Fastmail co-founder Rob Mueller explains what data breaches are, what Fastmail does to protect our customers, and what you can do if you find out you’ve been involved in a data breach.
Having worked in technology for over 30 years, I’ve seen the internet grow from a network that joined a set of universities and their staff and students together into a worldwide network that allows the majority of the world’s population to interact and share huge amounts of information with each other.
While this is a positive change, unfortunately, there have been some negative repercussions of this expansion. Nowadays, many companies collect large amounts of personal information from their users, and they don’t always treat this data with the respect and privacy it deserves. A continuous stream of cases where personal information is leaked online has stemmed from this extensive data collection.
Given this situation, it’s important for people to consider how they can best protect themselves to minimize the potential damage of any data breach that might leak their personal data.
A data breach is simply when someone accesses personal information they shouldn’t have access to. This is most often due to some form of a security breach, but can also be by accident, or due to poor access controls on data.
Data breaches come in different shapes and sizes. Sometimes the personal information accessed is relatively minor, but other times it can be significant amounts of personally identifiable information like full names, phone numbers, email addresses, credit card details, social security numbers, etc.
Breaches can sometimes also include passwords, which combined with the username would allow attackers and others to gain access to many user accounts at the compromised service.
An example of a particularly large data breach was on LinkedIn in 2021. The details of over 700 million LinkedIn users were leaked online including their LinkedIn username, profile URLs, email addresses, full names, phone numbers, geolocation records, personal and professional experience, gender, and other social media account details.
Data leaked in a breach can be used for numerous nefarious purposes. Simple ones include using a stolen email account to send spam or a stolen credit card to make fraudulent purchases. However, there are many levels of abuse, all the way up to complex crimes: using stolen details to craft more realistic spear phishing emails for CEO fraud scams (where a spoofed executive requests a money transfer), or state threat actors using stolen identities to create fake employees who steal company secrets.
Breached data can also be correlated between multiple different breaches. For instance, an email address is a common piece of information associated with each account at a service, and most people use the same email address at every service they sign up for. If breaches occur at multiple services, hackers can use the email address between each service to correlate multiple different pieces of personal information at different services.
Unfortunately, data breaches have become extremely common over the last decade. Even extremely large and well-funded services like Yahoo and Facebook have had hundreds of millions or even billions of records of user information breached.
It’s likely that the majority of people have at least one account at one service that has experienced a breach. Unfortunately, once data has been breached and leaked onto the Internet, there’s no realistic way of removing that data completely.
Many services these days will use your email address as your “username” or “account name.” They will often also use your email address as a way to contact you and as a way to reset your password at that service if you’ve forgotten it.
Online, your email address acts as a key that can get you back into many other services, so access to it is a highly sought-after prize for hackers and criminals.
Because of this, both your email address and the password for your email account are extremely important pieces of information that should be kept private.
Because your email account is the “key” to many other services and a store of your electronic memory, Fastmail is extremely careful about how it stores and protects your data.
There’s no single magic bullet to keeping information at a service secure. We carefully think about all our systems and processes and review them regularly to ensure all user data is kept secure both electronically and physically, while at rest and in transit, and from both internal and external systems. In the interests of transparency, we’ve documented a large amount of this on our help pages.
Based on this, we recommend protecting both your email address and your email account password as much as possible:
In general, reusing passwords is always a bad idea, and where possible you should use a password manager that generates a secure and unique password at every service you use. However, if you can’t do that, at least never use the password you use for your email account at another service.
As mentioned above, many services use your email address as a username. So if you reuse your email account password at another service and that service is breached, attackers immediately have both your email address and your email account password, which then lets them reset the passwords of, and gain access to, any other services that use your email account for password recovery.
Again, many services use your email address as a username. One way to reduce the damage of any leaked information is to use a different email address for every service you sign up for.
Fastmail makes this easy with the Masked Email feature. Every time you sign up for a new service, just generate a new Masked Email address. This creates a new, unique, random email address. Any email sent to that address goes to your Fastmail Inbox, but the address cannot be used to log in to your account, and it reveals nothing about what your account’s real email address is.
If a breach should happen at the remote service, the email address provides no useful information to the hacker since they can’t use it to log in or correlate accounts between different breached services.
If you want to find out if your email address has been involved in a breach, the website https://haveibeenpwned.com/ is a great and well-respected resource for checking what breaches an address was in, and what other information associated with that email address was also in the breach and thus can be correlated back to the same email address identity.
If you find your email address listed in a data breach, it’s a good idea to log in to that service and update your password, and if possible, change the email address used. It’s also wise to review if you have used the email and password combination with other services. For other data, like your name, or address, unfortunately, there isn’t much you can do. The data is out there on the internet, and it’s not feasible to ever have it removed.
The best thing you can do to protect yourself against future breaches is to follow the suggestions above on using separate email addresses and passwords for all your online services, and, where you can, go back and update the email addresses and passwords you use on existing services so that they are different as well.
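The advice above (never reuse your email account password, use a different address per service, and after a breach rotate the affected password and review where else that email and password combination is used) can be turned into a simple audit over a password-manager export. The following is an added example, not Fastmail code or part of the original post; the vault entries, service names and the `masked.example` domain are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    service: str
    email: str
    password: str

MAILBOX = "mail"  # the vault entry for the email account itself (assumed naming)

# Constructed sample vault export; every value here is made up for this example.
VAULT = [
    Account("mail",  "alice@example.com", "correct-horse-battery"),
    Account("shop",  "alice@example.com", "correct-horse-battery"),  # reuses the mailbox password
    Account("forum", "alice@example.com", "forum-pass-2019"),
    Account("bank",  "alice@example.com", "forum-pass-2019"),        # reuses the forum password
    Account("news",  "x7k2p9qm@masked.example", "Qv8!zLr2#wNp"),    # masked address, unique password
]

def audit(vault, breached_services):
    """Return (service, severity, note) actions for the breaches in `breached_services`.

    Rules: rotate the breached account; rotate every other account that shares its
    password (CRITICAL when that password is also the mailbox password, since the
    attacker can then reset everything else); and flag an address that other
    services also use, because records from separate breaches can be correlated on it.
    """
    by_password, by_email = defaultdict(set), defaultdict(set)
    for acct in vault:
        by_password[acct.password].add(acct.service)
        by_email[acct.email].add(acct.service)
    mailbox_password = next(a.password for a in vault if a.service == MAILBOX)
    actions = []
    for acct in vault:
        if acct.service not in breached_services:
            continue
        severity = "CRITICAL" if acct.password == mailbox_password else "HIGH"
        actions.append((acct.service, severity, "rotate password at breached service"))
        for other in sorted(by_password[acct.password] - {acct.service}):
            actions.append((other, severity, f"shares the password leaked from {acct.service}; rotate"))
        correlated = sorted(by_email[acct.email] - {acct.service})
        if correlated:
            actions.append((acct.service, "MEDIUM",
                            f"address also used at {', '.join(correlated)}; switch to a unique/masked address"))
    return actions

if __name__ == "__main__":
    for service, severity, note in audit(VAULT, {"shop"}):
        print(f"{severity:8} {service:6} {note}")
```

Running it with `shop` breached shows why the mailbox password matters most: the `mail` entry is flagged CRITICAL because it shares the leaked password, whereas a breach of `news`, registered with a masked address and a unique password, yields a single HIGH action and nothing to correlate.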
If you’re looking to upgrade your privacy and productivity and join the best in email, go sign up for your free 30-day trial of Fastmail.