Tips for an Information Security Analyst/Pentester career - Ep. 20: Lessons from a breach

Scenario 

Over the last few days, I had to deal with information security under a new point of view: as a victim.

I used an old Skype account to talk to my mom in Italy and, when I tried to call her on Friday, Skype refused my password.

When I tried to reset my password, the options provided displayed an email and a phone number not belonging to me, so I got locked out.

I had purchased a subscription for calling to Italy by using that account, and that was my main concern.

This old Skype account dated back to six years ago, when Skype had not been purchased by Microsoft yet, and I hadn't linked it to my Microsoft account.

Dealing with Skype support has been an awful experience.  Their support service is a joke.

All they can suggest so far is to reset the password for my Microsoft account, which doesn't do anything for me in this specific case, because my Skype account isn't linked to it.

I also found a Skype phone support number, but the call never goes through, as it's always busy.

The number doesn't even ring.

At the end of the day, I canceled the automated payments on my end, while still waiting for Microsoft to escalate and solve this problem.

I wouldn't wish such an experience to my worst enemy.

For the first time in my life, when dealing with cyber security, I felt absolutely powerless and overwhelmed, so now I can relate yet more to how victims of such breaches might feel.

This strengthens yet more my commitment and personal mission to make systems more secure.

I'm honestly embarrassed to share this, but I do it with the hope to help other people, so that such situations don't happen to them.

Learned lessons

1. Get hold of all your accounts you created online and check their password strength:

I was pretty lazy in this case, as this specific account didn't have an extremely strong password. I could have changed it years ago and none of this hassle would be going on right now.

If I had linked that account to my Microsoft account, I could've used two factor authentication. But I honestly under-estimated this type of threat, and having a full plate contributed for sure.          

That's another lesson: never think it couldn't happen to you.

2. Avoid daisy-chaining passwords: use different passwords for different accounts. We sometimes lose track of the accounts we created online, but sadly they are still there and can be breached, leading to painful consequences. Maybe you created an account on a website 4 years ago to apply for a job, or because you wanted to create a personal webpage. Then you got sidetracked or changed your mind and abandoned that project, but your account is still there. Sadly, these sites, especially if they're not owned by large corporations, often end up being breached. If you used for that website the same password you used for other websites, or you used your Facebook or Google handle to log in, an attacker might be able to compromise more accounts, possibly all of your accounts. In fact, an account I had on a web hosting website was breached and that led to my Yahoo! credentials being compromised. I changed the password at least 7 times ever since, but that's how you get in troubles. (By the way, I now closed that account).
3. Change all your passwords: especially if you haven't changed them in years, but be careful about how you do it. You want to choose stronger passwords, longer and more robust, not weaker passwords.

A good method for this is to use LastPass Security Challenge.

It automatically checks all your profiles and passwords, highlighting weak passwords, reused passwords and so on.

I was shocked by the results.

I had created most of these accounts a bunch of years ago, when I wasn't so knowledgeable in terms of security as I am now and I wasn't as paranoid.

So I'm taking time to change each one of these passwords to ultra-complex passwords, to prevent this problem from re-occurring over and over again.

I'm also closing all accounts I don't use and/or need for my day-to-day activity.

Should I need them back, I can always re-create them with safer credentials.

Anyhow, waiting to recover my old account, I blocked any automated payments from it.

Sorry, no goodies for you.

You messed with the wrong guy.

Wrap-up

Security isn't only a hassle or something you hear in the news.

It's something that can get much closer to you than you think, and hurt your personal world, along with your finances.

Don't be lazy when it comes down to your security, because this might mean your personal and financial ruin.