E-mail address compromised, need advice to stay safe.
Old 04-01-2023, 02:16 PM   #1
Thinks s/he gets paid by the post
 
Join Date: Jan 2019
Location: Sunny California
Posts: 1,951

I'm really concerned about identity theft since it looks like my main e-mail address has been hacked and this is the second time now. I have a bunch of CD's maturing this year and the thought of moving funds around right now is scaring me a lot. I'm looking for any suggestions to keep me safe when online so this does not happen again.

Here's what I have so far

I'm going to create a new separate e-mail address for online banking only and use a new dedicated phone number only for 2FA.

Changing passwords and using a new e-mail address for all my accounts. I'll keep the old one for the junk and subscription e-mails that I get.

I'm going to powerwash one of my Chromebooks and only use it for online banking. I remember reading somewhere I should use it in guest mode as well to stay anonymous. I always use bank websites but then I started to think that their apps might be more secure. I assume the apps might run faster but are they safe? Which method do you use?

I have not run my credit report in a couple of years either so I need to do that. I will also be freezing my credit.

Is it safe to save my passwords in Google or Microsoft or should I just write them all down moving forward?
I currently have gmail and yahoo addresses, which do you consider safe and use?
Anything else I should do? Basically I would love to completely remove my name and address from the internet and become completely anonymous online if that's possible.
RetiredAndLovingIt is offline   Reply With Quote
Old 04-01-2023, 02:27 PM   #2
Recycles dryer sheets
 
Join Date: Apr 2016
Posts: 53
What does it mean that your email address was hacked?
UpQuark is offline   Reply With Quote
Old 04-01-2023, 02:40 PM   #3
Thinks s/he gets paid by the post
 
Join Date: Dec 2017
Posts: 1,146
I save non-essential passwords to Chrome but it's probably not the best for banking and investment ones. Can you use authentication apps or a security key rather than a dedicated phone? I also have an email just for banking and investment accounts. People have a lot of opinions. I use one Chromebook for everything and I think that's low risk.
RetMD21 is offline   Reply With Quote
Old 04-01-2023, 02:40 PM   #4
Thinks s/he gets paid by the post
 
Join Date: Apr 2008
Posts: 1,688
Like the previous post, I am curious how your email account was hacked. I would also ask what tipped you off, but maybe that's information you don't want to post here.

My personal paranoia makes it such that I refuse to have any cloud-based accounts (i.e. Windows 10 user accounts on Microsoft's servers) or online services managing my passwords. Same goes for apps storing my account names and passwords. My browsers are set to not remember my passwords.

I 2FA every single time I log into an important account. I also refuse to keep my emails stored on the provider's server. All (but the junk) get downloaded to my computer via an email client, then the resulting local emails/folders are backed up to three separate non-OS drives. After that, the server copies are deleted. I use my secondary email provider for those emails where there is *any* worry about being hacked. I trust no one. All that said, I could still be hacked.

I wouldn't recommend what I do to anyone else, but I will say the price of convenience can at times be an increase in risk. I am not sure what I have written will be of any help for you. Sorry for your situation.
statsman is offline   Reply With Quote
Old 04-01-2023, 02:43 PM   #5
Thinks s/he gets paid by the post
 
Join Date: Jan 2019
Location: Sunny California
Posts: 1,951
In my Google security settings it tells me I have 4 compromised passwords and gives me the website names.
RetiredAndLovingIt is offline   Reply With Quote
Old 04-01-2023, 02:57 PM   #6
Moderator
 
Join Date: Nov 2015
Posts: 12,251
Quote:
Originally Posted by RetiredAndLovingIt View Post
In my Google security settings it tells me I have 4 compromised passwords and gives me the website names.
Is that all? I have that for dozens of sites. Most are non-financial and I can't be bothered. Google just recommends I change my password. It's whack-a-mole to keep up.

So your actual email (sending, etc.) has not been hacked, but your email name has been compromised?

Changing your passwords should be sufficient.
Aerides is offline   Reply With Quote
Old 04-01-2023, 03:02 PM   #7
Moderator
 
Join Date: Feb 2010
Location: Flyover country
Posts: 23,409
I think the two most basic things anyone can do are to change their password on every significant website (meaning financial or other sites they really care about) every year, and to use a password manager (don't let your browser remember your logins).
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 04-01-2023, 03:24 PM   #8
Recycles dryer sheets
 
Join Date: Mar 2008
Posts: 233
My advice - use DIFFERENT passwords for each financial and email account.

Use 2 factor authentication for all financial and email accounts.

Have multiple email addresses. For spam, junk, etc. - use a junk email. Don’t mix online purchase email with your main/financial email address.

Never use these passwords or variants anywhere else.

I know many people that overuse the same password.
__________________
Retired 3/22/2021
retire48in2018 is offline   Reply With Quote
Old 04-01-2023, 03:36 PM   #9
Thinks s/he gets paid by the post
 
Join Date: Jan 2019
Location: Sunny California
Posts: 1,951
My mistake was that I used the same User ID, generic password and e-mail address for every website I signed up for, including banks, for many, many years and that seems to be the one that was found in a recent data breach. I changed all my user names and passwords for the banks a while ago but continued to use the same e-mail address, which came up in a recent data breach again.
RetiredAndLovingIt is offline   Reply With Quote
Old 04-01-2023, 03:39 PM   #10
Thinks s/he gets paid by the post
 
Join Date: Jan 2019
Location: Sunny California
Posts: 1,951
Quote:
Originally Posted by Aerides View Post
Is that all? I have that for dozens of sites. Most are non-financial and I can't be bothered. Google just recommends I change my password. It's whack-a-mole to keep up.

So your actual email (sending, etc.) has not been hacked, but your email name has been compromised?

Changing your passwords should be sufficient.
Yep, that's exactly it. Hacked was probably the wrong word to use.
RetiredAndLovingIt is offline   Reply With Quote
Old 04-01-2023, 04:19 PM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 15,895
The best 2FA is via a small dongle such as a Yubikey. But, you need more than one in the event you lose the dongle. And use it every time you log on. Also, with the changes in connection ports you may need two dongles, one for old-style USB and one for the new USB-C. Then there is Apple's lightning port to consider. They don't make this easy.

https://www.wsj.com/articles/the-str...e-key-d0b38b27

Quote:
Security keys protect you in two ways: First, there’s no code to steal, and second, they use a security protocol to verify the website’s domain during login, so they won’t work on fake sites.
You can also add an authenticator app such as Authy to your most important accounts, to use only as a backup. But once you add these secure methods, you should consider removing the text-message code option.
Next best is an authenticator app that generates a code you type in. But criminals will try to trick you into giving them the code by spoofing a bank's or broker's website.

Worst is a text message of the authentication code to your phone. Text messages are not very secure. They are better than nothing since a lazy bad-guy might decide to move on to another mark who has no 2FA.
__________________
The worst decisions are usually made in times of anger and impatience.

Self proclaimed President for Life of Outliers United.
Chuckanut is offline   Reply With Quote
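
Added example, not part of any post in this thread: a short Python sketch of why a typed authenticator code can be relayed through a spoofed site while a security key's answer cannot. The origins are constructed, `ToyKey` is a hypothetical simplification, and HMAC stands in for the per-site signature a real key produces.

```python
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 code (HMAC-SHA1). Inputs are seed and time only, never the site."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ToyKey:
    """Toy security key: one credential per origin, selected by the origin the
    browser reports. HMAC is a stand-in for the real per-site signature."""

    def __init__(self):
        self._creds = {}

    def register(self, origin: str) -> bytes:
        self._creds[origin] = secrets.token_bytes(32)
        return self._creds[origin]  # the site keeps this (stand-in for a public key)

    def respond(self, origin: str, challenge: bytes):
        cred = self._creds.get(origin)
        if cred is None:
            return None  # unknown origin: the key has nothing to answer with
        return hmac.new(cred, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def site_accepts(site_cred: bytes, own_origin: str, challenge: bytes, response) -> bool:
    """The real site recomputes the answer over its own origin and challenge."""
    if response is None:
        return False
    want = hmac.new(site_cred, own_origin.encode() + b"|" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(want, response)


def compare_factors():
    real, lookalike = "https://bank.example", "https://bank-login.example"  # constructed
    # Authenticator app: the code shown to the user carries no site information,
    # so the bank's check passes no matter which page the user typed it into.
    seed, now = b"12345678901234567890", 59  # RFC 6238 test seed and time
    code_shown_to_user = totp(seed, now)
    code_accepted = hmac.compare_digest(code_shown_to_user, totp(seed, now))
    # Security key: the answer depends on the origin the browser is really on.
    key = ToyKey()
    site_cred = key.register(real)
    challenge = secrets.token_bytes(16)  # issued by the real bank
    genuine = site_accepts(site_cred, real, challenge, key.respond(real, challenge))
    via_lookalike = site_accepts(site_cred, real, challenge, key.respond(lookalike, challenge))
    return code_accepted, genuine, via_lookalike


if __name__ == "__main__":
    print(compare_factors())
```
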
Old 04-01-2023, 05:39 PM   #12
Full time employment: Posting here.
 
Join Date: Aug 2018
Posts: 568
Quote:
Originally Posted by RetiredAndLovingIt View Post
I will also be freezing my credit.

Is it safe to save my passwords in Google or Microsoft or should I just write them all down moving forward?
Definitely freeze your credit at all 3 bureaus.

NO NEVER EVER save passwords, userids, security question answers on ANY browser.

Quote:
Originally Posted by RetiredAndLovingIt View Post
My mistake was that I used the same User ID, generic password and e-mail address for every website I signed up for, including banks, for many, many years and that seems to be the one that was found in a recent data breach. I changed all my user names and passwords for the banks a while ago but continued to use the same e-mail address, which came up in a recent data breach again.
Write them down and keep a 2nd copy or use a local, not cloud-based, password manager like Bitwarden or KeePass. Make all userids and passwords unique, long (20+ is good as longer is better) and a mixture of upper/lower case, numbers and symbols that don't mean anything. NEVER use words in any dictionary of any language.

Using a Yubikey is a good idea.
Graybeard is offline   Reply With Quote
Old 04-01-2023, 05:43 PM   #13
Thinks s/he gets paid by the post
 
Join Date: Jul 2011
Posts: 1,205
Quote:
Originally Posted by Chuckanut View Post
The best 2FA is via a small dongle such as a Yubikey. But, you need more than one in the event you lose the dongle. And use it every time you log on. Also, with the changes in connection ports you may need two dongles, one for old-style USB and one for the new USB-C. Then there is Apple's lightning port to consider. They don't make this easy.

https://www.wsj.com/articles/the-str...e-key-d0b38b27

Next best is an authenticator app that generates a code you type in. But criminals will try to trick you into giving them the code by spoofing a bank's or broker's website.

Worst is a text message of the authentication code to your phone. Text messages are not very secure. They are better than nothing since a lazy bad-guy might decide to move on to another mark who has no 2FA.
This was the same advice that I was provided. I do need a new Yubikey.

I keep my financial and other important passwords on a Kingston thumb drive that, if lost or stolen, is supposed to have 10 log-ins before it will destroy the info on the drive. I also have a backup Kingston which I put in a fireproof safe.

Finally, KeePass is my password manager for my thumb drive. I am guessing it has all the features of the online password managers but the password is stored on the thumb drive and not the cloud, which I believe provides additional protection.
savory is offline   Reply With Quote
Old 04-01-2023, 11:57 PM   #14
Full time employment: Posting here.
 
Join Date: Jan 2013
Posts: 600
Quote:
Originally Posted by retire48in2018 View Post
My advice - use DIFFERENT passwords for each financial and email account.

Use 2 factor authentication for all financial and email accounts.

Have multiple email addresses. For spam, junk, etc. - use a junk email. Don’t mix online purchase email with your main/financial email address.

Never use these passwords or variants anywhere else.

I know many people that overuse the same password.
+1. This is the way to do it.

Use one dedicated e-mail address for your financial accounts and don't use that for anything else.

I keep a master file of all my accounts login info (e-mails, banks, credit cards, e-commerce accounts, SSA account, etc.) and for each account, I track user id, password (all different), last log-in date, address on record, e-mail on record, phone number on record, method of authentication, credit card on record, and any notable events associated with an account (e.g. a cc account getting hacked).

This master file is encrypted and kept in 3 separate USB drives offline and never stored on my PCs or laptops. I only access the file when I need to log into my accounts and I back up the file once a month.

This way I don't have to memorize any password or user id. I just pull up my file to look them up when I need to access an account on-line. I definitely don't trust any "cloud" to safely store all this info for me. Been using this approach for 20 years and have never had any problems.
luckydude is offline   Reply With Quote
Old 04-02-2023, 02:15 AM   #15
Recycles dryer sheets
 
Join Date: Sep 2021
Posts: 101
For online banking, I only use wired internet.
freedom2022 is offline   Reply With Quote
Old 04-02-2023, 04:58 AM   #16
Recycles dryer sheets
 
Join Date: Mar 2018
Posts: 340
Everyone I know gets "hacked" using Yahoo.

With Gmail I have one account set up that gets emailed when one of my other Gmail accounts gets a weird login from a new device, new browser, new location, setting changes, etc., plus 2-factor set up on each account.

Also, with Gmail you can use plus addresses that go to the base account for different website logins.

Sample: BOB@gmail.com, use BOB+1234@gmail.com and it will go to BOB@gmail.com
ransil is offline   Reply With Quote
Old 04-02-2023, 05:04 AM   #17
Thinks s/he gets paid by the post
 
Join Date: Mar 2014
Location: Apex and Bradenton
Posts: 1,039
Use strong passwords and 2FA, and you should be okay, or as well off as most people.
__________________
Good Luck,
Latexman
latexman is offline   Reply With Quote
Old 04-02-2023, 05:33 AM   #18
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 11,014
Quote:
Originally Posted by ransil View Post
Everyone I know gets "hacked" using Yahoo.

With Gmail I have one account set up that gets emailed when one of my other Gmail accounts gets a weird login from a new device, new browser, new location, setting changes, etc., plus 2-factor set up on each account.

Also, with Gmail you can use plus addresses that go to the base account for different website logins.

Sample: BOB@gmail.com, use BOB+1234@gmail.com and it will go to BOB@gmail.com
Yahoo is my go-to signup address so most spam goes there. I have had that address for as long as Yahoo has provided email and it has never been hacked.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is offline   Reply With Quote
Old 04-02-2023, 07:10 AM   #19
Thinks s/he gets paid by the post
 
Join Date: Feb 2012
Location: Northern Ohio
Posts: 3,013
Quote:
Originally Posted by donheff View Post
Yahoo is my go-to signup address so most spam goes there. I have had that address for as long as Yahoo has provided email and it has never been hacked.
If you’ve been using Yahoo for a long time, you’ve been “hacked”.

https://en.wikipedia.org/wiki/Yahoo%21_data_breaches
The Internet service company Yahoo! was subjected to the largest data breach on record. Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016.

Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords.
mpeirce is offline   Reply With Quote
Old 04-02-2023, 07:14 AM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 8,844
Quote:
Originally Posted by RetiredAndLovingIt View Post
I'm really concerned about identity theft since it looks like my main e-mail address has been hacked and this is the second time now. I have a bunch of CD's maturing this year and the thought of moving funds around right now is scaring me a lot. I'm looking for any suggestions to keep me safe when online so this does not happen again.

Here's what I have so far

I'm going to create a new separate e-mail address for online banking only and use a new dedicated phone number only for 2FA.

Changing passwords and using a new e-mail address for all my accounts. I'll keep the old one for the junk and subscription e-mails that I get.

I'm going to powerwash one of my Chromebooks and only use it for online banking. I remember reading somewhere I should use it in guest mode as well to stay anonymous. I always use bank websites but then I started to think that their apps might be more secure. I assume the apps might run faster but are they safe? Which method do you use?

I have not run my credit report in a couple of years either so I need to do that. I will also be freezing my credit.

Is it safe to save my passwords in Google or Microsoft or should I just write them all down moving forward?
I currently have gmail and yahoo addresses, which do you consider safe and use?
Anything else I should do? Basically I would love to completely remove my name and address from the internet and become completely anonymous online if that's possible.
Do Not Reuse Passwords.

Our family uses 1Password to manage passwords.

That's our approach now.
target2019 is offline   Reply With Quote