It was right there in the email:
"Thank you for your pizza order. Your order will be ready for delivery on......."
Wait, what pizza order? My wife must have ordered pizza for herself and her coworkers. How much did she spend THIS time?.....Pizza, breadsticks, liter of Coke. Under $30. Deliver at 12:30 pm to Tupelo, Mississippi. Wait a minute! Mississippi??? We live in Arizona!
And that is how a security professional found out that he was hacked a few months ago. Even I am not exempt from the nefarious behaviors of the underworld. I had done all of the right things. I changed my passwords regularly, watched what websites I browsed to and I kept my antivirus current. There must be a mistake....
And there was. Mine. I discovered that I had accounts on websites that were created a long time ago(2009) that were still active and had been breached(shown below):
All of these accounts used the same username and password. When one of these websites was hacked, they gained my username, email address and password. Armed with that information, the hackers used my credentials to access the most popular websites and waited until they got a, "Welcome, Silly User!" And voila, fresh, hot pizza for everyone under my account. Even my username was changed.
Two things were my saving grace: I had purchase notifications turned on so that if something was ordered I would know, and I didn't have my credit card information saved. The hackers were limited, but it would look bad on my record the next time I wanted it, "Fresh, hot and fast!" I quickly called the pizza place and told them that they had been duped and to not deliver the pizza. They were very thankful and so was I. Subsequently, I closed the exploited accounts and changed all my passwords. If you haven't figured it out by now, there is no free pizza!
- Search for old accounts and accounts with the same password. Delete unused accounts and change the passwords on the rest.
- Passwords should never be used for more than one account. There are personal password managers that can store all your passwords and you'll only have to remember one.
- As soon as you are notified of a breach of security on a website where you have an active account, change that password immediately.
- Always use notifications and alerts.
- Use two-factor authentication to force a push to a mobile device before a user can login. We recommend Duo Mobile.
- Credit card information should not be stored on a website. While it may be extra work to re-enter your card information each time, that is easier than trying to recoup stolen funds.
We are here to support our clients and recommend products or services that will prevent breaches and minimize any resulting damage. If you have any questions, please don't hesitate to contact us.