Face it, our government probably knows everything there is to know about you. Other governments do, too. Forgot your email password? Just ask the FSB! But security agencies don't use this data for simple, criminal attacks. A criminal hacking team that gets access to your personal information, on the other hand, typically tries to squeeze as much benefit as possible from its unauthorized access, and as quickly as possible, preferably you hear about it, such as when a breach like the Equifax hack goes public. Just what can you do once you realize that you've been hacked?
How Will You Know?
When a major hack like the recent Equifax fiasco occurs, the news outlets go wild. We all know that hackers now own personal data for 143 million consumers in the US, more than half of the adult population. Sure, you can check on the Equifax website to see if you were affected, but you might as well assume that you were. The only upside is that you're one among millions, so the hackers may never get around to messing with your details.
Other exposures aren't so easy to spot. Your first indication a hacker has compromised your credit card may be unexpected items on your bill. Always read credit card bills, and take care to figure out what every line means—even the small ones. Card-thieves will occasionally put through a few small purchases, just to make sure the card is OK, before making a big purchase. You can use a personal finance service, such as Mint.com, to keep an eye on all your credit card transactions from one place.
If you're lucky, your bank will detect fraudulent activity, decline the charges, and issue you a new card. That's a pain, of course, as any automatic payments you've configured will need the new number. But it's better than letting hackers buy a Caribbean vacation with your credit.
Scammers can use a compromised email account to broadcast spam, or to send targeted email scams to your contacts. Your first clue may be worried phone calls from friends asking if you're truly stuck in a Paris airport with no cash, or irate messages from those "you" have spammed.
An identity thief can also use your personal information to open credit accounts, accounts you know nothing about. You might only find out when a merchant slams the door on your request to open a new line of credit yourself. In the past, I've advised using AnnualCreditReport.com to request a free report from Equifax, Experian, and TransUnion once per year, spreading the requests out at four-month intervals. After the recent breach, I can't recommend having anything to do with Equifax. It's not clear yet how Equifax will pay for its negligence. I can only hope that the other two services will buckle down and tighten their security.
These days, PCMag is bullish on the Credit Karma service, which automatically pulls your credit from TransUnion and Equifax (unfortunately) as often as once a week to keep an eye on your credit. These are "soft" pulls which don't affect your credit the way too many "hard" pulls, the kind a company makes when you apply for more credit, do.
There are credit-monitoring services not associated with the Big Three. Both LastPass and Dashlane offer monitoring as a perk, for example, checking to see if your card numbers show up on the Dark Web. You do have to give them your credit card number, of course, but you're already trusting them to keep your passwords safe.
What Happens Next?
Credit card compromise may be the easiest hack to weather. You're not responsible for the fraudulent charges, and once the bank has issued a new card the problem is solved.
Regaining control of a hacked email account can be tougher. You'll have to contact the email provider and prove that you're the true account holder. Of course, if the hacker changes your password, you can't use your regular email to contact the provider. It's important to have more than one email address, and make each the alternate contact address for the other.
Did you use your email address as a username on other sites? That's certainly a common practice. But if you also used the same password that you used for the hacked email account, those accounts are now compromised as well.
Even if you didn't use the same password, you could still be in trouble. Think about this. If you forget a website password, what do you do? Right—you click to get a password reset link sent to your email address. A smart hacker who has control of the email account will quickly seek your other accounts, social media, perhaps, or worse, shopping and banking accounts.
After recovering from an email account takeover, you absolutely should visit every site that's associated with that email address and change your password. A password manager will be a great help at this point.
Help for Identity Theft
Full-on identity theft can be a nightmare. Victims can spend thousands of dollars over weeks and months trying to get their online identities and lives back in their control. The Federal Trade Commission offers an excellent advice site with full details on how you can proceed. Among other things, the site suggests that you order your credit reports, so you can see what's happened, and make an official identity-theft report with the FTC.
The site goes on to specify absolutely everything you need to do in step-by-step fashion. It includes checklists so you can make sure you didn't miss any tasks, as well as sample letters and forms. You won't go wrong relying on this useful resource.
Won't Get Hacked Again!
How can you make sure you don't get hacked, or don't get hacked again? Since the EquiFax hack, you've probably seen numerous articles exhorting you to freeze your credit, set up a fraud alert (meaning that you'll need to go through extra verification steps to open a new account), and so forth. Before making such modifications to your credit life, stop and consider whether you're willing to make them permanent. After all, the next big breach is just around the corner; in fact, it may have already happened. The actual breach in the Equifax case happened months ago.
As far as credit cards go, there's not much you can do, other than avoid shopping at shady retailers, real-world or online. Most brick-and-mortar stores now accept chipped credit cards (though there are still holdouts). Chipped cards secure in-person transactions thoroughly, but they can't help with card-not-present online transactions.
Mobile-based payment systems like Apple Pay and Android Pay are actually more secure than physical credit cards. Each transaction uses a unique number, so hackers gain nothing by stealing existing transaction data. And you can use the mobile payment system for online purchases as well. Just protect your mobile device with a fingerprint or a strong passcode, and always keep it with you.
Poorly-secured websites can expose your email address and password to hackers, but using a bad password leaves your account wide open to a simple brute-force attack. Use a strong password for your email account, and a different strong password for every other account or secure site. Yes, you'll need a password manager, but you don't have to pay. The best free password managers are quite effective.
On some sites, you can request a password reset by answering a few simple security questions. The problem is, in most cases the bad guys can Google up the answers to those questions in seconds. If you're allowed to define your own security questions, do so, and choose strong questions—ones only you could answer. If you're forced to choose from lame questions like your mother's maiden name, don't use a truthful answer. Pick a false answer that you'll remember. And don't use the same question/answer pairs on multiple sites.
As for protecting against full-scale identity theft, there are some things you can do. Never fill out any information on Web forms beyond what is absolutely required. If it's required but not relevant, like your street address on a site that doesn't ship things to you, make something up! Get an inexpensive shredder for paper bills and statements. Review all statements, and make use of your free credit reports.
Yes, there's some effort involved, some vigilance. But it's vastly less than the work you'd have to expend to recover if hackers managed to steal your identity.