Hacked? How to bounce back and stay safe.

All week, I'd looked forward to sleeping in on Friday. But Friday morning arrived, 8:00 came and went, and the phone wouldn't stop ringing. Curses! I took a few gulps of coffee and answered one of the many calls. It was a good friend, and she was absolutely panicked. "I'm so glad you're okay! I didn't think you were really in Wales, but I thought I would check. You sounded so desperate in your email!"

Uh-oh.

About 20 people contacted me through various means. Nobody was making any sense, but they all had the same story: I was in Wales, I was in danger, and I needed money immediately. I had either sent them an email or instant message on Facebook. Most friends were wary, but some still took the bait in Facebook chat. One friend even challenged “me” to share some personal info to confirm my identity, at which point “I” became nasty and unfollowed them on Facebook! Likewise, many responded with sincere concern to the email. Tech-savvy friends knew instantly what had happened: My accounts had been hacked.

At this point, I stopped taking calls. I checked my personal email. I was locked out; my password had been changed. Same for Facebook. But my business email was fine, and in came an alert that someone had attempted (but failed) to gain administrative access to my web site. OK… this is serious.

I immediately snapped into crisis mode and secured the important things: My bank accounts and my business web site. I then moved on to less crucial data, and I’m happy to report that everything (except for my dear beleaguered Facebook fan page) is safe and sound. I followed the steps outlined below.

What to do if it happens to you

• Triage! Take no chances. Immediately call your bank and find out if there have been any fraudulent transactions; if so, follow their guidance. Change your online banking passwords if necessary. Do the same thing with your credit cards, investment accounts, and any other sensitive information. Check the most critical accounts first.
• If you have a website, call your hosting company, tell them the situation, and find out if there has been any unusual activity. Change your FTP password and other passwords as necessary.
• Notify your friends with a phone call. Tell them you're okay. Ask them to spread the word for you. Tell them not to respond to any questionable e-mails, IMs, or Tweets. Advise them to secure their own personal information.
• Report fraudulent activity in appropriate fashion for every service that has been affected. They will guide you through the account recovery process.
• Determine the scope of the damage. Log into as many online accounts as you can and see if you've been locked out (your password has been changed), or, if you're able to login, make sure your information looks okay. It's probably a good idea to change your password as well.
• Take written notes of everything you've checked and everything you've changed.
• Determine the IP address of the hackers and the time of day of their activity. If your e-mail has been hacked and spam messages were sent, you might be able to find the message they sent in your "sent mail" folder. Smart hackers will delete such things, leaving no trace. In my case, they did leave evidence behind. Or, call a friend who got a spam message and ask them to save the message header and originating IP address. Some services, when investigating fraud, might ask you for this information.
• If your e-mail has been hacked and spam messages sent: Once you regain control of your account, consider sending a message to everyone on your contact list reassuring them that you are safe and that any messages they received were fraudulent and should not be replied to. I did this, and several people took time to thank me personally.
• Check your own computer. Run several virus scans, as a virus can sometimes be a cause for vulnerability.
• Facebook calls what happened to me a "419" or "London" scam.  Their URL for reporting the incident can be found here:  http://www.facebook.com/help/contact.php?show_form=419_scam
  
• This may sound simple, but just accept that you're going to be without some of your favorite services for at least a few hours, if not a few days or weeks. Facebook is rumored to take a couple months to sort out the problem. Sending several e-mails will not help. (Ask me how I know...) Facebook, in particular, asks you not to create a new account.
• Breathe, and keep your sense of humor. It’ll be okay. Really, it will.

