A friend of mine just had their Facebook account broken into the other day, and the attackers employed an ingenious trick to lock her out forevermore: enabling two-factor authentication and tying it to a random phone number. As a result, she can’t get in no matter how many password resets she submits, and Facebook’s official channels—not always the best for customer service—have left her high and dry.
Account break-ins suck, whether they’re random attacks from someone who guessed or got ahold of your password, or people you know who are being cyber-assholes. The latter is the case that Lifehacker reader Michelle is running into, and here’s her (incredibly brief) story she sent to Tech 911:
My ex has hacked all my accounts and keeps backing up passwords, so when I try to set new ones up he has the info already. Please help.
How to get your account back after you’ve been hacked
I’m sorry you’re dealing with this, Michelle. I’m not quite sure I understand the bit about backing up passwords, but I’m assuming that your ex has set up some kind of backdoor into your accounts. So, even if you were to change the password, he still has some way to get back into your account and reset it to something else. There are plenty of ways to do this, unfortunately—even something as innocent as making a copy of the backup keys you use for two-factor authentication (2FA).
Whether I’ve got that right or not, let’s go over everything you’ll want to do to regain access to your accounts—and the order in which you’ll want to do it. First and foremost, you’ll want to make sure you’ve locked down whatever you use to save your passwords. If that’s your web browser, for example, and you’ve signed into said browser with an account (like your Google account), you’ll want to access that account and change the password. Make it something unique, a password that can’t be guessed with random words, phrases, or anything else related to you.
But that’s just the bare minimum. While you’re doing this, go through your account’s settings and make sure that everything is correct. Is your email address accurate? Your phone number? Is there any other identifying information that isn’t, well, yours? If so, change it back to yours. And if the company behind the account in question offers a way to see anywhere else you’re logged in with your account—and revoke permission for those devices—do that, too.
Next, check to see if you can sign up for two-factor authentication for your account. If it’s already enabled, great! Disable it, re-enable it, and copy/paste any new backup codes you’re provided to a safe location. If you’ve never used 2FA, enable it immediately once you’ve confirmed that only your email address and/or phone number are associated with your account—no others.
This final step is critical, and it should help you address any and all login issues. That’s because you’ll now use a device like your smartphone—either via a text message or authenticator app—as a second form of verification for any login attempts. Someone might know your password, but they won’t be able to do anything with it unless they have that special, changing code that (theoretically) only you can access. And if you get one of these login notification requests, but it wasn’t you that tried to log into an account, you’ll know to change your compromised password (again).
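To see why a copied 2FA seed or set of backup codes works as a backdoor, and why disabling and re-enabling 2FA closes it, here is an added example that is not part of the original article. The `totp` function follows the standard time-based code from RFC 6238; the `Account` class and its backup-code format are a constructed model, not any real service's implementation.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the changing code an authenticator app shows."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    """Constructed model of one account's server-side 2FA state (an assumption)."""

    def __init__(self) -> None:
        self.enroll()

    def enroll(self) -> None:
        """Disable and re-enable 2FA: new seed, new backup codes, old ones void."""
        self.seed = secrets.token_bytes(20)
        self.backup_codes = {secrets.token_hex(4) for _ in range(5)}

    def verify(self, code: str, now: int) -> bool:
        if code in self.backup_codes:
            self.backup_codes.discard(code)  # backup codes are single-use
            return True
        # Accept the current and previous 30-second step to allow clock drift.
        return any(hmac.compare_digest(code, totp(self.seed, now - d))
                   for d in (0, 30))

def demo(now: int = 1_700_000_000) -> dict:
    acct = Account()
    # Someone with one-time access copies the seed and the backup codes.
    copied_seed, copied_backups = acct.seed, set(acct.backup_codes)
    results = {"copy_works_before_reset": acct.verify(totp(copied_seed, now), now)}
    acct.enroll()  # owner disables and re-enables 2FA
    results["copied_seed_after_reset"] = acct.verify(totp(copied_seed, now), now)
    results["copied_backup_after_reset"] = any(
        acct.verify(c, now) for c in copied_backups)
    results["owner_new_code"] = acct.verify(totp(acct.seed, now), now)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```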
Now that you know the basics, you’ll next want to tackle other pressing accounts: your email, your cellular carrier, and so on. Basically, you’re going to want to go from most-important to least-important and make the same checks and changes: Is any other information associated with your account that shouldn’t be (like a different email address)? Have you changed the password to something that you don’t use anywhere else, have never used before, and that is impossible for a normal person to guess? Can you set up 2FA?
The more accounts you lock down, the fewer issues I suspect you’ll have with anybody breaking in. And since you’re going to have to go through this annoying process with any account you want to secure, now’s a great time to start using a password manager (if you aren’t already). Make sure you assign it a solid, unique password—and lock it down with 2FA—and you can then use the app to help you create unique, complicated passwords for all of the accounts you’ll be working on.
Based on your letter, I’m not entirely convinced you won’t have to reset all of your devices, too, to ensure nobody has installed spyware on them. It wouldn’t be the worst idea—reset your PC or Mac and set it up from scratch, or consider taking note of all the apps on your phone, backing up its data (such as your photos) to the cloud, and wiping it. You’ll have to spend some time setting it up again, but you’ll feel better knowing that only you have ever had physical access to this device. And, as a result, it’s probably as secure as it’ll ever be.
Similarly, make sure you’ve gone through any accounts that offer family sharing—such as Google, Microsoft, or Apple accounts—and disable it, in case that’s the trick your ex was using to keep a foot in the digital door.
Basically, you’re going to need to take some time to go through your major accounts, inspect their settings, lock them down, and sanitize your digital life. It’s an annoying process, and I’m sorry, again, that you have to deal with it, but you’ll come out of this with a much more secure setup in place.
David Murphy is Lifehacker's Senior Technology Editor. He has geeked out writing for The New York Times, Wirecutter, PC Magazine, Reviewed, Computer Shopper, and PCWorld. www.thedavidmurphy.com