I was hacked and could have prevented it
I noticed something was up when I got my flight confirmation.
Southwest Airlines had helpfully sent a standard email with details about my upcoming trip to Los Angeles. The only problem was I hadn’t booked a trip to Los Angeles. I made a quick call to my wife to see if she had booked a surprise trip for our upcoming anniversary. The truth turned out to be something decidedly less pleasant: I had been hacked.
Someone got into my Southwest Rapid Rewards account and booked a flight for themselves using a large portion of my airline points. Fortunately, Southwest was able to cancel the flight before my “friend” took off for sunny California. They kindly refunded all my points and the fees that had been charged to my connected credit card. But the process of fighting an attempted theft was still disagreeable and time-consuming.
There was one big lesson I took away from the experience: I could have easily prevented this.
An unnecessary hassle
One week before this happened, I received an email from Credit Karma, which monitors my credit. They said that my email address and a particular password were in a big list compiled by hackers and made publicly available. How it originally got there is a mystery, but the culprit could have been any number of companies whose data has been stolen, including LinkedIn, which was breached in 2012.
Although I had changed my LinkedIn password years ago, I was still using that original, stolen password for dozens of other accounts. Not only did I reuse passwords, but, perhaps just like you, my passwords were not always very distinct. I know I’m not alone in this… no judgment! If you’re curious if your info is out there for anyone to find, you can enter your email address at https://haveibeenpwned.com/ to find out what known leaks have distributed your data.
When I got the notice from Credit Karma, I tried to think through which accounts still had that same login. Unfortunately, my system of tracking passwords was not thorough enough. I briefly looked through my list, but I didn’t notice any critical accounts were using that old password.
Evidently, I forgot Southwest. It was the one account that still used the password in question, and sure enough, someone took advantage of that. It wasn’t hard for them to figure out that the email/password combination that worked on LinkedIn also worked at Rapid Rewards—a common account that many people have and that, it turns out, is very easy to extract value from in the form of flight points.
The solution I wish I had
Dealing with the fallout from the hack made me get serious about the solution I should have already had in place: I needed a secure password manager. This software is specifically designed to keep your passwords organized and secure. A good password manager provides a number of benefits:
- A central place to store/track passwords
- A secure way to share logins with spouses, close friends or other family members
- An auto-generator to create unique passwords for each site
- A mobile app for easy access to your list
- A browser plug-in for convenient password auto-filling
Since then, I have implemented one such solution. Having my Southwest points stolen was the tipping point that finally made me get this important security step done. Let my mistake be the motivation for you to get serious about this too. If you’re looking for your own, here is a good summary of the various options out there.
Are password managers safe?
A major concern with organizing all your passwords in one place, of course, is safety. What happens if someone hacks the password manager?
This is a reasonable concern: theoretically, all of them can be compromised. You want to choose one that’s much harder to hack than your current DIY password management system. (If that’s post-it notes and your memory, most password managers will be a step up.)
It’s important that you understand the security (or at least the plain-English explanations) of the software you choose. Each takes a slightly different approach to storing data in an encrypted way. For example, many password managers use two-factor authentication, which requires both the correct password and a code sent to one of your devices for access.
In today’s digital age, the reality is you can’t make it impossible to be hacked, but you can make it harder. Don’t make the same mistake I did: don’t wait until after you’re hacked to start using a strong password manager.