A haunting of unauthorized login attempts

A musing on the nature of data privacy and security grounded in small experiences. This article is an experiential sequel to my yesteryear's story on “A haunting of account forgotten”, and similarly this story is both an account and a haphazard guide.

Internet life is wild: one minute you are doing serious reading about stress in the career and professional journey you are embarking on, and the next you are declining 2FA requests, working through data privacy concerns, and then writing an article about it.


2FA is now mainstream, although I too am fatigued about having to set it up everywhere. Like any technically aware individual, I struggle with balancing the strength of my security and privacy choices against the ease and practicality of maintaining them.

After declining 2FA requests for a couple of unauthorized login attempts (most big-tech and internet-based apps do a good job with this now), I had to take stock of my online data privacy and work through some form of checklist for it (again).

First things first, I reset the password for the specific account, and then moved to securing my other accounts.

I used my trusty Firefox (now Mozilla) Monitor account to see if this was because of any recently reported breaches for my email. Once there, I noticed the new(ish) data search feature, which checks data brokers so you can know what’s out there. It is true that ignorance can be bliss, because now I know it’s out there and have to work on mitigating the effects, taking the best satisficing actions I can. Leaving the gestalt of the issue at hand to the experts, I will just use this time to make my haphazard guide for a data privacy check when an adverse security event occurs (I will do my best to refer rather than create).

Looks like both ChatGPT and Gemini can generate recommendations similar to these (so this is not that unique an article), although I will add one nuance to that (1+).

1. Reset the password (refer to the site where you had the event and follow steps to reset)

Most service providers now have a page dedicated to such cases; if they don’t, ask them to do better.

1+. Avoid and Mitigate password re-use (Extra) — Password Audit

This is the step that was missing from the suggestions above. In order to manage passwords at scale, even with password managers, we tend to re-use passwords fully or in part. This means a single breach/hack can have a wider and far-reaching effect on your data privacy and security, so I have to do an audit and make sure my other accounts with the same or a similar password are safe.

I personally struggle with using OAuth sign-in from Google, FB, etc., which means trusting these providers with your data, versus making a new account; it’s hard to balance between privacy and security, although it shouldn’t be (one can dream :D).

2. Time for a check-up

Now that you have taken care of one or more of your vulnerable accounts, good job. Take a breath, get a cup of tea, then you should do a check-up.

You should try and see if there are any known breaches your information was part of. I have heard great things about haveibeenpwned.com; I personally use the Mozilla Monitor, mentioned above, which builds on top of it. Go through the breaches linked to your email(s) or accounts and see how the security and/or personal information may have been leaked. If none of them explains the event, there is more to it. Time to be extra careful and aware: there are many ways this could have happened, so time to up our game by reading and learning (https://support.mozilla.org/en-US/kb/how-stay-safe-web).
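As an added example (not part of the original post), here is the password audit from step 1+ and the breach check from step 2 as one small Python script. It reads a constructed password-manager CSV export with Bitwarden-style column names (an assumption; adapt the column names to your own manager's export), flags exact reuse and near-reuse (the same core with a different suffix or case), and shows the k-anonymity split used by Have I Been Pwned's Pwned Passwords range API: only the first five hex characters of the SHA-1 go over the wire, and the 35-character suffix is compared locally against the returned list. The range response below is constructed rather than fetched, so the script runs offline; the breach count in it is made up.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed sample of a password-manager CSV export (Bitwarden-style columns,
# trimmed). Names, usernames and passwords are made up for this example.
SAMPLE_EXPORT = """name,login_username,login_password
example-mail,alice@example.com,Tr0ub4dor&3
example-bank,alice@example.com,Tr0ub4dor&3
example-shop,alice,Tr0ub4dor&3!
example-forum,alice,correct horse battery staple
example-news,alice@example.com,tr0ub4dor&32024
"""

# Constructed stand-in for the body the Pwned Passwords range API returns for
# prefix 5BAA6: lines of SUFFIX:COUNT. The count is invented for the example.
SAMPLE_RANGE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
"""


def normalize(pw):
    """Collapse the tweaks people use to 'vary' a password: case, plus any
    trailing digits/symbols (Summer2024! -> summer)."""
    core = pw.lower()
    return re.sub(r"[\d!@#$%^&*._-]+$", "", core)


def load_export(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_reuse(rows):
    """Return (exact, similar): exact maps a password to the accounts that share
    it verbatim; similar maps a normalized core to accounts whose passwords
    share that core but are not all identical (partial reuse)."""
    by_password = defaultdict(list)
    by_core = defaultdict(list)
    for row in rows:
        pw = row["login_password"]
        by_password[pw].append(row["name"])
        by_core[normalize(pw)].append((row["name"], pw))
    exact = {pw: names for pw, names in by_password.items() if len(names) > 1}
    similar = {
        core: [name for name, _ in entries]
        for core, entries in by_core.items()
        if len({pw for _, pw in entries}) > 1
    }
    return exact, similar


def hibp_range_query_parts(pw):
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to
    https://api.pwnedpasswords.com/range/<prefix> and the suffix that is only
    ever compared locally. The full hash never leaves the machine."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def check_against_range(suffix, range_body):
    """Look the local suffix up in a range response; 0 means not found."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    exact, similar = audit_reuse(load_export(SAMPLE_EXPORT))
    # Print account names only; never echo the passwords themselves.
    for names in exact.values():
        print("exact reuse across:", ", ".join(names))
    for names in similar.values():
        print("partial reuse across:", ", ".join(names))
    prefix, suffix = hibp_range_query_parts("password")
    print("would query range prefix", prefix, "and compare suffix locally")
    print("constructed range says seen", check_against_range(suffix, SAMPLE_RANGE_RESPONSE), "times")
```

For a real check, replace SAMPLE_RANGE_RESPONSE with the body of a GET to the range URL for that prefix; the normalize() heuristic is deliberately crude, so treat anything it groups together as a prompt to look, not as proof of reuse.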


3. Online Finance Audit (Extra)

I pay and use my money on the internet, so being extra sure about it is necessary. Take a look at your recent transactions and statements and check for anything you don't recognize.

4. Set myself up for success for the next time

This is not easy: the password requirements are as numerous as the sites, and your password generator's output may not match them, tacking on more cognitive burden. But I will continue to make an effort to have unique passwords and safer internet hygiene. This probably means using 2FA on more sites and paying even more attention to the emails I get and the links I open. I am writing this article to make sure I have a place to come back to when I have to think about it.

Kudos to Duolingo, for proactively scanning for associated password disclosure because of re-use and suggesting reset.
