefer if information about massive security breaches affecting them never hit the public eye. And even when companies have to disclose the details of a breach, they can get cagey—as we saw with Capital One’s recent problems.
It’s not your job to play detective or journalist for all the companies whose services you love and use, but there are a few things you should keep in the back of your mind so you can stay safer about data breaches—especially if a company isn’t forthcoming about them.
Get skeptical about random password-reset requests
This one’s a no-brainer, but it’s still worth mentioning. If a website or service asks you to reset your password out of the blue, something is wrong. Ideally, it has detected that your email address or username appeared in another service’s data breach and is helping you secure your account in case you reused the same password for both. You should still get suspicious, however, and check the news (or Twitter) to see if anyone is reporting a breach at the company itself. And since an unexpected password-reset email is also exactly what a phishing message looks like, don’t use the link in the email: go to the site directly and reset your password from there.
Make sure you’re using “Have I Been Pwned”
On the off chance that a company isn’t being forthcoming about a data breach, it never hurts to have someone else watching your back. Sign up for notifications from Have I Been Pwned, which will let you know if, or when, your email address turns up in a breach.
If you’re a 1Password user, you can also take advantage of the password manager’s built-in tool that checks to see if your credentials were involved in any breaches. It’s called Watchtower, and it’s a great way to stay on top of every weekly (daily?) breach that hits.
Perform your own threat analysis
At Lifehacker, I get to read about a lot of breaches. Some we cover; some we don’t. Typically, if a hack only affects information that isn’t all that interesting, like your email address and your shoe size, it’s not really worth talking about compared to breaches that involve more critical data like account numbers, your plaintext password, or your social security number.
Whenever a company tells you about a breach that affects your information, don’t just take their word for it. Pretend that every bit of data you sent to that company’s service has also been compromised and act accordingly—whether that means paying closer attention to spending on your associated credit cards (or setting up some kind of notification or alert), changing passwords on other sites, or putting a freeze on your credit reports. You never know when a seemingly innocent hack could spiral into something worse.
I realize this might sound a bit like “the sky is falling,” but being more proactive about your data security isn’t a bad thing. You can always take a measured response. For example, you probably don’t need to order replacement credit cards every time a website is compromised that you’ve previously purchased an item from, but you might want to make a reminder to check your credit card statement a little more closely for the next month or so.
Don’t be afraid to walk away
When a company isn’t truthful with you about issues that can have a big impact on your personal privacy and data security, you don’t have to keep using their services. Go find another company that’s willing to go the extra mile to keep your data safe—or, at the bare minimum, give you honest information about any incidents that hit. I’ll take a mea culpa over a lie any day.
A spreadsheet containing the contact information and personal addresses of over 2,000 games journalists, editors, and other content creators was recently found to have been published and publicly accessible on the website of the E3 Expo.
The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicized. This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicized.
The existence of this document was first publicized in a YouTube video that journalist Sophia Narwitz posted to her personal channel on Friday night. (Narwitz has not yet responded to Kotaku’s request for more details about the discovery of this document.) In her video, Narwitz described how the file could be accessed: “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.”
Again, the E3 website has since been updated to remove this link, but cached versions of the site do indeed show that a link titled “Registered Media List” used to appear on a “Helpful Links” page. For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers.
“Before even considering making this story public, I contacted the ESA via phone within 30 minutes of having this information,” Narwitz continued in her video. “Worried that might not be enough, I also shot off an email not too long after. On top of that, I reached out to a number of journalists to make them aware of this.”
One reporter who asked to remain anonymous told Kotaku that he had been one of the people Narwitz contacted before publishing her YouTube video. That reporter says that Narwitz told him she had first learned of the document’s existence because someone had emailed her anonymously to say that they had discovered it and downloaded the information. After receiving this email, Narwitz purportedly then confirmed the file’s existence herself. The reporter who says Narwitz contacted him told Kotaku that he had cautioned Narwitz against publicizing any information about this spreadsheet until after it had been removed by the ESA. That reporter then contacted an ESA representative himself. After that, the direct link to the file was removed from the website. Unfortunately, the file itself was still accessible to anyone who knew the link or could find the Google cached version of the page.
After the page containing the link to the file was removed, Narwitz published her YouTube video about the leaks, seemingly believing that the file was no longer accessible. Soon after that, users noted on social media that although the link to the file had been removed, the spreadsheet file itself was still accessible. The anonymous reporter told Kotaku that he then contacted the ESA a second time and, at that point, the ESA deleted the file from its website. However, Narwitz’s video had already unwittingly publicized the existence and continued availability of the file, the contents of which continue to be shared online.
The ESA provided Kotaku with a statement about the leak. “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public,” it wrote. “Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”
The ESA representative declined to respond to Kotaku’s other questions about why the file was not properly password-protected, how long the file had been available to the public, and whether this was the way that journalists’ personal data had been treated by the organization in past years.
The Federal Trade Commission (FTC) and U.S. Justice Department (DOJ) have been taking Facebook to task regarding its recent privacy blunders, including the company’s failure to comply with a 2012 FTC ruling over how Facebook handles its users’ data.
While the DOJ lawsuit is still being litigated, Facebook recently agreed to an FTC order that requires the company to pay $5 billion in fines and submit to a 20-year oversight program—including annual reviews of its privacy and data collection practices.
The finer points of the FTC’s ruling mostly affect Facebook’s business structure and won’t have an immediate impact on the user experience (if any at all). However, there are several changes to how Facebook collects and disseminates data that will affect users—some of which build upon existing changes Facebook recently made, likely in anticipation of what was coming down the pike.
Here’s a quick rundown of the privacy changes that you should know about, and how they affect you and your Facebook data.
New rules for sharing data with third-party apps and advertisers
The FTC ruling sets stricter standards for how Facebook deals with third-party apps and advertisers. Facebook is now required to remove third-party entities that don’t comply with Facebook’s policies or cannot reasonably justify their requests for specific data from Facebook’s users.
This means that these apps and advertisers no longer have carte blanche access to user data and must explain exactly how and why that data will be used, but the exact standards for “justifying” requests are not defined. That lack of definition could lead to a lot of grey areas regarding these rules, but Facebook users have several tools for seeing how their data is brokered and controlling access to it. Most importantly, this ruling doesn’t place limits on how Facebook can learn more about you; rather, it’s attempting to curb what Facebook passes on to advertisers.
Better transparency for facial-recognition technology
Facebook now has to clearly alert users that it uses facial-recognition technology, be more forthcoming about how and why it’s used, and alert users if it updates its technology or functionality beyond what users were originally asked to agree to. The company also has to get express consent from users in order to opt them into facial recognition features in the first place—something it notoriously overlooked in the past.
Better protection for passwords
Paradoxically, it was both shocking and unsurprising when reports exposed how poorly Facebook protected password data, including passwords stored in plain text on internal servers. Under the FTC ruling, stored passwords must now be encrypted and the company is required to regularly scan its servers for plain-text password storage. Similarly, Facebook won’t be able to ask new users for the passwords to their email accounts on other services, either.
Restricted collection of phone numbers
In the past, Facebook had ways of finding (and then distributing) your phone number, even if you didn’t supply such data in your profile. With this new FTC ruling, Facebook is now barred from “using” phone numbers it obtained through security features, such as two-step verification.
What’s unclear, however, is what exactly “using” means. Collecting them? Selling them? It’s hard to say, and that’s frustrating since Facebook has a habit of “accidentally” collecting phone numbers. Thankfully, there are ways to delete such information from your profile and keep Facebook from snooping around your device’s contact information.
We won’t know the full effect users will see from these changes until they’re implemented and acted upon, but it’s hard to put much faith in these changes as long as the platform subsists on collecting and selling your data. We’ll have to wait and see how it all shakes out (including the still-in-progress DOJ lawsuit), but in the meantime, it may be wise to consider whether Facebook is worth keeping—or if you should delete it for good.
While this should be common sense for anyone who has ever had to create a password, and there are plenty of tools you can use to generate, store, and recall great passwords, there’s one little caveat to this process that you might not have thought about much. How often should you change your password?
You’ve probably experienced this at work more than anything else—some annoying notification or email letting you know that it’s time (once again) to change your password. This can be a cumbersome process, especially if you have to go and update your password across multiple apps and devices.
As it turns out, this entire process is pretty unnecessary. As long as you have a strong password to begin with, its age doesn’t make it any weaker. In a blog post detailing why Microsoft dropped password-expiration policies from its baseline security settings for Windows 10 and Windows Server 2019, Microsoft “Windows nerd” and security expert Aaron Margosis wrote:
“Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”
I’m an avid 1Password user—love it—and I appreciate how the app goes to great lengths to let you know when passwords you’re using might be unsafe or otherwise compromised. What it doesn’t do, in line with Microsoft’s suggestions, is give you any grief because the password you’re using is x days old (or x years old).
That said, there is one valuable reason for changing your passwords—whether that’s a forced process or one you decide to do yourself. If you’re the kind of person who doesn’t check to see if the passwords you use have been compromised, coming up with new passwords on a regular basis is at least a good catch-all for dealing with weaker ones that might be out in the open.
To that, I offer an alternative suggestion: Instead of changing your passwords according to an arbitrary schedule, you should upgrade your passwords. If you’re a perfect password creator, you probably don’t need this step. But if you’re normal, like me, and you sometimes use weaker passwords for new services you’re trying out because you don’t want to be bothered pulling up your password manager and summoning a 22-character monstrosity, you should schedule time to check and upgrade your lamer passwords to more secure ones.
It’s super-easy to do this if you’re using a password manager, because you can then just scan down your list of saved passwords and start updating anything that’s out of the ordinary: “cat12345,” as opposed to “1Jf*@4,f@a9!04#*5vka*4&5%.” Though, you should also already have a pretty good idea whether you’re using weak passwords for your favorite apps and services—which is probably even more likely if you aren’t using any password manager at all.
This will be a tedious process if you have a ton of weak passwords, but you can always think strategically. Start with the accounts you use most frequently and work your way down from there. (Again, a password-management app will make this process easy, and a great one will be able to tell you when it sees that you’re using a weaker password for a service.)
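As an added example (not code from Lifehacker, 1Password or Have I Been Pwned), here is a Python audit that does what the previous paragraphs describe by hand, and what the earlier section on Watchtower-style breach checks alludes to: it walks a vault export, applies cheap local strength checks, flags passwords reused across sites, and looks each one up against the Have I Been Pwned Pwned Passwords range API using its k-anonymity scheme, in which only the first five hex characters of the SHA-1 hash are sent and the client matches the rest locally. The vault entries, the common-password set and the range response are constructed stand-ins so the block runs offline; `fetch_range` is the live lookup you would substitute in real use.

```python
import hashlib
import re

# Constructed sample vault export (site, username, password); not real credentials.
VAULT = [
    ("bank.example", "alice", "1Jf*@4,f@a9!04#*5vka*4&5%"),
    ("forum.example", "alice", "cat12345"),
    ("shop.example", "alice@example.com", "password"),
    ("mail.example", "alice", "password"),
]

# Constructed stand-in for a list of the most common leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "dragon", "monkey", "football", "starwars"}

# Constructed stand-in for one Pwned Passwords range response. The service returns
# every known SHA-1 suffix that shares the requested 5-character prefix, one
# "SUFFIX:COUNT" per line, so the full hash never leaves the client. Only the middle
# line is the real suffix of SHA-1("password"); the other lines and all counts are invented.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1D2E9A0F8C7B6A5D4E3F2A1B0C9D8E7F6A5:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F0A1B2C3D4E5F60718293A4B5C6D7E8F90:15",
    ]),
}


def split_sha1(password: str):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: the k-anonymity split."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Look a hash suffix up in a range response; 0 means not seen in any known breach."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised offline). Add-Padding hides the true number of
    suffixes in the response from anyone watching the traffic size."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "vault-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def strength_issues(password: str) -> list:
    """Cheap local checks: length, character-class mix, membership in the common list."""
    issues = []
    if len(password) < 12:
        issues.append("short")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("few character classes")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("common password")
    return issues


def audit(vault, range_lookup) -> list:
    """Return the entries worth upgrading, worst first. range_lookup maps a 5-character
    prefix to a range response body: fetch_range for real use, a dict lookup offline."""
    sites_by_password = {}
    for site, _user, pw in vault:
        sites_by_password.setdefault(pw, []).append(site)
    findings = []
    for site, user, pw in vault:
        issues = strength_issues(pw)
        others = [s for s in sites_by_password[pw] if s != site]
        if others:
            issues.append("reused on " + ", ".join(others))
        prefix, suffix = split_sha1(pw)
        breach_count = count_in_range(range_lookup(prefix), suffix)
        if breach_count:
            issues.append(f"seen {breach_count} times in breach data")
        if issues:
            findings.append({"site": site, "user": user, "breach_count": breach_count, "issues": issues})
    # Breached passwords first, then the ones with the most problems.
    findings.sort(key=lambda f: (-f["breach_count"], -len(f["issues"])))
    return findings


def offline_lookup(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for f in audit(VAULT, offline_lookup):
        print(f"{f['site']:<15} {f['user']:<20} {'; '.join(f['issues'])}")
```

The ordering is the “think strategically” part: anything already in breach data is the first thing to change, regardless of how it scores locally, because it is in every credential-stuffing list that matters. The strong, unique bank password produces no finding at all, which is the point of the exercise.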
And, of course, even the greatest password benefits from a boost: Use multi-factor authentication wherever possible, and your accounts will be that much more secure. Then print this article—or Microsoft’s blog post—and take it over to your IT team when you’re forced to change your password for the eighth time this year.
Apple has been facing increased criticism of its privacy practices lately, and rightfully so. During CES 2019 earlier this year, the company tried trolling visitors of the annual conference—which it famously does not attend—with a brazenly false piece of advertising: a massive outdoor ad declaring “What happens on your iPhone stays on your iPhone.” Nothing could be further from the truth.
Last week, the Washington Post published the results of one experiment that showed thousands of trackers siphoning data off the iPhone of technology columnist Geoffrey Fowler. “In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic,” he wrote. (Yelp alone was reaching out to grab Fowler’s IP address every five minutes.)
Apple’s big privacy claim was a lie, there’s no other way to put it—even if it did look catchy on the side of a Las Vegas hotel.
This year’s Worldwide Developers Conference (WWDC) saw a few privacy-focused announcements and none that would address all of the tracking issues discovered through Fowler’s experiment. But some options, such as new location sharing features for iOS 13, are a good place for the 43-year-old company to start. Others, such as Apple’s new login system, are exciting and will undoubtedly help consumers shield themselves from data vampires like Facebook.
Here’s every privacy and/or security-related feature, big and small, announced by Apple today:
The first time we heard the word “privacy” on stage Monday it was a reference to the Noise app debuted for Apple Watch. The purpose of the app is to warn users when they’re in environments where sound levels are high enough to negatively impact hearing. “The watch can send a notification if the decibel level reaches 90 decibels, which can begin to impact hearing after four hours per week of exposure at this level, according to the World Health Organization,” Apple says.
Of course, in order for Noise to accomplish this, it needs to have its ears on. This type of always-listening technology scares a lot of people. Alexa users, for instance, freaked out when it was disclosed that actual human employees were listening to recordings taken from Echo devices.
Apple’s VP of health, Dr. Sumbul Desai, issued this promise: “It only periodically samples and does not record or save any audio.” According to Apple, none of the audio or sounds in the environment are saved by the app or sent to Apple; only decibel levels are sampled. That’s good news for users who work in loud environments and want to know if they’re potentially suffering long-term damage, but at the same time value their privacy.
Apple’s policies toward health data didn’t change on Monday, but the company announced a slew of new tracking features for the Health app, including the Noise app and the ability for women to log important information related to their menstrual cycles, called Cycle Tracking. These new features offered the company a good opportunity to emphasize its policies designed to protect what Apple’s senior vice president of software engineering, Craig Federighi, referred to as the most private of all types of personal information.
“Health is using machine learning on your iPhone to determine which highlights might be most interesting to you,” he said. “All of this health data is securely stored in your iPhone or encrypted in iCloud, and since there’s nothing more private than your health information, you control your data. You can decide if you want to share particular health data with select apps, if you’d like to share anything at all.”
Apple’s new login service is easily the biggest security and privacy announcement today. Social login options such as “Login with Facebook” are very popular because they bypass the need for users to create new identities on every single website they visit. In most cases, it’s a one-click profile creation system. But these are also very popular with companies like Facebook because they use this feature to track you and sell your information to marketers.
Apple’s promise is to not track users on “Sign in with Apple” and it will even create a buffer between consumers and the services they use. For instance, Apple will let you share your email account with a service if you want, but it can also generate a unique email address for you, which then forwards pertinent messages to your inbox.
As Gizmodo’s Patrick Howell O’Neill writes: “It’s a smart jab against spam: Not only will you be able to turn off spammy email more easily, but you’ll also be able to see who exactly is sharing and selling your email widely when that random address starts to get spam from companies buying up data.”
As someone who’s had to track down a stolen iPhone before, I’m a big proponent of Find My iPhone. Apple announced an upgrade to this system that, at first blush, sounds a little nuts: the ability to locate an iPhone or MacBook, even when they aren’t receiving a signal, using other people’s devices.
According to Apple, this feature will work by forcing the device to occasionally transmit a “secure” Bluetooth signal. Other Apple products will sense the device and transmit its location.
“Let’s say you misplaced your MacBook. Even when it’s offline and sleeping it sends out a secure Bluetooth beacon that can be detected by other people’s Apple devices nearby. They can relay your MacBook’s location to the network and ultimately back to you so you can find it,” Federighi said.
“It uses just tiny bits of data that piggyback on existing network traffic so there’s no need to worry about your battery life, data usage, or your privacy,” he added, emphasizing the entire protocol is end-to-end encrypted and anonymous.
We’ve never seen a feature like this anywhere before, so it’ll be interesting to see how it works in the wild and whether it withstands attempts by independent researchers to exploit it.
Apple is rolling out a simple, no-brainer update to the controls that users have over location data sharing. Finally, there’s a one-time location option.
“For the first time, you can share your location to an app just once and then require it to ask you again next time it wants it. If you do choose to grant an app the ability to continually monitor your location in the background, we’ll give you reports so you’ll know what they’re up to,” said Federighi.
He also noted that many apps try to bypass location-sharing restrictions by scanning for Bluetooth and WiFi signals in the area, which may reveal a users’ location. “We’re shutting the door on that abuse as well,” he said.
Lastly, Apple updated its policies on Monday to officially ban the use of embedded trackers in Kids Category apps. We knew this was coming last week, but now it’s official, and here’s the language: “Apps in the Kids Category may not include third-party advertising or analytics.”
Apple also advises developers to “pay particular attention to privacy laws around the world relating to the collection of data from children online.”
Parents should keep in mind that this policy does not apply to apps on kids’ phones that aren’t downloaded from the Kids Category. If you don’t want your kids to be tracked, you’ll have to remain vigilant in monitoring which apps they download.
Those of you who are still running Windows 7 or earlier need to install critical patches that fix a recently-discovered security bug on older versions of Windows.
Earlier in May, Microsoft disclosed a serious security vulnerability, dubbed “BlueKeep,” in Windows 7 and earlier versions. BlueKeep can give an attacker full remote control of a PC through Windows’ Remote Desktop Protocol (RDP) without any credentials, and because it needs no user interaction it could be used by a worm, malware that spreads from one vulnerable machine to the next on its own. Demonstrations of working exploits have recently begun to appear online (the original post embedded a video of one).
After BlueKeep was disclosed, Microsoft released patches for all affected versions of Windows on May 14, including the out-of-support Windows XP and Server 2003. The problem is that only a fraction of vulnerable users have installed these updates. According to Wired, a recent scan shows that at least 922,225 vulnerable PCs exposed to the internet remain unpatched, and the actual number could be much higher. If you’re among the hundreds of thousands of users who have not updated your machine, do so now. The risk of keeping your PC unpatched is too great to ignore, even if you’re running a business and updating your stable of work computers is a lengthy chore.
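Installing the patch is the fix, but an administrator also wants to know which hosts expose the pre-authentication RDP surface the bug lives in. Network Level Authentication (NLA) is the partial mitigation Microsoft named for BlueKeep (CVE-2019-0708): with NLA required, an attacker must authenticate before the vulnerable code is reachable. The following Python probe is an added example, not code from the original post or from Microsoft. It sends the standard RDP X.224 Connection Request offering only legacy RDP security and decodes the server’s negotiation reply: a server that insists on CredSSP answers with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER, while one that accepts, or that requires only TLS, still exposes the pre-authentication surface. The three sample responses are constructed inline so the parsing runs offline; `probe_rdp` is the live check. Note that this tells you whether NLA is enforced, not whether the update is installed.

```python
import socket
import struct

# Protocol flags carried in RDP_NEG_REQ / RDP_NEG_RSP (MS-RDPBCGR).
PROTOCOL_RDP = 0x00000000       # legacy RDP security: no authentication before MCS
PROTOCOL_SSL = 0x00000001       # TLS only; still no authentication before MCS
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. Network Level Authentication

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
SSL_REQUIRED_BY_SERVER = 0x00000001            # TLS or CredSSP acceptable
HYBRID_REQUIRED_BY_SERVER = 0x00000005         # CredSSP mandatory: NLA enforced
SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER = 0x00000006


def build_x224_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request + RDP_NEG_REQ, as an RDP client sends it."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # LI counts everything after itself: the 6 fixed X.224 bytes plus the negotiation block.
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0x0000, 0x0000, 0x00)
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg_req))
    return tpkt + x224 + neg_req


def parse_x224_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its optional RDP_NEG_RSP/FAILURE."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed response")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the data received")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]                      # bytes after the 6 fixed CC fields
    if len(body) < 8:
        return {"negotiation": None}            # very old server: no negotiation block
    typ, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if typ == TYPE_RDP_NEG_RSP:
        return {"negotiation": "response", "selected_protocol": value}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": "failure", "failure_code": value}
    raise ValueError(f"unexpected negotiation structure type {typ:#x}")


def nla_enforced(parsed: dict) -> bool:
    """True only when the plain-RDP offer was refused because CredSSP is mandatory."""
    return parsed.get("negotiation") == "failure" and parsed.get("failure_code") in (
        HYBRID_REQUIRED_BY_SERVER, SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER)


def classify(parsed: dict) -> str:
    if nla_enforced(parsed):
        return "nla-required"
    if parsed.get("negotiation") == "failure":
        if parsed["failure_code"] == SSL_REQUIRED_BY_SERVER:
            return "tls-required-nla-optional"   # pre-auth surface reachable over TLS
        return "refused"
    return "legacy-rdp-accepted"                 # pre-auth surface reachable in the clear


def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Live check: offer only legacy RDP security and see how the server answers."""
    request = build_x224_connection_request(PROTOCOL_RDP)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = sock.recv(4)                      # TPKT header carries the total length
        total = struct.unpack(">H", data[2:4])[0] if len(data) == 4 else 0
        while len(data) < total:
            chunk = sock.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return classify(parse_x224_connection_confirm(data))


# Constructed sample responses (not captured from real hosts).
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013" "0ed00000123400" "0300080005000000")
SAMPLE_LEGACY_RDP_ACCEPTED = bytes.fromhex("03000013" "0ed00000123400" "0200080000000000")
SAMPLE_NO_NEGOTIATION = bytes.fromhex("0300000b" "06d00000123400")

if __name__ == "__main__":
    import sys
    for name, sample in (("nla", SAMPLE_NLA_REQUIRED), ("legacy", SAMPLE_LEGACY_RDP_ACCEPTED),
                         ("old", SAMPLE_NO_NEGOTIATION)):
        print(name, classify(parse_x224_connection_confirm(sample)))
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_rdp(sys.argv[1]))   # e.g. python probe.py 192.0.2.10
```

Run it only against hosts you are authorized to test; a single 19-byte connection request is harmless, but it is still an unsolicited RDP handshake. Anything that classifies as `legacy-rdp-accepted` or `tls-required-nla-optional` should be patched first and have NLA turned on, or have port 3389 taken off the internet entirely.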
Fun fact: Snippets of your Alexa conversations may be heard and read by thousands of Amazon employees. According to recent reports, Amazon has an international team of employees who work to help Alexa better understand your many commands and develop new ways for the AI to interact with users. This requires them to listen to snippets of what your Echo speakers and other Alexa devices are recording. Sounds eerily familiar to us.
Not only are real people listening to you talk to (and around) Alexa, but the conversations they listen in on are being transcribed and annotated by Amazon’s employees. These transcriptions are then used to “teach” the Alexa AI to recognize more commands.
If you’re sketched out by this, we understand. Especially since what you say is only kind-of, sort-of associated with your account, as Bloomberg describes:
“A screenshot reviewed by Bloomberg shows that the recordings sent to the Alexa reviewers don’t provide a user’s full name and address but are associated with an account number, as well as the user’s first name and the device’s serial number.”
While you’ll never be able to stop Amazon employees from listening in on whatever you say to your Alexa, you can at least turn off any features that make this easier. For example:
Open the Alexa mobile app
Tap the Menu button in the upper-left of the screen
Go to Alexa Account > Alexa Privacy > Manage how your data improves Alexa
Turn off “Help develop new features” and “Use messages to improve transcriptions” for all profiles on your account
Bloomberg notes that Amazon’s team might still analyze your Alexa recordings “by hand,” but this at least opts you out of some facet of Amazon’s voice study. The only real solution at this point is to ditch your Amazon devices altogether, but adjusting these privacy settings should hopefully help keep unnecessary third parties out of your business a little bit.
A 24 year-old man from England has pleaded guilty to charges of hacking into both Microsoft and Nintendo’s servers, causing an estimated $3-4 million damages.
As The Verge reports, Zammis Clark—a former security researcher at Malwarebytes—went before a court in London this week accused of accessing servers at both companies, stealing user information, accessing files related to unreleased products and illegally sharing login details.
He was arrested in June 2017 for his actions against Microsoft, which included hacking into servers that contained “confidential copies of pre-release versions of Windows”.
Yet after this arrest his online access went unrestricted, and in early 2018 Clark used a VPN to get access to Nintendo’s servers, including those used for “highly confidential game development”, and which held “development code for unreleased games”.
Despite his repeat offences, and the severity of them, Clark won’t be facing prison, at least in the near term. Because he is both autistic and has “face blindness”, the judge deemed that prison would pose a risk to Clark’s safety, and, taking into account his parents’ work in attempting to care for and rehabilitate him, decided to issue a suspended 15-month sentence.
Leaky security, hardware exploits, crashes, broken features—every piece of hardware or software is prone to bugs and vulnerabilities, and it’s likely you’ve had the misfortune of dealing with them at some point in your tech life. While most people grin, bear it, and wait for the problem to fix itself, you can also take a more active approach to bugs and other security disasters by reporting your findings.
The problem? You might not know how or where to submit a bug report when you encounter an issue. To make this process easier, we’ve taken a look at the most commonly used apps, services, and hardware manufacturers, and consolidated their bug reporting tools into one big list.
Some tips on bug reporting
Though our list explains how to submit bug reports for frequently used apps and services, it’s not exhaustive. If you don’t find what you’re looking for, here are some quick bug reporting tips and best practices:
Some apps and programs will allow you to send a crash/bug report directly. If you’re experiencing frequent crashes, and this option is available, take advantage of it. Often times these auto-reports will include information you’d otherwise have to manually include, making the process much easier.
Write down (or take screenshots of) any pop-up boxes or error codes, if possible. Be detailed about what happened and how the bug, error, or crash occurred, and make sure to include your hardware/software specifications where applicable. These details will be helpful to include in your bug report (and might be required in some cases).
If you’re submitting a bug on a forum or message board, make sure to read any posting guidelines, which usually require you to run a preliminary search to see if your specific bug has already been reported. While repeat reports help a bug get fixed faster, some bug report forums have strict requirements for how to submit reports for the same bug or error.
If you’re looking for a company’s bug bounty program or how to submit a security-related vulnerability, these links can usually be found on Bugcrowd or HackerOne. Remember, these programs are geared toward security vulnerabilities and major bugs, not your average performance hiccups, and therefore have strict guidelines for submission.
Technical bugs related to PlayStation services and hardware can be submitted to PlayStation’s support team in several ways, including online, on Twitter, through email, chat, over the phone, and more. Check this page to find the method most relevant to you.
If you play video games, you are an ideal target to get wrecked by hackers.
Sure, you’re tech savvy—you know what a hard drive is and have seen an HDMI cable or two in your day. Still, there are some unassailable, totally exploitable truths about gamers: They are very online. They log in to a lot of stuff. They have some money. They want to be better than other gamers. And they like to use the password “Dragon.”
This post originally appeared 5/1/18.
In 2018, hackers broke into thousands of Fortnite players’ accounts and siphoned hundreds of dollars at a time. How? Those players had used their username and password combinations somewhere else on the world wide web. And somehow, they got leaked. Now, they’re begging for big refunds and scurrying to protect themselves from further financial harm. It was a preventable disaster. And we’re here to teach you how to prevent it.
Here are some tips on how to stay safe while gaming.
What matters when it comes to security?
Everything matters. That sucks to hear, I know. Security is like a balloon. If there’s even one hole, it’s not a balloon anymore. When it comes to your gaming apps, if you have unique passwords on your Blizzard and Epic Games accounts, but not on your five favorite gaming forums’ accounts—and if you use those same passwords on PayPal, e-mail or Facebook—then you’re vulnerable to hacking.
Password leaks happen all the time on all sorts of sites. Hackers can input your niche EverQuest forum password into, say, your banking site if you use the same password for both. And then you get screwed. It’s that simple.
Think about everything you have an account for. Your PlayStation Network account, your Microsoft account, your Battle.Net account, your Steam account, your Reddit account… when you add it up, that’s a lot of stuff! And each of these accounts contains at least a little personal information, whether it’s your first and last name or your credit card number.
It can seem really intimidating to stay vigilant about so many accounts, but with good habits in place, keeping everything in check can become second nature.
Where do I start?
Start with your passwords. We all know “Password123” is easy to guess. But so is “Dragon.” “StarWars,” “monkey” and “football” are extremely common for the same reason—turns out a lot of people like popular stuff. It’s also likely that your unique, fun password you’ve kept since the fourth grade—“Pikachu,” maybe—is just as easy to figure out.
You need strong, unique passwords for everything. According to our sister site Lifehacker, passwords that are long and include numbers, capital letters and symbols are great. Don’t use common phrases or words. BiRdSaNdBeEs_123 isn’t as great a password as bVWx633HVN7Z.a!=.
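To show why decorating a dictionary word with capitals and digits helps less than it looks, here is an added scoring example (not from the article or Lifehacker). It assumes a constructed mini-dictionary and a rough, assumed guessing model: a word-based password is scored as word choices plus a case pattern plus a suffix, while a random one is scored as characters drawn from its charset.

```python
import math
import re

# Constructed mini-dictionary of common password words (a real checker would use a
# large breached-password list); the words are the ones the article calls out.
COMMON_WORDS = {"password", "dragon", "starwars", "monkey", "football", "pikachu",
                "birds", "and", "bees"}
ASSUMED_DICT_SIZE = 10_000      # assumption: attackers try roughly 10k common words first
SUFFIX_RE = re.compile(r"[0-9_!@#$%^&*.=-]+$")   # "Password123" -> trailing "123"

def normalize(password: str):
    """Lowercase the word part and split off a trailing digit/symbol suffix."""
    m = SUFFIX_RE.search(password)
    suffix = m.group(0) if m else ""
    return password[:len(password) - len(suffix)].lower(), suffix

def word_split(s: str):
    """Split s into COMMON_WORDS ('birdsandbees' -> ['birds', 'and', 'bees']) or None."""
    if s == "":
        return []
    for w in COMMON_WORDS:
        if s.startswith(w):
            rest = word_split(s[len(w):])
            if rest is not None:
                return [w] + rest
    return None

def charset_size(password: str) -> int:
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(n for pat, n in zip(classes, (26, 26, 10, 33)) if re.search(pat, password))

def estimate_bits(password: str) -> float:
    """Rough guessing-entropy estimate (assumed model, not a standard)."""
    core, suffix = normalize(password)
    words = word_split(core) if core else None
    if words is None:
        # Nothing dictionary-like: treat as random characters from the used charset.
        return len(password) * math.log2(charset_size(password))
    bits = len(words) * math.log2(ASSUMED_DICT_SIZE)
    original = password[:len(core)]
    if original != original.lower() and original != original.upper():
        bits += 4           # mixed case: a few common patterns, not one bit per letter
    bits += len(suffix) * math.log2(43)    # 10 digits + 33 symbols per suffix character
    return bits
```

Under this model "BiRdSaNdBeEs_123" scores around 66 bits while "bVWx633HVN7Z.a!=" scores around 105, and "Dragon" lands near 17.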
Changing your passwords is totally tedious, but compared with cleaning up after a security breach, extremely worth it. Spend a few days recording which websites and apps you use regularly. Likely, it includes some combination of Facebook, Gmail, Twitter, Reddit, YouTube, Discord and Amazon. For gamers, that list might include Battle.net, Steam or Xbox Live. Write all of it down. Then…
Download a password manager
You simply cannot remember 20 very strong passwords. If you can, your passwords probably aren’t strong. You need a password manager. And a lot of password managers can even help you come up with secure passwords.
Since browser-based password managers like the one in Opera have been hacked before, I recommend downloading a password manager onto your phone. I use LastPass. Other people like 1Password. That way, you’ll only have to remember the password to your password manager (or you can just use your fingerprint).
Enable two-factor authentication
Two-factor authentication is a fancy way of saying, “the app asks you to verify yourself.” All it means is that, when you log in to something, you’ll receive a text message or an e-mail with an additional code. You can also get a special app that generates this code on your phone. No one will be able to log into your account unless they enter that code into the client.
Opting in to two-factor authentication can mean the difference between someone else logging into your MMORPG account and stealing all your hard-earned gold and, well, that not happening. Getting a two-factor authentication code when you’re not trying to log into something is also a great way to know someone’s trying to hack you!
Lots of gaming apps let you enable two-factor authentication. Here’s a list from TwoFactorAuth.org plus links to instructions on how to enable it:
If you just scrolled through this and wondered, “Where’s League of Legends?” or some other service not listed, then I have some advice for you: E-mail them! Make sure they know you want this security feature. Basic two-factor is something worth demanding.
Here’s a fun fact: Random Call of Duty players you add as friends on your PlayStation might be able to see your first and last name! Maybe that’s cool with you. Maybe it’s not. Either way, you should know whether you’re leaking personal information you don’t want leaked.
Your PlayStation, Xbox, Steam account, etc. all have privacy settings. The Switch has very limited customization options here, but that’s because Nintendo’s online service doesn’t show friends your real name, anyway. You should familiarize yourself with the privacy and security settings for all your gaming accounts and modulate them to your liking. The PlayStation Network’s settings, for example, ask whether you’d like people on your friends list to see your real name. Microsoft blocks Xbox users’ real names by default, although there was once a bug that temporarily revealed people’s names. Now on Steam, you can even hide how few hours you’ve actually played of PlayerUnknown’s Battlegrounds.
Wow, free Fortnite V-Bucks! Booyah! All I need to do is enter my social security number into the website f0rtn1te.net!
Nothing cool is free in online gaming. Even if all your passwords are perfect and you have two-factor enabled on everything, that won’t stop you from falling for hackers’ tricks.
Any sites or people offering free video game skins, currency, etc. are shady, especially if a stranger messages links to you through an online game. If you receive an e-mail from a strange address telling you that your Elder Scrolls Online account has been compromised, and that you need to give them your username and password, type that address into Google to make sure it’s legit.
Sometimes, hackers will copy the look and feel of sites you frequent to make their scam seem legitimate. If a website starts with http:// and not https://, that can be a red flag. If the website is http://www.ep1cgames.com, and not https://www.epicgames.com, that’s a big red flag. If the website is asking you to download something before proceeding, and that something is not Adobe Flash Player, Google what it is before just automatically downloading it. Most computers these days come with decent antivirus software that will let you know whether you’re downloading insidious malware, but it doesn’t hurt to double up. Here are some good options.
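The two red flags above (plain http:// and a digit-for-letter lookalike domain such as ep1cgames.com or f0rtn1te.net) can be checked mechanically. This is an added example, not a tool from Epic or any other company; the allow-list of real hostnames and the swap table are constructed assumptions, and the "registrable domain" helper assumes two-label domains rather than a public-suffix-list lookup.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the real hostnames for the services the article mentions.
KNOWN_HOSTS = {"www.epicgames.com", "epicgames.com", "www.fortnite.com", "fortnite.com"}

# Digit-for-letter swaps scammers use to mimic a brand name ("ep1cgames", "f0rtn1te").
LOOKALIKE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

def registrable(host: str) -> str:
    """'www.epicgames.com' -> 'epicgames.com' (assumes two-label registrable domains)."""
    return ".".join(host.split(".")[-2:])

def brand_of(host: str) -> str:
    """'www.ep1cgames.com' -> 'ep1cgames': the label an attacker has to imitate."""
    return registrable(host).split(".")[0]

def check_url(url: str) -> list:
    """Return the red flags found in url; an empty list means none were found."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("not https")
    if host in KNOWN_HOSTS:
        return flags                      # a real host, only the scheme could be wrong
    known_brands = {brand_of(h) for h in KNOWN_HOSTS}
    brand = brand_of(host)
    unleeted = brand.translate(LOOKALIKE)
    if brand and unleeted in known_brands and brand != unleeted:
        flags.append(f"lookalike domain: {host} imitates {unleeted}")
    elif brand in known_brands:
        flags.append(f"real brand name on an unexpected host: {host}")
    return flags
```

Run against the article's examples, https://www.epicgames.com comes back clean, http://www.ep1cgames.com is flagged twice, and https://f0rtn1te.net is flagged as a lookalike of fortnite.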
Don’t put your personal information out there
A decade ago, your parents probably warned you about the “strangers” and “dangerous people” haunting AOL chatrooms. Maybe they said that telling MMO buddies your first name could mean inviting some 50-year-old mouthbreather to stand outside your window all night. We’ve been on the internet long enough to know that, for the most part, people who play games online are not going to stalk you because you told them what city you live in. That said, it’s hard to vet how safe online friends are. And it’s easy to leverage even the tiniest bits of personal information against someone.
Sometimes, even just knowing your mom’s maiden name can be the key to your goods. Other times, someone can impersonate you to your cell phone provider’s customer service rep using your birthday and the last four digits of your social security number. It might not even take that much. People voluntarily overshare on Twitter and Facebook all the time.
If you are playing video games online—or streaming yourself playing video games—here’s a handy list of topics to avoid to protect yourself from potential harm:
Your full name
The full names of the people closest to you
Your exact birthday
Your address or a picture of your home
Your phone number
Your social security number
Any banking information
Where embarrassing photos of you live
Physical places you frequent (e.g. schools, restaurants, stores)
Any combination of this information can spell out exactly who you are, where you live and how to find you. You will need to rely on your own judgment when it comes to trusting strangers. Suffice it to say, there isn’t any reason to give out any of the above information to anyone you’re gaming with. (Bonus: You can get a gaming-specific VPN, a private network that masks where you are, to really protect yourself from getting tracked.)
Listen, if you’re trolling darkweb marketplaces for high-ranked League of Legends accounts, you’re inherently putting your security at risk. Games’ Terms of Service exist to protect developers, yes, but also, to protect gamers. If you’re doing something that flagrantly breaks a game’s Terms of Service, like purchasing in-game currency or installing cheat software, you could be giving an opening to hackers.
The sad, solemn truth is that it is impossible to account for everything. It really is. Good hacks happen to good, vigilant people. However, with these tips, you can exercise a little more control over the chaos that is the internet.