I think someone just tried to steal my Uber account. How do I know this? I know it because I received a text alerting me that I had requested a code. Which I did not request. Let me start at the beginning though.
Online Accounts Get Hacked
Like many of you, I have a special email account for a variety of things. I use this account to avoid spam to my work account. In the past, like many of you were (and perhaps still are) I was somewhat lackadaisical about some of my passwords for a variety of my online accounts. Not my extra email account, but perhaps some of the other accounts that used my extra email address as my login.
It wasn’t that my passwords were easy to guess, they weren’t. However, I did sometimes use the same password for different websites. I was lazy, and I didn’t want to have to remember a whole bunch of passwords, just like everyone else. I came up with a really solid password and I used that for a bunch of different things. This was years ago mind you, but I knew better and I did it anyway. I corrected that behavior a while back, but every now and again it comes back to haunt me.
You see, at some point, various accounts have gotten hacked and information about those accounts, including passwords, has ended up in hacker databases. And those passwords, while they did not open my email account, were shown with that email address.
Incidentally, a great way to find out if your email address has shown up on lists is to use Have I Been Pwned. This site will email you if your email address shows up and will give you information about whatever was hacked and what information was revealed. Often before the website gets around to letting you know.
Why It Matters When Email Addresses Get Connected to Passwords
You might be thinking, so what, it isn’t as if the hackers could get into your email account. It was a different password. And you are right, they couldn’t. But they could take the email address and try any listed password on every service they could think of. Including, drumroll, Uber.
I haven’t had occasion to use Uber in ages. I did get an alert from a variety of accounts recently, but no alert from Uber. At least not one I noticed. And since I have not used Uber in a while, I did not think of it when I went on a password resetting frenzy.
I have little doubt that someone decided to try my email address with one of the passwords they found online to try to log in to Uber and see if they could get a free ride on my dime. But they couldn’t do it. Even if they had a password that still worked. Why? Two-factor authentication
What is Two Factor Authentication
Two Factor Authentication is an important security feature you can enable with many different types of accounts. How it works is, whenever someone tries to log into an account from a device the service doesn’t recognize, that service sends a text to your phone with a code. In order to get into the account on that new device, you need that code. No code? No account access. Unless there is a way around two-factor, but that is another post.
In this case, the person may have had my password or they may have tried to reset it. It doesn’t really matter. Since I have two-factor authentication, Uber failed to recognize the device the person was using, and sent me a text with a code.
Turn on Two Factor Authentication
You need to be especially careful to protect any account that has access to your money, your private data, or that can be used to get access to any of these things. Many services have two-factor authentication now and it normally is easy to turn it on. Look on the site itself or search for two-factor authentication and the name of the service on Google.
You will want your phone nearby because you will need to be able to receive a code to get started.
Anyway, if you use the same password on a bunch of accounts, stop it. It is easy to forget and have it come back to haunt you, even years later. And if you don’t have two-factor turned on, turn it on. That way, if someone does try to break into an account, your chances of being safe are much greater. And, like me, you will also know that someone tried to break in, in the first place.