Taking Back Your Compromised Account or Device


Published March 4, 2013

By Jeff Murphy, jcmurphy@buffalo.edu, Interim Information Security Officer

Uh oh! Your computer is acting funny. Is all of your email suddenly gone? You suspect something is wrong. What to do next?

Having your computer or UBIT account broken into can be a stressful time. You don't know what's been deleted or what they've used the account for. The most important thing to do is not panic.

There are several steps to take if your computer seems to have been “compromised,” which is the technical term for being hacked or infected, or if you suspect that your personal information has been stolen. But first, a warning for people accessing High Risk Data.

High Risk Data

If you have access to high risk data (for example other people’s Social Security numbers, identity documents such as driver's licenses, or financial account numbers, such as credit cards), you should contact your local IT support or the Information Security Office before taking any action.

Computer Compromised

If your computer or phone is acting funny (odd pop-up messages, running very slowly, rebooting unexpectedly), then you should immediately stop using it. It is often the case that the computer virus is monitoring any passwords you enter. This includes your UBIT password, as well as your banking passwords, shopping passwords, and so on.

In addition to not using the device, you must change all of your passwords for any account that you've accessed from that computer. Don't assume that those accounts are safe!

Once you’ve done that, if this is a personal device, you should either re-install your computer's operating system (or "restore" your phone), or ask someone to help you if you don't feel comfortable doing this. If you are a faculty/staff member using a university-owned device, you should ask your IT support for assistance. Despite what the ubiquitous television commercials suggest, don’t try to "clean" the computer, as this is generally not effective. Many infections today are sophisticated enough to resist the cleaning procedure. In fact, the cleaning tools will often not even detect the infection!

Once your computer is re-installed (and fully patched) and your passwords are changed, you’re ready to think about how the compromise happened in the first place. Can you remember clicking on a link that your friend sent you? Did you open an attachment in an email? These things are common Internet pitfalls, and are easily avoided by being more cautious while you’re online.

Account Compromised

It may be that your computer is fine, but when you checked your email today, you found it was all deleted.

This is a common indication that your password was compromised, often because it was guessable or you were phished (see our last article on "phishing").

If your account gets compromised, you should immediately change the password and security questions. If you’re dealing with a non-UB email account, be sure to contact your service provider. Next, if you use that password on other accounts (you shouldn't!), go change those passwords as well. A thief can often guess, from the contents of your email, where you have other accounts. Your banks, Facebook page, etc., are all at risk. Even if you don’t use the same password on those accounts, the hacker may have clicked the "forgot my password" link in order for your bank to send a reset message to your compromised email. That would be bad!

Changing Behavior

The final piece of the recovery process is to understand the behavior that got your account into trouble in the first place. Common things people do that result in account compromise are: A) using untrustworthy public computers (e.g. at conferences), B) clicking on entertaining links your friends send you, C) opening attachments such as videos, zip files, and Word documents, and D) being "phished" (scammed) by a mail message that looks official, but isn't.

We also recommend using Identity Finder to securely remove or encrypt Personally Identifiable Information (PII). UB students, faculty and staff can download and install Identity Finder on personally-owned computers; IT staff can install a managed version to regularly scan a UB-owned computer.

Recognizing these high-risk behaviors and working to change them is the best preventive medicine you can take to keep your account and computer safe.

For more information, please contact the UB Information Security Office at sec-office@buffalo.edu.