What to do if it happens to a friend

• Immediately call your friend on the phone. Find out if they are safe and if they know their accounts have been hacked.
• If you receive instant messages from your friend's account but you suspect it is a hacker, play along a little bit. Ask them to give you a phone number where they can be reached. This may help you determine how valid the instant messages really are. A friend in trouble will probably give you a phone number, but a hacker won't.
• Do not say anything to challenge or irritate the hacker. Many times hackers are automated "bots", but in this case instant messages were being sent via my personal account on Facebook by "real live" humans. If you respond to them in negative fashion, they could react in anger and cause further harm to your friend's accounts.
• If you receive suspicious messages from your friend's e-mail account, save the messages but do not respond to them. Again, call your friend on the phone and ask them if they sent the e-mail in question.
• DO NOT give out any personal information: no credit cards, no phone numbers, no physical addresses, no e-mail addresses, no passwords... nothing. Do not engage.
• Tell other friends what has happened via phone. Let them know your mutual friend is okay, and ask them to respond to the situation in the same fashion. Keep it low key.

How to protect yourself

• Use different passwords for different services. For example, your email and Facebook passwords should never be the same.
• Change your passwords frequently.
• Always keep a backup email address to use in case of emergency.
• Do not keep an e-mail folder full of passwords or other sensitive information. Get these things out of your mailbox! If you're afraid you will forget passwords, there are many choices: 128-bit encrypted password managers like Roboform, storing your passwords in a text file on a thumb drive, storing your passwords in a password-protected zipped text file, and so on.
• Keep your e-mail contact list tidy. Nobody wants a spam message sent to their ex-boyfriend, former boss, biggest client, or family members (think of grandma, who uses e-mail now and then but doesn't understand spam and could give vulnerable personal information).
• Limit your use of games and fun quizzes on social networking sites. They are said to be juicy data-mining opportunities.
• Run regular virus scans on your computer. Trojan variants can create open ports, which are great back doors to your personal data. On my list (for PCs) are Malware Bytes, Avast, Prevx, Kaspersky (Zone Alarm), and Spybot, but there are many more. I run all of these on a regular basis, and I was clean this time, as usual. I don't mess around!
• Use a firewall.
• If you have a wireless router in your home, set up encryption. WPA security is stronger than WEP.
• Don’t conduct personal business on public computers (libraries, etc.).
• Consider running NoScript (an addon for Firefox) to block potential sabotage through hidden scripts on a website.

How to protect your online business

• If you own an e-commerce site, it is absolutely critical that you run security scans and PCI (credit card data safety) scans on a regular basis to prevent something like this from becoming disastrous. PCI compliance is an issue that cannot be ignored. My company uses McAfee Security to run weekly PCI and other security scans, and we work hard to eliminate any potential vulnerabilities. We are fully PCI compliant; further, we do not store any credit card information anywhere, including on our domain.
• Be sure your site has a valid SSL certificate.
• Destroy the "generic" administrative logins that shipped with any applications you run on your website. Create new ones immediately and change them routinely.
• If you are a sole proprietor handling your own website, educate yourself! Learn about file permissions, secure hosting options, SSL certificates, PCI compliance. Learn about and use PGP or GnuPG to encrypt data.
• Learn how to block access for IP addresses you do not trust.
• Use HTTPS protocol for at least your checkout pages, if not your whole site.
• Use a contact form instead of displaying your email address on your website. Consider using "captchas" to ensure you receive only valid inquiries.
• Back up your online data routinely. This includes SQL databases, which drive most blogs and probably all e-commerce sites these days.
• Learn the security options available to you within your e-commerce (or other) applications and use them.
• If you don't know how (or are too busy) to do these things, it is well worth paying someone knowledgeable to help you. In fact, it’s a good idea to hire a pro anyway, and is much cheaper than the cost of compromised sensitive data.

To repeat, my company's website is safe and was untouched. The hackers took a halfhearted stab at our site, but our stringent security measures completely blocked their attempts. Only our Facebook fan page was affected; this happened on Facebook, not my company's domain. Unfortunately, we have yet to hear anything back from Facebook. I have contacted Facebook in efforts to interview them for the purposes of this article, so their users can know what to expect in such circumstances, and thus far have received no response.

Follow the above steps. Get educated. Use that old-fashioned thing called a phone. Stay smart, and stay safe!