How to prevent being hacked and the fall out of data breaches
Single use emails, strong passwords, 2FA, and segregation of data.
I’ve spent the last several years scrubbing away at old accounts to increase my privacy and limit the impacts of a data breach. This will go over email aliasing, creating strong passwords with a password managers, securing your accounts with 2FA, options for phone numbers, and even ways to minimise the impact of your address.
Why is this important
We all know about credit card fraud but 60% of all credit card fraud stems from unshredded mail. I recommend this episode of Darknet Diaries to appreciate how little information is needed by this hacker named “Drew” to get into your accounts. In this interview, Drew goes over common practices but I’ll provide a quick TLDR.
You have probably shopped at Target at some point in your life. In 2013, Target was hacked and in total, 70 million people were affected. This data breach included names, mailing addresses, phone numbers, and emails along with 40 million credit card numbers, expiration dates, and the CVV codes on the back of the card for those who shopped over the Black Friday weekend.
Let’s assume you were in one of two groups, previous shopper with an account or holiday shopper. If you had shopped online or in person before the holidays, the hacker has your personal information but nothing of obvious value. If you happened to shop that weekend, the attacker has your credit card information but not necessarily the billing addresses that it belongs to. What hackers will do, is take the names from the credit card group and match them with other data breaches. So if your credit card information was leaked by Target, they could get your billing address from the Volkswagen data breach that leaked 3.3 million financial records of customers who used their services. Conversely, the hackers who stole the Volkswagen data can cross reference the first group of Target customers to log into their accounts and use the credit card information to order items online.
For every leak, even if it is a partial leak, can be combined with other information to get everything someone would need to hack your accounts. That episode of Darknet Diaries goes into details of how hackers used the Ledger database leak, to then look up the balances of Coinbase users, to find high net worth individuals to spearphish or sim swap to steal millions of dollars in cryptocurrency.
The number one thing you want to do is use some kind of aliasing system. There are different versions of this with different trade offs but at a high level, you are amending your email address in a way that it is specific to the place that needs your email address. This differentiation then gets reconciled in some manner but creates distance between your actual email address and what you provided.
Plus sign trick
This is a very old trick that in reality is low privacy but it helps in large datasets. Let’s say your email address is email@example.com. Well, for each service you use, you can add the plus sign and then the name of the service you are signing up for. You could use firstname.lastname@example.org for Facebook and email@example.com for Sprint Mobile. This creates a very weak alias but it does two things:
- If you sign up for Facebook and you get an email with +facebook from a random company selling lawn furniture, then it means Facebook has sold your data to that third party. Note that there are some legitimate reasons this happens such as Amazon. Most of the things you buy on Amazon are actually from a third party so that third party may email you to review their products.
- As mentioned above, it only really works with large data sets. When Home Depot had its data breach, 50 million customers were exposed. A hacker is not going to go line by line looking for typos in email addresses. They are going to try and match +homedepot with other websites for a match. Hopefully that may be enough to stop it but if they actually look, or take the time to clean the data, they will know your real email address.
I recommend using a password manager in general but I especially recommend it if you use this option. There will be a day when you try to log into an account with your regular email, but you forget what goes after the plus sign making it nearly impossible to recover your account. This gets confusing as companies get acquired and you are logging into AT&T’s website with firstname.lastname@example.org.
Sign in with Apple
I am sure you have seen the social sign in options on many sites. These are convenient options that are effectively passwordless but terrible in the case of a data breach as you cannot change your email.
Apple introduced a version of aliasing with their sign in with Apple feature but it doesn’t help much. When you use this service, it generates an alias, or fake email, on the spot, provides the alias to the website, but then all of your emails still go to that one iCloud account that Apple can see. Moreover, this is the most restrictive option as you can’t change the alias in case of a data breach. The only benefit you get from Apple’s approach is if a data breach occurs and only emails were stolen. This would prevent someone from cross referencing emails across data breaches but almost never happens. The vast majority of data breaches include your name, email, address, etc. which the Apple alias alone would not fend off against.
Email providers with aliasing
Some email clients have aliasing services. These features vary but often times you are allowed to create a fixed number of aliases. Protonmail for example, allows you to create unlimited semi aliases, akin to the plus sign trick, with their paid plans. For example, if your email address was email@example.com you could create firstname.lastname@example.org for your Netflix account. This is a variation of the above + sign trick but it looks more natural. Additionally, there are a few websites I have encountered in the past that will not allow you to add a + sign in the email field. An underscore or a hyphen are common email practices so these will be less suspicious and never banned. Their paid plans also have additional domains so you can create email@example.com as a secondary alias. Again, it helps but doesn’t do much.
