Today, I started using Firefox Monitor. And I’m very glad I did. Within five seconds of logging in, I found out that my personal information–including my email and passwords–have been part of 20 data breaches. Oh, and the service is completely free. Let me tell you about it.
Why Cybersecurity Monitoring Matters
These days, data breaches are like natural disasters. In the steady drumbeat of ominous news, it’s easy to lose track of each personal information leak, hacked password database, and cybersecurity compromise. It’s even more difficult to fully grasp the scope and impact of each information security event. How many accounts were really affected? Who did the hacking? Was my information stolen? Is this the same hack we heard about last week or is it something new?
You’d be forgiven if you found yourself paralyzed or maybe even a little resigned and apathetic in the face of constant cybersecurity threats and notices. But you shouldn’t let your guard down.
If you’ve been online in the past five years, it’s almost inevitable that your personal information or your username and password have been compromised more than once. It may feel like being one account among 2 million hacked accounts for some site you don’t use anymore isn’t it a big deal. But hackers can systematically piece together information from various breaches to triangulate on bigger fish, like your online bank account or your email or cloud storage account.
Each time a breach happens, you should take action. Firefox Monitor helps you decide which action to take and where.
What is Firefox Monitor and How Does It Work?
When hackers get massive databases of user emails and passwords, they usually end up on the black market and shady parts of the web. Have I Been Pwned? (HIBP), a free site created by Microsoft Regional Director Troy Hunt, aggregates these databases and puts them in an anonymous, searchable form.
Firefox Monitor uses your email address linked to your Firefox Sync account and compares it to the HIBP database to provide you a succinct report of all the times your data has been compromised. Not only that, Firefox Monitor will notify you via email if your account credentials are exposed in a future attack.
With Firefox Monitor, you can see when your email and password were exposed and from which site or service the data was leaked or stolen from.
For each breach, you can read more details about the breach, just in case you understandably did not retain the information when the news first broke.
Sound good? You can get started by going to monitor.firefox.com. There, you can sign in with your Firefox Sync account to monitor your email address. Or, you can just enter your email address without signing up.
If you ever want to opt-out of the service, go to monitor.firefox.com and click Manage Email Addresses. Scroll down and click Remove Firefox Monitor.
Note: You should know that neither Firefox Monitor nor Have I Been Pwned? Store your passwords in any usable form. Firefox Monitor anonymizes the data, they only know that your password has been exposed they don’t actually have the password. Similarly, Have I Been Pwned? never pairs passwords and email addresses–they are uploaded in a completely separate database and can never be linked together. For more information, read this and this.
Okay, I’ve Been Hacked; Now What?
Once you get your Firefox Monitor report, go through and take a look at the sites and what has been exposed. If it says your password has been compromised, the first step is to go onto that site and either delete your account or reset your password. Then, if you’ve used that password on any other site, go and change it everywhere else, too. Once your password has been exposed in a data breach, it’s dead to you–don’t use it anywhere else.
If only your email or phone number or other identifying information has been leaked, unfortunately, there’s not much you can do. It’s out there and it’s not like you can change your email or phone number. What you should do is be wary of any new accounts created with your information. Two important things about that:
- If you get a notification that you created an account (and you didn’t), take the appropriate steps to notify the website. This could mean ignoring the email or forwarding the email to their abuse department.
- BEWARE OF PHISHING ATTEMPTS. New account registration emails often have activation links or report abuse links. I would caution against using those. The email may be spoofed and the links could be malicious. If you need to notify someone of an account opened in your name, I would navigate to that website manually and look for the Contact Us page.
Once you’re done cleaning up that mess, consider enabling two-factor authentication wherever you can.