Has someone hacked one of my accounts?

I just got an e-mail welcoming me to Instagram, but I haven’t tried to join Instagram. Naturally, I clicked on the link in the message that said, “if you didn’t sign up,” and Instagram said they removed my e-mail address from that account. (I checked carefully, and the message really was from Instagram, and the link took me to the real Instagram Web site.) The user name that attempted to register at Instagram with my e-mail address is “melhock101”. No hits on Google for that name.

The e-mail was addressed to the account I normally use with organizations to which I don’t want to give much real info about myself. I have associated a variety of fake names with the address.

The troubling aspect to this is that the e-mail’s TO field had the name of my three-year-old granddaughter. Obviously, she doesn’t have any online accounts in her name. It’s not clear to me how anyone who got this address could have associated it with her name.

The most likely connection is Shutterfly, where I use that e-mail, and where her name appears in photo captions. Could someone have hacked Shutterfly, or another I’m not remembering that could connect us?

What should I do about it?

FYI, I already use LastPass, so my passwords are all strong and aren’t shared between sites.

Thanks for your suggestions.

Oops. You may still have a problem.

Maybe that’s not what happened. But without the details of your interaction with that website, I can’t guarantee anything. For instance:

There used to be techniques to fake out the link displayed in the address bar to show what the hacker wants it to show, not what URL it’s really connected to. I wouldn’t bank on being sure you interacted with the no-kidding Instagram website. Is that even the way Instagram works? You can’t delete an account by just telling them to remove your email address, like an email list unsubscribe, right? That doesn’t sound at all like a service that wants you to register and give them lots of personal information.

Rule 0: never click a suspicious link in an email. It’s too easy to manipulate. Manually go to the website yourself (type it in, don’t click, don’t copy/paste) and find the equivalent page. Or ignore the email and delete it.

ETA: At some point in the recent past, LastPass pushed an update that fixed that security hole, so you may not have had that problem. (I can’t tell when the fixed version was distributed, and I don’t know when you did what you described, so I can’t guess whether that was a problem or not.)
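One defensive check behind "Rule 0" above can be automated: before trusting any link in a welcome or "if you didn't sign up" message, compare where each link says it goes with where it really goes, and whether its host belongs to the company that supposedly sent it. The following is an added example, not code from this thread or from Instagram or LastPass; it uses only the Python standard library, and the sample message, its `*.example` hostnames and the function names (`find_mismatched_links`, `LinkCollector`) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL or bare domain, '' if it has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text itself reads as a URL or domain name."""
    t = text.strip().lower()
    return bool(re.match(r"^(https?://|www\.)", t)
                or re.match(r"^[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", t))


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def find_mismatched_links(html, expected_domain=None):
    """Return the links that deserve suspicion, with the reason for each.

    A link is flagged when its visible text is a URL whose host differs from the
    real href host, or (if expected_domain is given) when the real host is not
    that domain or one of its subdomains.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        shown_host = host_of(text) if looks_like_url(text) else None
        reason = None
        if shown_host and shown_host != real_host:
            reason = "displayed host differs from real host"
        elif expected_domain and not same_site(real_host, expected_domain):
            reason = "host is not " + expected_domain
        if reason:
            findings.append({"text": text, "href": href,
                             "real_host": real_host, "reason": reason})
    return findings


# Constructed sample of a "welcome" message; the *.example hosts are placeholders.
SAMPLE_EMAIL = """
<p>Welcome to Instagram!</p>
<p>If you didn't sign up, <a href="https://login-instagram.example/remove">click here</a>.</p>
<p>Or visit <a href="https://instagram.example/help">https://instagram.com/help</a></p>
<p>Settings: <a href="https://instagram.com/settings">https://instagram.com/settings</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL, expected_domain="instagram.com"):
        print(f"SUSPICIOUS: '{f['text']}' -> {f['href']} ({f['reason']})")
```

Run against the constructed message it flags the first two links (one hidden behind "click here" on a look-alike host, one whose displayed URL does not match its real target) and leaves the genuine `instagram.com` link alone. The check is a triage aid only; the safer habit in the post above, typing the site's address yourself, still applies.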

LastPass has been hacked again.

No legitimate company should be sending you a welcome message if you have never interacted with them, or attempted to sign up with them, unless someone has access to one of your email accounts and attempted to register with them. This sounds likely to be your case.

Shutterfly was hacked in 2014.

What should you do? That’s up to you. For me, I never use an online password vault. Call me a Luddite, but I don’t trust the cloud for storage (in general), nor any account details (in particular). Yeah, I know it sounds all paranoid and so last century, but I take my computer security seriously.

My password vault is KeePass. It sits in my home laptop (which never leaves the house), on an encrypted hard drive. (I have a USB backup.) I still use TrueCrypt because the last secure version works. FWIW, all of my passwords are at least 12 characters long, with critical ones (bank accounts, etc.) being 16 or 24 characters long. Every account I have has its own unique password, too. I’m even moving to separate and individual email accounts where one email account is only associated with one banking or bill paying account, too. I do not participate in virtual reality so I never use a smartphone or other portable device for virtual banking, etc. It’s all done at home from that same laptop.

Why? I’ve been subject to four known identity theft occurrences (one from my bank, one from Home Despot and two from my employer). None have caused me any damage.

I got one of those to my gmail account and just ignored it. A few days later I got another reminder that I also ignored. Nothing since then.

I think the LastPass hacks are unlikely to be the source of the problem, since LastPass doesn’t know my granddaughter’s name. I only mentioned LastPass to let you know that I try to maintain a reasonable level of security in my online dealings. (But thanks for letting me know about the hack. I’ve installed the latest version of the plug-in.)

So the Shutterfly hack is probably the source. I’ve just changed my password there, although I had probably done that since the 2014 hack anyway, without knowing about the hack.

Is there anything else I should be doing to protect myself?

Duckster, I’m impressed by your thoroughness. I looked at KeePass, but it just seemed a little too complicated. But maybe I should consider adding a few new e-mail accounts and shifting away from the one I used in this case.

Further thoughts: I guess my real concern is, assuming that someone got some information from the Shutterfly hack, and can associate that e-mail address with the names of family members, what else can they do that might cause problems?

What were they trying to accomplish by setting up an Instagram account with that address?

What else should I be on the lookout for?

If it wasn’t really an Instagram account, and the website you were directed to was being run by the hypothetical miscreants, and your LastPass plugin was still vulnerable, they could have ransacked your entire password vault and stored it someplace else for future use.

That’s a lot of ifs. But that’s the risk sequence I saw.

ETA: so the symptoms of this being exploited would be unauthorized access to other online accounts that you have the authentication info for stored in LastPass. That may not happen. Sometimes this kind of info is just collected for lulz, or to sell on the black market to someone else. After which the unauthorized accesses might start. (Might be delayed, in other words.)

I’m speculating from what you said and a lack of familiarity with Instagram, Shutterfly, or LastPass. As a reasonable minimum, I’d think about changing passwords on the most important accounts you have stored in LastPass, for whatever value of “most important” you see that balances inconvenience against risk.

In my work I work with PII (personally identifiable information) all of the time. We take it very seriously (PDF warning), to the point that a first violation (or offense), even inadvertent, is grounds for removal and potential prosecution. I just carry that over to home life because it’s second nature (like riding a bicycle).

Could the granddaughter’s name be a coincidence? Is her name so unusual? (Not asking what it is.)

Not a chance. It’s unique, and it was her full name, just as it appears on an album at Shutterfly.

Dang. That will get your attention.