Protecting your digital persona, cause nobody else will do it for you
Just one website https://haveibeenpwned.com/ lists 11,389,527,466 pwned accounts. The world population is only 7.8 billion. That’s multiple passwords breached for every user. If you wonder whether your password has ever leaked, do look it up in the link above. The passwords have leaked from everywhere. Sample this:
- RockYou2021 (May 2021): 3.2 Billion
- Facebook (Mar 2021): 533 Million
- CAM4 data breach (March 2020): 10.88 billion
- Microsoft (Jan 2020): 250 Million
- Facebook (April 2019): 540 Million
- Aadhaar (March 2018): 1.1 Billion
- Marriott (2018): 500 million
- Twitter (2018): 330 million
- Yahoo (2017): 3 billion
- Equifax (2017): 148 Million
- Adult Friend Finder (2016): 412.2 million
- Yahoo (2014): 500 million
(The above list may include duplicates, since some of the collections are scraped together from multiple past breaches.)
The above list is not exhaustive and is just the tip of the iceberg; there are many more. I personally like this website below.
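As an added example (not part of the original article), here is how the "has my password leaked" lookup recommended above can be done without sending the password anywhere. The Pwned Passwords range API behind haveibeenpwned.com takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix with that prefix, so the full hash and the password stay on your machine. The sample reply and its counts are constructed for the demo, not real API data; the live fetch is optional and needs network access.

```python
import hashlib
import sys
from typing import Callable, Tuple

# Pwned Passwords range endpoint: append the first five hex characters of the
# SHA-1 hash; the reply lists every known hash suffix with that prefix, one
# "SUFFIX:COUNT" per line. The full hash, and the password, never leave the machine.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return the upper-case SHA-1 hex digest split into its 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Scan a range reply for the given suffix; return its breach count, or 0 if absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        found, _, count = line.partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Query the live API for one prefix (network access required; not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "leak-check-example"},  # the API documentation asks for a user agent
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample reply for prefix 5BAA6 (suffixes and counts are made up, not real API data).
SAMPLE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "2B9A5B9D4F7D1C7A8E9F0A1B2C3D4E5F6A7:7\n"
)


if __name__ == "__main__":
    # Offline demo against the constructed reply; pass --live to query the real API instead.
    fetch = fetch_range if "--live" in sys.argv else (lambda _prefix: SAMPLE_RESPONSE)
    for candidate in ("password", "correct horse battery staple"):
        hits = check_password(candidate, fetch)
        verdict = f"seen {hits} times, change it" if hits else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

Run it as-is for the offline demo, or with `--live` to query the real service; in both cases only a 5-character hash prefix is sent, which is why this check is safe to run on a password you actually use.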
This article was prompted by two breach notifications I received for my personal data leaking as part of the moneycontrol.com data dump and the Dominos India data dump within the last month. It was irritating, but my response actions were limited to changing passwords for these sites using my Password Manager. These breaches did not pose a wider risk for me. How did I reduce my attack surface? I follow some practices that I shall explore below.
As individuals, we have to assume that our passwords are no longer safe. This is risky, especially considering that we conduct many financial activities online, some of which are protected by nothing more than a password. Also, a leak rarely contains only passwords; it usually includes other data points such as credit card numbers, addresses, mobile numbers, etc.
We need to protect our own privacy and get into 'assume breach' mode. Many of the controls applicable in a corporate environment apply in the personal digital world as well. So what can we do?
- Use a password manager. It helps you create and manage a different password for each online account you have, so even if one site gets breached, the potential risk is limited to the data on that site. A secondary benefit is that it protects you from spoofed sites, which are typically used to extract information through phishing: even if you cannot tell the difference from the site URL, the password manager will, because it only fills credentials on the site they were saved for. There are many possible solutions out there, including free ones. I highly recommend it. Check out recommendations from SANS at Password Managers | OUCH! Month Year | SANS Security Awareness.
- Have multiple email accounts: one for important dealings such as online banking and other critical services, and at least one more for everything else. Try to avoid mixed usage and keep them separated as much as possible. If possible, do the same with mobile numbers.
- Most online shopping sites offer to save your payment details, such as credit cards, by default, and some offer an opt-out check box. Look out for this on the checkout page and, wherever possible, do not let them save your card details.
- Use privacy-minded browsers and search engines where possible. Where that is not possible, use browser extensions such as AdBlock, Ghostery, uBlock Origin, etc. to reduce your attack surface. Read this article to know about a few more.
- Most leading browsers now offer breach monitoring for free and alert you by email if they see your data becoming public as part of a data breach somewhere. Check out Firefox Monitor, or the equivalent features in Microsoft Edge and Google Chrome. There are many other similar services online if these do not work for you.
- Wherever possible, especially for anything involving financial or critical data transactions, turn on multi-factor authentication (MFA) for your account. Most social media platforms such as Facebook, Twitter, Instagram, LinkedIn and many more offer this for free. Wherever possible, use an authenticator app and not SMS as the second factor. Most of these sites support freely available authenticator apps such as Microsoft Authenticator or Google Authenticator.
There is much more that you can do, but these are good and easy ways to start. It requires a bit of awareness and a little discipline to keep your digital persona protected and to reduce the impact when a breach does occur.
Here are some more ways to explore and learn:
- Privacy — Protecting Your Digital Footprint — SANS OUCH! Newsletter — April 2021
- 12 Simple Things You Can Do to Be More Secure Online | PCMag
- How to Protect Your Privacy Online: Tips | Norton
- Here are 13 Smart Ways to Protect Yourself Online (whatismyipaddress.com)
- How to Protect Your Digital Privacy — The Privacy Project Guides — The New York Times (nytimes.com)