The best option is to use an outright aliasing service. Websites like SimpleLogin or AnonAddy allow you to create unlimited aliases so every single website has a unique email. Looking at the photo below, each service gets its own email address and the aliasing service then matches your alias to your actual email which is in your inbox. When you respond from your actual email, the aliasing service will then convert it to the alias so the person on the other side does not firstname.lastname@example.org is actually email@example.com. Both services are nearly identical so take a look and see if there is any one feature that really makes it worth your while. Both services are completely open source, have free and paid plans, do not keep email logs, and have browser extensions to make it easy for you to use.
If you use these services, you will absolutely need a password manager before starting. As you can see above, each email will be a random word or string of numbers and letters which will be impossible to remember. If you do not have a password manager, I recommend 1Password, LastPass, and Bitwarden as all three have two factor authentication (2FA) functionality within their differing plans. I would highly recommend paying for a plan if needed to ensure you have 2FA turned in case someone gets your email and password to this account.
When data leaks happen, you simply login to your account at the site that has experienced the data breach, create a new email alias in the browser extension, and paste it into the email field on the site. You may need to confirm the email chain in your real email but if not, open the browser extension, search for your old alias, and disable your old alias. A service like this allows you to change your emails just like you can change your password in a password manager.
Sign up for aliasing service
Since the first options are straightforward, the following with focus on the email services. Pick you provider, a plan, and sign up an account. This can be your regular email that you used now or you can see the paranoid version below.
If you are signing up for a paid plan, the upgrade option for each service is in the upper right hand corner. Enter your credit card information or both services offer to pay in cryptocurrency. SimpleLogin uses Coinbase Commerce but you can email them to pay in Monero. AnonAddy uses the Globee service so bitcoin lightning payments or monero can be used without contacting them as seen above.
Next, go to the settings and set up 2FA. Both options allow for TOTP (Google Authenticator, Authy, Aegis, etc) as well as a Yubikey. You should set this up so a hacker doesn’t get into this account, add a secondary main email, and then all of your alias emails will get forwarded to you and the attacker.
Paranoid best practices
You can absolutely use SimpleLogin or Anonaddy with your current email address. If you want to be a bit more private about things, you can set up a new email address from a privacy preserving provider such as Protonmail, Tutanota, Hushmail, etc.
You can also sign up for that new email using a VPN or over Tor. Most of those email clients do not collect IP address data but should you want to do that as a best practice, you can. Protonmail has an onion page:
Once you set up your new account, be sure to set up 2fa. Again I would recommend using a yubikey over other methods.
After you finish setting up your 2fa, you can go into the settings and copy your PGP keys from your email client into your aliasing service. The above services all provide your PGP keys which when added, will encrypt the messages between your actual email client and the aliasing service. Neither collect that data but there is a moment in time where your email is on their servers as it gets packaged through the aliasing service. Loading your PGP keys mitigates that momentary risk. Alternatively, you can use a service like Mailvelope which is an open source extension that encrypts your emails with 1 click.
Finally, you may want to look into hosting your own email service. This removes the ability of the email client whether it is Google, Apple, or more privacy preserving options like Tutanota from ever seeing your email because it is not on their service. There are more out of the box solutions like Helm which start at $250 and cost $99 a year but very consumer friendly. There are other more technical solutions such as buying a NAS for roughly the same price but you have to do all of the set up yourself to get around the subscription costs.
Edge case concern
The issue with the free aliasing service is that someone owns the domain addresses for all of your emails. Let’s say either either of the services go out of business, well the domain address of the alias can be shut down with it. That means you may be locked out of a few accounts that rely on email based 2FA. You could still login to your less secure accounts and change the email address to your real one but you would lose access to others. When you log into Coinbase for example, they ask you to confirm your signing in by clicking a link in their 2FA emails. Coinbase would email firstname.lastname@example.org but since SimpleLogin doesn’t exist, it cannot be forwarded to your email@example.com account.
The final edge case concern is that over my time using these services, every once and awhile a service will not allow an email address from either aliasing service. I have also had my IP address blacklisted by a few companies as soon as I enter in the default domain by either service.
The way around these is to create a catch all alias which requires buying a custom domain. This would create something called a catch all email address where you can create as many single use emails as you want but it will all go to one address under the same domains. In effect, it’ll make it look like you’re a corporation. I say that because you can buy yourname.com but then it ties your name to the account you are trying to stay private from. The trade off of a custom domain is that your anonymity set decreases. Think of the billions of people who use @gmail.com vs the thousands of people who use a @tesla.com. In practice this is a very small edge case.
You can buy a domain at any number of sites. Google “domain names” and you can find a provider. There is very little difference among providers for the purposes of this and usually cost about 12 dollars. The only considerations you may want to make are paying for the anonymity service from ICANN, a service that has 2FA, or the ability to pay in bitcoin or monero.
