The New Oil

How Getting Hacked Really Works

One of the most common misconceptions about “getting hacked” is how it really works. Most people think, “nobody has any reason to hack me.” While it’s true that a cybercriminal will rarely single out a total stranger who might not even have anything worthwhile, the “I’m not a valuable enough target” mentality betrays a fundamental misunderstanding of what actually happens to most people in most cases. Here’s how data breaches and modern hacking really work in most situations:

If you’re reading this, you likely have an account with a major service that has millions of users, like Gmail, Amazon, eBay, or Facebook. Smart cybercriminals target these major companies, which endure billions of attacks every day. The defender needs to succeed every single time, but the attacker only needs to be successful once. Once the attacker is in, they steal everything they can before they get noticed and kicked out of the system: usernames, passwords, card numbers, IP addresses, anything the service logs and they can access.

Typically, responsible companies encrypt the most sensitive information like passwords and card numbers (though not always), and they rarely encrypt things like usernames and IP addresses (which can reveal your exact physical location). This matters because step two is to sort through and decrypt whatever information the hacker has stolen. Various programs exist - totally legal and free - to help crack your password. Depending on the password’s complexity and the criminal’s computer, a given password can be cracked in less than one second. This doesn’t require a government-grade supercomputer, either. A decently powerful computer capable of cracking dozens or hundreds of passwords in an hour costs somewhere around $1000 and can be purchased off the shelf at your local electronics store.

How Password Cracking Works

There are two main methods of guessing a password. The first is called a “dictionary attack.” This is when the criminal loads a dictionary into the software and it checks your password against the dictionary, including common variations. For example, “P4ssw0rd” is a common variation of “password,” so the program will check for that. Various dictionaries are available for free, including known common passwords (collected from past data breaches), song lyrics, famous names, quotes, and more. A hacker can even easily make their own dictionary tailored to you with information like names of family members, important dates, pets, sports teams, and more, all easily gathered for free online from people-search websites and public social media profiles.

The second method is called a “brute force attack.” This is where the hacker specifies parameters (such as “upper and lower case letters” and length) and the software guesses every possibility, starting with “aaaaaa,” then moving on to “aaaaab,” and so on. Passwords shorter than six characters, regardless of complexity, can be brute forced in less than a second.
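To make the two methods concrete from the defender’s side, here is an added example (not code from The New Oil) of the kind of check a signup form can run before accepting a password: it undoes the “P4ssw0rd”-style substitutions a dictionary attack tries, and estimates how long a brute force over the password’s character classes would take. The wordlist is a constructed stand-in, and the guess rate of ten billion per second is an assumed figure for an off-the-shelf machine.

```python
import re

# Constructed mini-wordlist standing in for the breach dictionaries the article describes.
COMMON_WORDS = {"password", "letmein", "qwerty", "football", "fluffy", "summer"}

# Reverse map for the "common variations" a dictionary attack tries ("P4ssw0rd" -> "password").
LEET_MAP = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
            "$": "s", "5": "s", "7": "t"}

# Assumed guess rate for a ~$1000 desktop cracking rig (illustrative figure, not from the article).
GUESSES_PER_SECOND = 1e10

def normalize(candidate: str) -> str:
    """Collapse case, a trailing digit/symbol suffix and leet substitutions onto the base word."""
    stripped = re.sub(r"[^a-z]+$", "", candidate.lower())   # "Qwerty!123" -> "qwerty"
    return "".join(LEET_MAP.get(ch, ch) for ch in stripped)  # "p4ssw0rd"   -> "password"

def dictionary_variant(candidate: str, words=COMMON_WORDS) -> bool:
    """True if the password is just a listed word with predictable decoration."""
    return normalize(candidate) in words

def keyspace(candidate: str) -> int:
    """Size of the smallest class-based search space an attacker would configure to reach it."""
    alphabet = 0
    if re.search(r"[a-z]", candidate):
        alphabet += 26
    if re.search(r"[A-Z]", candidate):
        alphabet += 26
    if re.search(r"[0-9]", candidate):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        alphabet += 33   # printable ASCII symbols
    return alphabet ** len(candidate)

def brute_force_seconds(candidate: str) -> float:
    """Worst-case time to enumerate the whole keyspace at the assumed guess rate."""
    return keyspace(candidate) / GUESSES_PER_SECOND

def assess(candidate: str) -> str:
    """Verdict a signup form could show before accepting the password."""
    if dictionary_variant(candidate):
        return "reject: variant of a common word"
    if brute_force_seconds(candidate) < 1:
        return "reject: brute-forceable in under a second"
    if brute_force_seconds(candidate) < 86400:
        return "weak: brute-forceable in under a day"
    return "ok"

if __name__ == "__main__":
    for pw in ["P4ssw0rd", "Qwerty!123", "Zq!7m", "Abcdefgh", "correct-horse-battery-staple"]:
        print(f"{pw!r:32} {assess(pw)}")
```

Note that a five-character password drawn from all four classes has 95^5 possibilities, which at the assumed rate falls under the one-second mark the article cites for passwords shorter than six characters.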

Other Methods

There are, of course, countless other ways to get your account hacked. One of the most common is phishing, wherein an attacker entices you to click on a malicious link. This could come in the form of a targeted email or DM, a post from an already-compromised account you follow on social media, or a malicious ad.

Another is called “credential stuffing.” This is when you reuse credentials across multiple sites. After a criminal has already cracked your stolen password from a previous data breach (or phishing attack), they may attempt to use that same username/password combination on other popular sites like Amazon, Netflix, Facebook, or your email provider.

In rare - but not unheard-of - cases, you may fall victim to some sort of malware like a keylogger or infostealer. These are malicious programs installed without your knowledge that record every keystroke you make, such as your search terms, the websites you visit, the passwords you enter, and more. These programs can end up on your computer in a variety of ways, like downloading suspicious, untrusted, or pirated software, or if someone (like an abusive partner) gains access to your device without you knowing. The best way to defend against this is to only download trusted software from official sources and to ensure your devices are clean.

If you’re reading this, you have almost certainly already been caught in multiple data breaches. You can check websites like Have I Been Pwned or DataBreach.com to see what information of yours has been leaked by who.