I know your password - Now watch what I do
Does it begin with a name and end with a number? Do I have your attention?
This is the story of Sara (not her real name, to protect her identity), a 21-year-old university student who loved staying connected with friends and family through social media.
She had a simple password: the name of her younger sister and her year of birth. But she was not concerned. After all, who would possibly want to target a regular person like her? As a student, she didn't have any money and wasn't a celebrity or well-known in any way.
One morning after waking up she grabbed her phone to check Instagram. She was logged out. Attempts to login were greeted with big bold red letters; "Sorry, your password was incorrect". She thought nothing of it, maybe some food would clear up her hazy head and blurry eyes.
After breakfast she left her small shared flat for her first university lecture, closing the front door quietly to not wake anyone else. The rain was pouring down when she eventually got onto the bus. Looking at her phone during the journey she saw that Twitter and TikTok were also inaccessible. A similar message, "Wrong password".
She restarted her phone, thinking that switching it off and on again might fix something, but it didn't. Gmail was logged out too, as well as the university learning portal. She was confused and frustrated.
What was going on?
She went back to Instagram and clicked the "Forgotten your password?" option but was asked to "Enter your email address" which she couldn't access.
Returning to Gmail she tried the "Forgot password?" button. Sara was taken to the "Account recovery" page. A pop-up asked: "Do you have your phone?" She held back the tears as the emotions raced through every blood vessel as she remembered her dad showing her how to set up a recovery phone number. A thin glimmer of hope.
We'll return to Sara's story later. Let's look at how all her accounts could have gotten hacked.
Hackers are trawling the internet for personal and private data all day long. Family members, dates of birth, names of pets, education and employment history, credit card data and of course passwords. They are building up profiles of anyone and everyone of any age from any country of any gender, faith or skin colour.
Everyone is a target.
Sometimes these harvested passwords are published on the internet for all to see. By whom? It may surprise you. Hackers? Criminals? Yes of course. But also by government agencies.
The National Cyber Security Centre (NCSC) in the UK is a government agency set up to make "the UK a safer place to live and work online". As part of their education remit they have published the top 100,000 most commonly used leaked passwords. Make sure your password isn't on that public page. You can find the list here.
In Sara's case, the password could have been a common one found on a public list. But I also learnt that her password was weak and derivable from the birthdays and names she'd publicly posted on social media. Link this with common password patterns known to hackers.
Common password patterns such as:
starting with a capital letter
name of a family member, pet or nickname
name of tv show/movie or tv show/movie character
name of a video game or video game character
name of a music artist
swear words or body parts
a colour (red is the most common)
countries or cities
fashion, makeup or car brands
name of your favourite sport or sports team
end in 2 or 4 digits usually a birth date or anniversary
only lowercase letters 6-10 characters long
only 6-8 digits long
end with an exclamation mark (!)
If you use any of the patterns or combinations above, you may be leaving yourself open to hackers by reducing the number of combinations they need to try to access your account.
The number of publicly available hacked passwords matching the pattern first letter capital and 8 letters long is over 4.5 million.
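To check a password of your own against these patterns, here is a small audit script. It is an added example, not part of the original article. The five-entry common-password set, the sample passwords and the function name audit_password are all constructed for illustration; a real check would load the full published list.

```python
import re

# Constructed stand-in for a published common-password list; a real check
# would load the full file (for example the NCSC top 100,000) instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "liverpool", "charlie"}

# Structural patterns taken from the list above: (label, compiled regex).
PATTERNS = [
    ("starts with a capital letter", re.compile(r"^[A-Z]")),
    ("ends in 2 or 4 digits", re.compile(r"(?<!\d)(\d{2}|\d{4})$")),
    ("only lowercase letters, 6-10 long", re.compile(r"^[a-z]{6,10}$")),
    ("only digits, 6-8 long", re.compile(r"^\d{6,8}$")),
    ("ends with an exclamation mark", re.compile(r"!$")),
]


def audit_password(password, personal_tokens=()):
    """Return the reasons this password is predictable (empty list = none found)."""
    findings = []
    lowered = password.lower()

    if lowered in COMMON_PASSWORDS:
        findings.append("appears on the common-password list")

    for label, regex in PATTERNS:
        if regex.search(password):
            findings.append(label)

    # Names and years the owner has posted publicly; tokens under 3
    # characters are skipped because they match almost anything.
    for token in personal_tokens:
        token = token.strip().lower()
        if len(token) >= 3 and token in lowered:
            findings.append(f"contains personal detail '{token}'")

    return findings


if __name__ == "__main__":
    # Constructed samples; the first has the shape of Sara's password
    # (a family member's name followed by a year).
    for candidate in ("Emily2009", "charlie", "tv9#kq-Lw2!xR7mz"):
        result = audit_password(candidate, ["Emily", "2009"])
        print(candidate, "->", result or "no pattern matched")
```

An empty result only means none of these particular patterns matched; it is not proof that a password is strong.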
Let's catch up on Sara's progress. She requested a recovery code to be delivered to her phone and waited. Minutes passed but it felt like hours. The noise of the street was muted, replaced by the pulsing beat of anticipation.
Nothing.
A WhatsApp notification pinged. Oh my god. WhatsApp was still working. She let out a gasp and saw 25 unread chats from various people. 10 messages from her mum.
"Are you in trouble darling?"
"I got your email"
"If you need money so urgently you should have just called me"
"I've transferred the outstanding £300 to your landlord's accounts"
At first, the messages didn't make any sense but then it dawned on her. All her accounts had been hacked and someone was now impersonating her.
Her mum, along with other email contacts, had received requests for financial help. Although Sara's mum was the only one who sent money without questioning it.
Sara was now shaking, in tears, quietly sobbing and sniffing, makeup ruined. The man sitting next to her on the bus glanced over and quickly back to his Candy Crush game. He made it clear he wanted no part in whatever was going on.
She was in no state to talk to her mum. A WhatsApp message was sent to her best friend asking her to meet her at the university bus stop.
A phone call from a private number broke the sombre mood. Suspiciously she answered. It was her bank querying a password reset. Through sobbing, she explained her email had been hacked and the bank took the appropriate action: it locked her account and cancelled all her cards. She only had enough pocket change for lunch but it would be almost 2 weeks before her financial access would be restored.
When she arrived at university her friend was waiting. They just held each other and said nothing while Sara continued crying.
We all lead lives that are heavily dependent on passwords. However, most people are oblivious to the risks they put themselves in.
Sara’s story serves as a reminder that anyone, no matter how ordinary, can become a target for hackers. All it takes is one weak password to wreak havoc on your digital life. Next week I'll take you through how internet security has improved and what you can do to give yourself the best protection.
Sara eventually got her Gmail account back after more than a week and access to the university learning portal but not her other social media accounts.
Credits:
Intro music: It’s In The Fog by Darren Curtis | https://www.darrencurtismusic.com
Main theme: Abandoned by Keys of Moon | https://soundcloud.com/keysofmoon
Music promoted by https://www.chosic.com/free-music/all/
Creative Commons CC BY 4.0 - https://creativecommons.org/licenses/by/4.0/
Abid, I read this article last week and I am STILL thinking about it.
So very powerful and wonderful writing and narrative.
Thank you for being such a great online writer.
I look forward to reading more.
That audio, and content, was chilling. Wow!