All that remains is to hook it. Click on domains, add your domain, then go back to the domain name service and add the txt host listed under the DNS Settings.
Swap your emails on existing accounts
You’ll need to begin swapping out all of your accounts from your current email to an alias. If you use a password manager, it would be easiest to go through your password manager and slowly change them over. If you don’t, you should set up a password manager and change both your email address and your weak passwords at the same time.
This would also be a good time to unsubscribe from everything you don’t use or delete older accounts in general.
Paranoid best practices
If you do start unsubscribing and deleting accounts, you may want to go the extra steps to ensure your data is not leaked in an edge case. This requires understanding the differences among unsubscribe, deactivating your accounts, being deleted from a marketing database, and having your account deleted.
The easiest thing to do is unsubscribe from marketing emails. You’ll stop receiving them, but the company will still have your email in a database. You’ll need to email every company and ask them to delete you from their marketing database entirely. There are some autoted services such as Mine or Unroll.me which makes it easier. Just because your email has been deleted from the marketing database, doesn’t mean your account information was deleted as most brands use another database as their CRM. Some websites like Facebook or Coinbase allow you to delete your account from within the settings. Unfortunately, you’ll need to email most of them to delete the account. If they respond, you should ensure that it is deleted and not deactivated. This week, 30 deactivated accounts at Husbpot were reinstated. Someone socially engineered Hubspot into reinstating the marketing accounts for places like BlockFi or Swan Bitcoin. The entire database was then leaked so 30 business accounts, translates into millions of users.
This is a clear example of why accounts need to be deleted and not deactivated. Since not every entity will get back to you, you may want to remove your profile information. Go through any embarrassing rewards cards you have signed up to like McDonalds, and then delete or change the names in the account. There is no reason why Mcdonalds needs to know where you live or what your phone number is. Change the name to Santa Claus and the phone number as 555–555–5555 before emailing them to delete your account. This way if they don’t respond and your data gets breached later on, you don’t need to worry.
If you want to be thorough, you should open your email, open one of the marketing emails, unsubscribe if you’d like to, go to their website, login, change any profile information, email them to delete the account, copy the domain name, and paste it into the search bar. Select all but one of the emails, and delete it. You’ll need to get to inbox 0 which took me about four years to get through them as new emails came in and follow up reminders to the companies you didn’t hear back from.
How to minimise the fall out from data leaks
Once you have the tools, you need to start using them. If you get a phishing email, you’ll be able to spot it more easily because the email alias does not match the sender, the email contains a fake or real name, or other clues to signal that it is not a real email. Moreover, when a data breach does occur, it matters less as it is easy to fix.
If you have gotten this far, your emails are all unique because you are using SimpleLogin or Anonaddy. Ideally you are using single use emails that cannot be cross referenced but at a minimum, are using the + sign trick. You may have also added PGP keys and enabled 2FA. Ideally, you are self hosting your email as well but know that is a stretch goal for many.
You have set up a password manager and have swapped out all of your old passwords to strong, unique passwords. If you bought a NAS or running a Bitcoin node like Umbrel, you may even want to host your own Bitwarden instance to mitigate the risk of the company being hacked. Ideally your password manager is using a master password that has never been used before and you have set up 2FA on the account.
You have started to go through all of your accounts and either deleted and started fresh or swapped out your old email for an alias and they have unique and strong passwords. All of your profile information such as your name, phone number, and address are mostly fake. There are a few accounts where it will be impossible or a bad idea to use a fake name or phone number. For this, you should set up a burner phone number.
You don’t need to get a second flip phone like you see in the movies. There are plenty of apps where you can get an online phone number. A lot of you will be familiar with something like Google Voice. You should think about who should get what number. There are trade offs you need to make between giving an app that needs 2FA access like Uber your web number for privacy or real number for convenience.
There is the very rare edge case where you’ll need a phone number that is tied to an identity. Some services you sign up for will not accept a VOIP number like Google Voice so you’ll need to buy a secondary device. Personally I would recommend buying a cheap phone online. You can get a pay as you go prepaid plan from your current carrier or places like Mint mobile if want to create further distance between the data sets. There are other services that offer identity numbers as an eSim that can work with an iPad or other devices such as Google Fi or Silent Link if you want to pay in bitcoin.
The hardest dataset to hide is your physical address. Most businesses don’t actually need to know where you live but if you order something online, they do. If you have the ability to do so, you can have packages delivered to your work address. Amazon has those shipping lockers that you can have packages delivered to your nearest 7–11 or maybe Whole Foods. If you want to spend a little money, you can set up a PO Box or go to the UPS Store. If you want to spend a little more money, remailer services will accept all of your email and then send your mail to you. This can be a pain if you something is time sensitive and increases the likelihood of something getting lost.