You Can’t Trust Companies To Tell The Truth About Data Breaches

Last week, U.S. online sneaker-trading platform StockX asked its users to reset their passwords due to “recently completed system updates on the StockX platform.” In actuality, the company suffered a large data breach back in May, and only finally came clean about it when pressed by reporters who had access to some of the leaked data.

In other words, StockX lied. And while it disclosed details on the breach in the end, there’s still no explanation for why it took StockX so long to figure out what happened, nor why the company felt the need to muddy the situation with its suspicious password-reset email last week.

While most companies are fairly responsible about security disclosures, there’s no question that plenty would prefer if information about massive security breaches affecting them never hit the public eye. And even when companies have to disclose the details of a breach, they can get cagey — as we saw with Capital One’s recent data problems.

It’s not your job to play detective or journalist for all the companies whose services you love and use, but there are a few things you should keep in the back of your mind so you can stay safer in the face of data breaches — especially if a company isn’t forthcoming about them.

Get sceptical about random password-reset requests

This one’s a no-brainer, but it’s still worth mentioning. If a website or service asks you to reset your password out of the blue, something is wrong. Ideally, it has detected that your email or username is part of another data breach, and it is helping you secure your account in advance if you happened to use the same password for both services. You should still get suspicious, however, and maybe check the news (or Twitter) to see if anyone is reporting a data breach about the company itself.

Make sure you’re using “Have I Been Pwned”

In the off chance that a company isn’t being forthcoming about a data breach, it never hurts to have someone else watching your back. Sign up for notifications from Have I Been Pwned, which will let you know if, or when, your email address is involved in a hack.

If you’re a 1Password user, you can also take advantage of the password manager’s built-in tool that checks to see if your credentials were involved in any breaches. It’s called Watchtower, and it’s a great way to stay on top of every weekly (daily?) breach that hits.

Perform your own threat analysis

At Lifehacker, I get to read about a lot of breaches. Some we cover, some we don’t. Typically, if a hack only affects information that isn’t all that interesting, like your email address and your shoe size, it’s not really worth talking about compared to breaches that involve more critical data like account numbers, your plaintext password, or your social security number.

Whenever a company tells you about a breach that affects your information, don’t just take their word for it. Pretend that every bit of data you sent to that company’s service has also been compromised and act accordingly — whether that means paying closer attention to spending on your associated credit cards (or setting up some kind of notification or alert) or changing passwords on other sites. You never know when a seemingly innocent hack could spiral into something worse.

I realise this might sound a bit like “the sky is falling,” but being more proactive about your data security isn’t a bad thing. You can always take a measured response. For example, you probably don’t need to order replacement credit cards every time a website is compromised that you’ve previously purchased an item from, but you might want to make a reminder to check your credit card statement a little more closely from now on.

Don’t be afraid to walk away

When a company isn’t truthful with you about issues that can have a big impact on your personal privacy and data security, you don’t have to keep using their services.

Go find another company that’s willing to go the extra mile to keep your data safe — or, at the bare minimum, give you honest information about any incidents that hit. After all, honesty is the best policy.
