Lost in Data #2: Data Breaches
A talk about a data breach, how to protect privacy, and interesting reads for the week.
I received a call today that inspired me for this edition. The woman started this way: “Hi, mister Hassen?... I’m miss X, and I would like to discuss an investment opportunity we are offering you. Do you know bitcoin?...”
I receive these investment-of-a-lifetime calls and emails at least twice a week. I even got an ad from a crypto platform by snail mail. Yet I never opted into any of this spam. It all started in mid-2020…
The day Ledger had a data breach.
My whole identity leaked online: my name, phone number, email, and even my postal address were out there for anyone willing to pay for them, and there was nothing I could do about it.
Ledger, a company that sells hardware crypto wallets, was targeted by a cyberattack that led to a data breach in July 2020. What leaked was the contents of its e-commerce database as of June 2020. [1]
Having my real name and address available online for anyone who wants to know where I live is worrying enough. Coupled with the knowledge that I bought a crypto hardware wallet that is now somewhere in my house, it gets dramatically less fun: the leak tells a thief not only where to go, but what to look for.
That’s how I learned a great lesson, and here, my friends, I share it with you so you don't end up with the hassle I had:
The best way to avoid troubles with leaked personal information is not to give them.
I learned that just because someone asks me for my details doesn't mean I should simply give them.
Of course, I’m not talking here about government services, online banking, or insurance (to cite only a few): those are situations where giving real information is required by law or benefits you personally. But for everything else, services exist that give you virtual identifiers (throwaway email addresses, phone numbers, card numbers) that stand in for your personal information.
Sure, things are much easier if you provide your real information. But believe someone who has been doing this for a few years now: you spend 10 seconds a few times a day and avoid triaging hundreds of spam messages and unsolicited contacts. Plus the peace of mind of not getting your identity stolen.
Now comes the fun part: How can I do that?
① Email:
This is the easiest. I learned to use temporary emails for quick white-paper downloads. Something like TempMail is always in my bookmarks; I even have it as an Alfred plugin to generate a temporary email quickly.
For more lasting addresses (subscriptions, for example), I use the macOS and iOS “Hide My Email” feature, which gives me as many iCloud email aliases as I need. Mail sent to an alias is forwarded to my real inbox, and an alias that starts receiving spam can simply be deactivated, which also tells me which service leaked it.
The general rule is to keep important email addresses (government, banking) separate from less important ones (subscriptions, webinars, social networks, advertisements, etc.).
② Phone:
I prefer to use TOTP (time-based one-time password) as my 2FA (two-factor authentication) method whenever possible. I’m personally using Authy, but Google Authenticator is a solid tool too. TOTP is preferable because the codes are computed on my device from a secret shared once at enrollment; they are never sent to my phone number. So if my identity gets stolen, or my number gets ported to a thief’s SIM, the thief still can’t receive my codes.
If a service doesn’t support TOTP and only offers a text-message validation code, there are plenty of online services that provide temporary phone numbers for receiving text messages. For example, I use Receive SMSs, but there are many other options such as My Temp SMS and Anonymous SMS. Keep in mind that the inboxes of these numbers are public: anyone can read the messages (and use any code they contain), and the numbers get recycled, so use them only for throwaway sign-ups, never for an account you care about or as its recovery number.
Finally, you can use a burner phone: a cheap, prepaid mobile phone that you get rid of when you no longer need it. My phone operator provides a free second SIM card with a few options, including receiving text messages. Maybe your operator does too?
③ Payment Cards:
Many banks now offer virtual card numbers, which are handy for online payments. When I no longer need a virtual card, or want to discard it for any reason, all I have to do is tap “cancel” in my banking app and the card instantly stops existing. This is far easier and faster than calling the bank, and a merchant breach then exposes only a number I can kill in a second, not my physical card.
Many services let you hide your personal information, and some don’t even require KYC (know-your-customer identity checks). Banks in particular have understood that it is in their interest to let clients protect their purchases (with virtual cards and TOTP). More and more banks also no longer send personal information by email; they just notify you that something important requires your attention and must be read on their platform or app.
④ IP address:
This gets a bit technical. Every device that goes online does so with a public IP address assigned by your Internet provider; that address can be mapped back to the provider and your approximate location, and every site you visit logs it. To hide it, many VPN services exist at very friendly prices: I recommend Proton VPN, which has a free plan. Keep in mind that a VPN moves the trust rather than removing it: sites see the VPN’s address instead of yours, but the VPN provider now sees what your Internet provider used to see.
⑤ How can I get organized with all of that?
There is no secret to this: you need an identity and password manager.
I personally use 1Password, which I share with my family (this way I can help them become more vigilant online). I also tested Bitwarden, which is legit, open-source, and free (family sharing is a premium feature unless you host your own server with the open-source code).
So when I create an account, it suggests a random password and records which email address I used. But the most interesting feature is Watchtower, which gives an overview of weak or reused passwords and of websites that have suffered breaches where my data may have leaked.
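How can a password manager tell you a password appeared in a leak without shipping the password to anyone? Here is an added example (my own illustration, not code from the newsletter, 1Password, or Bitwarden) of the k-anonymity scheme that Have I Been Pwned’s Pwned Passwords “range” API uses: only the first five hex characters of the SHA-1 hash leave your machine, and you match the rest locally. Whether Watchtower works exactly this way is an assumption the newsletter does not state; the sample response below is constructed, with made-up counts, so the block runs offline.

```python
# Added example: a breach check that never reveals the password (k-anonymity).
# Assumption: the password manager queries a range API like HIBP's; the
# newsletter does not describe Watchtower's internals.
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

HIBP_RANGE = "https://api.pwnedpasswords.com/range/"   # real endpoint, used only by fetch_range


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password; the 5-char prefix is all that is sent anywhere,
    the 35-char suffix is compared locally against the returned list."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """A range response is one 'SUFFIX:COUNT' per line; padding entries
    (count 0) may be present and are kept harmlessly."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network).  Add-Padding makes every response a
    similar size so an on-path observer can't infer the answer from length."""
    req = Request(HIBP_RANGE + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "added-example-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times `password` appears in the corpus (0 = not found).
    `fetch` is injectable so the check can run offline against a sample."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# Real responses have hundreds of lines; every count here is made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
01330C689E5D64F660D6947A93AD634EF8F:2
"""


def offline_check(password: str) -> int:
    """Same logic as check_password, wired to the constructed sample above."""
    return check_password(password, fetch=lambda prefix: SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {offline_check(pw)} times in the (constructed) corpus")
```

The design point is the prefix: 16^5 = 1,048,576 buckets, each holding hundreds of hashes, so the server learns only that your password is one of several hundred candidates, while you learn the exact count. This is also why a manager can run the check on every saved login without turning its vault into a list of plaintext passwords on someone else’s server.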
Getting more secure online is more about good habits than technical skills.
Protecting personal information should be the default behavior
It might sound paranoid, but things can go terribly wrong when your identity gets stolen. It becomes a nightmare because it is up to YOU to prove that you are YOU, and not the thief, who meanwhile can do whatever he wants with your identity.
The goal of all of this is to make protecting your personal information a habit. Always keep in mind that no one cares about protecting your personal information as much as you do.
Until then, take care.
-- Hassen
Image source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
[1] https://www.ledger.com/message-ledgers-ceo-data-leak
Thanks to Sam Cho, Chris Wong, Christopher Coffman, Alvin T. and Louie Bacaj for their feedback on drafts of this essay.
Good Reads
Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof [2022] 👉 https://cybernews.com/news/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2/
533 million Facebook users’ phone numbers leaked on hacker forum 👉 https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/
Yahoo 2013 data breach hit 'all three billion accounts' 👉 https://www.bbc.com/news/business-41493494
Twitter data breach affects 5.4M users [2022] 👉 https://www.malwarebytes.com/blog/news/2022/08/twitter-confirmed-july-2022-data-breach-affecting-5.4m-users
Open Data
Online data breaches
List of data breaches [Wikipedia]
🙏 That’s all for this newsletter folks. If you want to comment, please feel free to hit the reply button and give me your thoughts. I’ll reply as soon as I can.