In this week’s tech-support column, I’m taking on an uncomfortable issue: How to regain control of your accounts from a not-so-kind ex. I’m hoping your former loved one isn’t a complete psychopath — or, at least, isn’t a psychopath that has access to your accounts — but it’s an all-too-familiar story. You live with someone, you share your hopes and your dreams, and they find a way to get into your accounts. (That, or you share login credentials, which is a pretty bad idea, too.)
Before I begin, one quick aside: Even though Lifehacker readers sent me plenty of questions to tackle in future posts — thank you for that! — I saw this post a few days ago in my favourite-ever subreddit, /r/legaladvice, and I couldn’t get it out of my head. In it, the author writes:
“[My ex-husband] has continuously hacked into my phone, emails, work profiles, and social media. I found out there were over 50 hidden apps on a previous mobile phone I couldn’t see or take off. I got another and now I have learned there are 3 on this one I can’t see or take off. He has never had access to my phones. He took old email accounts I have deleted and turned them into a corporate account and linked them to his business account. When I try to access my new email I’ve only had for a month everything is in Croatian. I was getting garbled Facebook messages, after a little investigation I found that he had somehow made it to where every time I pulled into my driveway he would get a notification. He was somehow receiving all of my Facebook messages before I did....”
Though a little tricky to parse, the gist of the original poster’s story is that her ex-husband is causing all sorts of digital chaos in her life.
While this might be an extreme example of account and device manipulation gone wrong, it’s not that extreme. If you ever gave an ex a password to one service and you’re lazy and reuse your passwords on other services, it’s not that hard for things to quickly go south — especially if you don’t have a lot of account security, and double-especially if they’re a horrible, vengeful person.
There are a lot of ways you can fix this scenario, and I’ll try to go in order from “least annoying” to “witness protection program status.”
Change your passwords
Obviously, if someone is using your passwords to log into your services (or devices), change them. And don’t make your new passwords something obvious. Don’t re-use any other passwords you currently use or have previously used. If you’re using a password-management app like LastPass or 1Password to help generate or keep track of your passwords, change your master password on that, too.
Once you’ve changed your passwords on your major social media sites, cloud storage services, email accounts, bank and credit card accounts, work logins, your smarthome device accounts, and your laptop or desktop — to name a few — make sure you also check to see if your services allow you to view any other systems or sessions that have logged into your account.
Changing your password should prevent someone who has previously logged in from regaining access (if, say, you broke up and your ex claimed control of your shared laptop). If you can revoke access for any devices that have previously logged into your account, do that. It never hurts to be safe.
Also, this is a great way to see if someone else has managed to access your account even after you’ve changed your passwords. If so, it’s time to get craftier.
Use a stronger login method for your devices
If you’re still living with someone, or you’re nervous about a person who can physically access your devices for whatever reason, consider switching to a stronger authentication system. If your smartphone or tablet supports fingerprint or face recognition, use that — unless you think someone is going to hold your smartphone up in front of your face while you sleep, or something strange like that.
You can also switch to a hardware-based security key like a YubiKey, which will prevent someone from accessing services that support these devices even if they have your login credentials. No key, no login. Easy as that.
Use account alerts and two-factor authentication
You should be using, at minimum, two-step authentication wherever you can — typically in the form of a service sending your smartphone a text message with a code that you, or someone else, would have to type in when trying to log into your account on an unrecognised device.
However, this still leaves you vulnerable if a crafty person hijacks your mobile phone number using personal information they might know about you. You’re better off using an authentication app, which then requires them to log into your device (which they shouldn’t be able to do, if you’ve locked it down using our aforementioned suggestions).
While you’re at it, you should check to see if your various services offer login alerts whenever an unknown device attempts to access your account. If you start getting a bunch of these at once, someone is clearly trying to mess with your digital life, and it might be worth triple-checking that everything is as secure as it can be. (And if the person trying to access your account is coming from the same IP address, and that correlates with where your ex lives, for example, you’ll probably have a good lead on who might be behind the attempts.)
Turn off location tracking everywhere
If you’ve been using Google’s location services, or you haven’t pored over apps like Google Maps or Apple’s “Find My Friends” in a while, consider going through your major apps and services to see if there’s any way to limit the amount of information about your exact whereabouts. If your ex was crafty, they might have added themselves as a “friend” within your mapping app or other apps, which could allow them to see exactly wherever you are at any point. Not good.
Reset your devices
You can change all the passwords in the world, but it’s going to become a cat-and-mouse game if someone has installed a keylogger or remote-access utility on your laptop, desktop, or other devices. If you’re still noticing that people who aren’t you are logging into your accounts, even after you’ve set up 2FA and new passwords, you might want to consider backing up your critical information and factory-resetting your devices.
This should purge your devices of any annoying tracking or remote management apps (or configurations) someone else might have installed. And while you could always try to hunt down these apps manually, restoring your devices to their as-shipped condition — annoying as it is to reinstall your stuff — will give you a lot more peace of mind.
If you really want to make it impossible for someone else to track your digital life, start a new one. Get a completely new smartphone number. Create a new primary email address that you don’t share with anyone until your digital life dies down. Delete your old email address (after you back up and reimport your email). Reassociate all your services with your new email address — which includes everything from the accounts you use with your car (if you have any fancy services, like OnStar), to your Amazon account, to your social media accounts. Don’t use your old email address for anything.
For your major services, consider seeing if you can add any extra security — perhaps a secondary PIN number or some other way to authenticate with your wireless carrier, for example. If not, at least change your security questions and prompts to something different and impossible for another person to guess, even a person who knows a lot about your life. Buy a new wireless router, in case your ex has installed some kind of third-party firmware and is tracking everything you do. Change your locks. Buy a giant dog. Get a restraining order.