LastPass Hacked – How serious is it & Things You May Not Know


If you use LastPass as your password manager, I recommend reading this post in full.

If you know anyone who uses LastPass, forward this to them.

Even if you already know about the LastPass hack, I still recommend you read this, as there will be information here that you may not know about and risks you have not thought of.

In case you are not aware, LastPass got hacked back in August 2022 and then AGAIN in November, and all customer password vaults have been stolen. This is not the first time they have been compromised either; it has happened before.

LastPass has been very sketchy about revealing what happened or revealing the seriousness of the hack and waited until December 22nd to put out a statement telling customers their vaults had been stolen, knowing full well that most users would have left for the Christmas holidays and probably wouldn’t read the email or be able to take action.

You can read more about the hack here.

My advice is to move away from LastPass ASAP and change all your passwords.

How Serious Is This?

As long as you had a very strong master password on your LastPass account, security experts agree that hackers will not be able to crack it and decrypt your vault, which would potentially take thousands of years or more. If, however, you had a weak or moderate master password, then you should probably consider it compromised.

However, the strength of your master password is not the only issue.

There have been numerous issues revealed about how LastPass encrypts data and enforces strong passwords, especially for users who signed up several years ago, when the requirements were much weaker; LastPass has never prompted or required these users to change their weak master password. This means many users still have weak master passwords that are easy to crack.

It was also discovered by security experts that LastPass only encrypts the PASSWORD and NOTES fields in the vaults; everything else is in plain text and can be viewed by hackers right now, which is a serious problem. This means all the other data in your vault is compromised, so they know who you are, what company you work for, what websites you use, the usernames for those websites, and any other piece of data you stored in your vault.

If any of the websites/accounts you had stored in LastPass also had weak passwords, the chances of those also being hacked have now also increased.

You can also be sure the hackers will be selling your vault to anyone who wants it on the dark web, so it won’t just be the original hackers trying to get into your vault, it will also be every other hacker and cybercriminal they sell the data to.

The even bigger issue here is that LastPass has now been hacked several times, so obviously their security is not up to scratch, plus the way they have handled the situation is highly unprofessional and unethical. In an attempt to save their reputation and stop customers from leaving in droves, they have been intentionally sketchy with the truth and tried to mislead everyone about what happened, when it happened and how serious it was, meaning they simply cannot be trusted anymore.

Armed with the non-encrypted information from users’ vaults, it will be very easy for hackers to launch phishing attacks against users, with spoofed and fake emails, appearing to come from the sites they know you use, in an attempt to get you to reveal the passwords for those sites/accounts. So you need to be extra vigilant in checking that every email you receive is really from who it says it is from.


It is not likely that hackers will be going after the average user, as there are millions of them; instead, they will be targeting the vaults of high-profile users, CEOs, MSPs etc. But this still doesn’t mean you are safe, see the indirect risk warning below.

Please also be aware that the 2-factor authentication on your LastPass account will not help here, since 2FA only protects the login process on the LastPass app or website. The hackers do not need to log into anything; they just have an encrypted file that they need to decrypt. So they are simply trying to decrypt the password vaults, which are encrypted with your master password only, so no 2FA is involved.

If you used a password made up of information that could easily be gleaned by checking your social media posts and activity, such as family members’ names, dates of birth, etc, then it is also easily cracked.

NEVER create passwords made from personal information about you or your family or hobbies etc. Always create random passwords or phrases made from random words. This is the point of using a password manager and why they do this for you.

How you Actually Get hacked

It is also important to consider how this can indirectly affect you.

Even if your vault does not get compromised, someone else or another company who you do business with (such as me for example), who also has access to any of your systems, websites, or accounts, could have their vault compromised, especially if they had a weak password (my passwords are strong BTW) which in turn compromises you.

It is also highly likely that some websites/businesses you use and trust will end up being hacked as a result of this, due to that company or someone who works there having their LastPass vault compromised.

So by changing all those passwords, you are also protecting yourself from this indirect compromise as well.

What you need to do

You need to get all your data out of LastPass, move to a new password manager, delete your LastPass vault, cancel your account, change all your important passwords and enable 2FA everywhere possible.

1. Change Your LastPass Master Password

Please note that this will not help with the copy of your vault that has been stolen; it only changes the password on your current vault. But if the criminals do manage to crack your master password, you don’t want them then being able to log in to your LastPass account and access your live vault as well, before you have had a chance to delete it and close your account.

2. Export all your data from LastPass

Click here for instructions on how to do that

If you use LastPass as your 2FA authenticator to generate your One Time Passwords (these are the codes you use for 2-factor authentication), these cannot be exported, as they are randomly generated every 60 seconds; what you will get in the export will just be junk.

So you will need to reset the 2FA on all those sites where you are using LastPass as the authenticator and set them up in another authenticator. You can either use whatever new password manager you move to or, if you prefer to use your mobile device, then I recommend using Microsoft Authenticator.

You will need to keep your LastPass account active while you do this since you will need to use it to generate your One Time Passwords to log in to those sites and reset 2FA to begin with.

I recommend importing the exported CSV file into Excel, password-protecting it, and then saving it as an .xlsx file.
Now delete the original CSV file and also empty your recycle bin.

This way you do not have all your passwords stored on your computer insecurely in plain text.

3. Import your data into a new Password Manager

First, you need to pick a new password manager, the best solution will really depend on your requirements.

If you don’t need to share passwords with anyone else, don’t need any bells and whistles, and are happy to store everything on your mobile device, then you can use Microsoft Authenticator, as this also has a built-in password manager.

The downside of this is that if you need to log into anything on your PC/laptop or any other device, you will need to manually type those long, randomly generated passwords.

Other popular choices include 1Password, Dashlane, NordPass, Bitwarden, KeePass and many others.

If you use Bitdefender antivirus, then this also has an optional password manager.

I personally have moved to Bitwarden, which has a free plan for personal use and very reasonable pricing on all the other plans. However, it’s not the prettiest or most intuitive app, so it may not be the right choice for the less computer-literate among you, who may prefer one of the other apps above or something else.

All make it nice and easy to import your LastPass data and provide instructions in their knowledge base on how to do this.

And finally, don’t forget to delete that exported file once you have finished with it, and delete it from the recycle bin too.

TIP: If you press SHIFT while deleting a file, it doesn’t go to the recycle bin.

4. Reset all your 2-factor authentications

As mentioned above, you will need to reset the 2FA on all those sites where you are using LastPass as the authenticator and set them up in another authenticator.

If you don’t do this first, you will no longer be able to get into those sites once you delete LastPass, as you won’t be able to generate an OTP, and you will need to go through more hoops to reset 2FA and regain access to those sites. So decide which option is preferable.

Anywhere that offers 2FA, make sure it’s enabled.

5. Delete your LastPass account

Once you are sure that you have everything you need from LastPass, and don’t need to access the OTPs (One Time Passwords) for 2-factor authentication for any of your sites, you can go ahead and close your LastPass account, which will delete your vault.

How to delete your LastPass account.

6. Change all your Important Passwords

You could work on the basis that your vault will not be decrypted and that you are safe, especially if you had a very strong master password.

Or you may want to go and change all your passwords just in case, don’t forget the indirect compromise I mentioned earlier.

Anywhere where you have 2FA enabled is technically safe, as the password by itself will not let the hackers into that account, and you should get notification of any attempted access.

But you should certainly consider changing passwords on any important site or account where 2FA is not in place.

Such as: your email account (very important; very few email providers have 2FA), hosting account, online banking, social media accounts, website admin, Amazon account, other online stores, and anywhere that has your banking or card details stored and could be used to make purchases.

Remember, any website/account that gets hacked, even seemingly insignificant websites, may contain information about you that will then help the criminals/hackers gain access to other accounts of yours, such as your answers to security questions, which are likely going to be the same on every website you use.
Armed with this information, they can then pretend to be you, claiming they have lost their login details, and use the security questions/answers to reset passwords and gain access.

If any third parties also have their own separate logins to anything of yours, such as your email, website, banking, Amazon etc, send this information to them, and if they use LastPass, they should also change their passwords.
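Once you have the CSV export from step 2, it is worth triaging it before you start changing passwords, so that the reused and weak ones and the sites where LastPass was your authenticator get dealt with first. The script below is an added example written for this post, not a LastPass tool: the column order of the export (url,username,password,totp,extra,name,grouping,fav), the use of the url http://sn for secure notes, and the sample rows are all assumptions I have constructed for the demo, so compare them with the header row of your own export before running it against real data.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the layout of a LastPass CSV export. The column order
# (url,username,password,totp,extra,name,grouping,fav) and the "http://sn" url
# used for secure notes are assumptions for this example; check the header row
# of your own export before relying on them. No real accounts or passwords.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice@example.com,Tr0ub4dor&3,,,Email,Personal,1
https://bank.example.com,alice,Tr0ub4dor&3,JBSWY3DPEHPK3PXP,,Bank,Finance,0
https://shop.example.com,alice@example.com,fluffy2010,,,Shop,Personal,0
https://forum.example.org,alice_f,x7$kQ9!vLm2#pRz8Wq,,,Forum,Misc,0
http://sn,,,,"wifi: cafe-guest / summer2019",Wifi code,Notes,0
"""

SECURE_NOTE_URL = "http://sn"


def parse_export(text):
    """Read the export as a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def is_weak(password):
    """Rough heuristic: under 12 characters or fewer than three character
    classes. A prioritisation aid, not a strength meter."""
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return len(password) < 12 or classes < 3


def triage(entries):
    """Group the export into the lists the post asks you to act on."""
    by_password = defaultdict(list)
    weak, needs_2fa_reset, skipped_notes = [], [], []
    for entry in entries:
        if entry["url"] == SECURE_NOTE_URL:  # nothing to log in to
            skipped_notes.append(entry["name"])
            continue
        if entry["password"]:
            by_password[entry["password"]].append(entry["name"])
            if is_weak(entry["password"]):
                weak.append(entry["name"])
        if entry["totp"]:  # LastPass was the authenticator: re-enrol 2FA elsewhere first
            needs_2fa_reset.append(entry["name"])
    # Report reused passwords as groups of entry names so the passwords
    # themselves never appear in the output.
    reused = [names for names in by_password.values() if len(names) > 1]
    return {
        "reused": reused,
        "weak": weak,
        "needs_2fa_reset": needs_2fa_reset,
        "skipped_notes": skipped_notes,
    }


if __name__ == "__main__":
    report = triage(parse_export(SAMPLE_EXPORT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the exported file while it still exists, act on the lists, and then delete the file (and the recycle bin copy) as described above; the output deliberately shows entry names only, never the passwords.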

7. Be vigilant

As mentioned above, armed with the non-encrypted information from users’ vaults, hackers, cybercriminals, and scammers all around the world will be launching phishing attacks against users, with spoofed and fake emails, appearing to come from the sites they know you use, in an attempt to get you to reveal the passwords for those sites/accounts.

These emails will likely come in the form of warnings about your account being compromised or about this very LastPass hack, telling you to reset your password, and sending you to a fake website.

Since there will also be legitimate emails from those same websites telling you the same thing, you need to check who the email really came from (check the from address) and verify that links in any emails go to the real website (look at the domain name).

The best suggestion is simply to avoid clicking links in such emails, and instead, just go to the website manually by typing the URL, then you know you have gone to the real website.

Also be wary of unusual emails/messages from friends, family, colleagues, staff, and even your boss, as the person sending the messages may be a criminal or scammer who has compromised their email, social media account, etc. If in doubt, always pick up the phone and call that person to make sure it’s actually them you are talking to.
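The two checks described above, the From address and the real destination of each link, can be automated. The following is an added example written for this post, not a tool from LastPass or any mail provider: the email is a constructed specimen (all domains use the reserved .example suffix) and the set of “sites you actually use” is an assumed list you would replace with your own. It flags a sender domain you do not have an account with, a link whose domain you do not use, and link text that shows one site while the href goes to another.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message for the example: the display name and link text imitate a
# site the recipient uses, while the real sender and link domains do not match.
# No real domains; ".example" is reserved for documentation.
SAMPLE_EMAIL = b"""From: "LastPass Security" <alerts@lastpass-verify.example>
To: alice@example.com
Subject: Action required: reset your master password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your vault may be at risk. Reset it now:</p>
<a href="https://lastpass.com.reset-now.example/login">https://lastpass.com/reset</a>
<p>Questions? See the <a href="https://support.example.com/faq">FAQ</a>.</p>
</body></html>
"""

# Assumption: the sites this user actually has accounts with.
TRUSTED_DOMAINS = {"lastpass.com", "example.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Enough to show the idea; a real checker
    should use the Public Suffix List so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def analyse_email(raw, trusted):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    sender = msg["from"].addresses[0]
    sender_domain = registrable_domain(sender.domain)
    if sender_domain not in trusted:
        findings.append(f"sender domain {sender_domain} is not a site you use")

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    collector = LinkCollector()
    collector.feed(html_part.get_content())

    for href, text in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        if href_domain not in trusted:
            findings.append(f"link to {href_domain} is not a site you use")
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != href_domain:
            findings.append(
                f"link text shows {registrable_domain(shown.group(1))} "
                f"but goes to {href_domain}"
            )
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print("WARNING:", finding)
```

Note the first link: the hostname starts with lastpass.com, which is exactly what a quick glance picks up, but the part that matters is the end of the hostname, and that is what registrable_domain() compares. Even with a checker like this, the advice above still stands: type the address yourself rather than clicking.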


I hope this information was helpful.

Stay Safe

Why fraudsters create fake accounts

Fraudsters are everywhere on the Internet. If you run a website that allows users to create an account in order to access goods or services then you will definitely encounter your fair share of them. For the purpose of this article, we’ll cover 2 types of such fraudsters.

Plus, the amount of online fraud has increased dramatically over the last couple of years due to the worldwide pandemic, which, according to the latest print on demand eCommerce stats, is down to the online business market growing like crazy.

Credit card fraudsters

This is the type of fraudster that you’ll see frequently if you run an online business. They will create multiple fake accounts with various email addresses, often using free or disposable email providers. For them, it’s a form of anonymization to cover their malicious activities. As far as the online merchant is concerned, they are different people because the email address is different.

After creating multiple fake accounts, the fraudster will then attempt to purchase multiple items at the website using stolen credit cards. With different accounts and varying email addresses, it’s often hard to manually trace the culprit. In the end, the online merchant will suffer severe financial losses from chargebacks by the legitimate card owners.

Spamming fraudsters

Now, these guys are everywhere in forums, blogs, review sites, etc. They are often paid shills that are given the task of promoting some dodgy websites or giving fake reviews to boost the status of a questionable product. They just keep spamming everywhere that they can post their website links as well as any review sites.

Similar to the credit card fraudsters, they hide behind the identities of multiple email accounts. Without an automated screening tool, it would be next to impossible to identify all such accounts. Using mass spamming bots, they can severely compromise the integrity of review sites as well as degrade the usage experience of the normal web users.
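Both kinds of fraudster rely on the merchant treating every distinct email string as a distinct person. A first line of defence is to normalise addresses before comparing them, so that the dotted, “+tagged” and alias-domain spellings of one mailbox collapse into one key, and to flag throwaway domains. The code below is an added illustration for this post, not part of FraudLabs Pro or any other product: the signup records, the disposable-domain list and the provider rules (Gmail ignoring dots and +tags, googlemail.com being an alias of gmail.com) are assumptions I have made for the example.

```python
from collections import defaultdict

# Constructed signup records for the example; every address and domain is made up.
SIGNUPS = [
    ("acct-1", "John.Doe@gmail.com"),
    ("acct-2", "johndoe+shop@gmail.com"),
    ("acct-3", "j.o.h.n.d.o.e@GoogleMail.com"),
    ("acct-4", "buyer77@mailinator.com"),
    ("acct-5", "jane@company-example.com"),
]

# Provider rules are assumptions for this example: Gmail ignores dots and "+tag"
# in the local part and googlemail.com is an alias of gmail.com. Other providers
# differ, so keep these sets explicit rather than applying the rules everywhere.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}
DOT_INSENSITIVE = {"gmail.com"}
PLUS_TAGGING = {"gmail.com", "outlook.com", "protonmail.com"}
# Tiny constructed blocklist; a real deployment would use a maintained list.
DISPOSABLE = {"mailinator.com", "guerrillamail.com"}


def normalize(address):
    """Collapse the provider-specific spellings of one mailbox into one key."""
    local, _, domain = address.strip().lower().rpartition("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_TAGGING:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def screen(signups):
    """Flag accounts that share a mailbox and accounts on disposable domains."""
    by_mailbox = defaultdict(list)
    disposable = []
    for account_id, address in signups:
        key = normalize(address)
        by_mailbox[key].append(account_id)
        if key.rpartition("@")[2] in DISPOSABLE:
            disposable.append(account_id)
    duplicates = {k: v for k, v in by_mailbox.items() if len(v) > 1}
    return {"duplicates": duplicates, "disposable": disposable}


if __name__ == "__main__":
    print(screen(SIGNUPS))
```

Three of the five constructed signups turn out to be the same Gmail mailbox, and one is on a disposable domain. Treat the result as a signal for review or for requiring extra verification at signup, not as proof of fraud on its own, since legitimate customers also use +tags.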

How to limit the fake account issue?

In the case of the credit card fraudsters, online merchants can use FraudLabs Pro, which offers both plugins and APIs to screen out fraudulent credit card transactions. The highly sophisticated algorithm in FraudLabs Pro, coupled with blacklists powered by feedback from other merchants, makes it a highly effective screening tool for blocking such transactions.

Since both types of fraudsters rely on fake accounts to perform their nefarious deeds, the use of the FraudLabs Pro SMS Verification is another tool to prevent the fraudsters from signing up with multiple accounts. By requiring a mobile phone number to receive the One-Time-Passcode (OTP) for verification, it is a lot harder for bad actors to successfully sign up for multiple accounts.

When it comes to blocking scammers and spammers on your website, there are plenty of tools available, and the choice very much depends on what your website is built with. One of the most popular solutions is Cleantalk, which can be installed on any website and blocks spam silently in the background. No annoying captchas or math problems for users to solve.

For added security against other kinds of threats/issues, I recommend Sucuri, which is a web application firewall/proxy service that sits in front of your website and filters all requests for malicious activity and blocks them before they ever reach your website.

For customers using WordPress, it is also critical to have a security plugin to monitor your WordPress installation and protect against malware. A popular passive solution is Malcare, which will detect and automatically remove malware, which is great for sites that are not being professionally managed. At the very least, it is recommended to have the free version of the Wordfence or Sucuri plugins.


Deploying at least basic security/protection doesn’t need to cost you an arm and a leg, in fact in many cases it is actually FREE. The FraudLabs Pro protection is an easy and fast way to limit the potential damage that fraudsters can do to your website and your reputation. Their Micro plan is completely free, so there is no reason not to give it a try.

FYI I do use all the above services myself for both myself and many of my clients.

As usual, if you need any help with your security or anything mentioned here, feel free to get in touch.

Google alienates kids & parents + How to recover files from a suspended G Suite account

I was one of the early adopters of what is now known as Google G Suite and have been using it since it was launched back in 2006, when it was originally called Google Apps.

Like most early adopters, I started with the free Google Apps account, which was open to anyone and was originally intended for personal use. Like most people, I got it just so I could use my own domain name with Gmail. A few years later I upgraded to the paid plan, which then became Google Apps for Business and then G Suite basic.

Over the years many things have changed, including the name, rules and policies, and new features have been added, not all of them positive and many of them infuriating.

One of the big changes is that G Suite is now intrinsically linked with your Google account, which you use for many other apps and services, including Single Sign On.

G Suite is now for business use only, not personal use, and as such they have intentionally crippled it so that it only works with the core G Suite services and you are not allowed or able to use any of the other useful services that regular Google users enjoy, such as Google families.

I have even discovered that I am no longer able to leave reviews for apps on the Play Store via my G Suite account, which has been a long-running complaint on the forums, as this is the only way to contact the developers or get support for many apps.

Basically Google are treating their G Suite customers like second class citizens and seem to be punishing us at every opportunity simply for being a paying customer and having a G Suite account. Many customers, myself included, are feeling very alienated by this as it seems we would be better off using a free gmail account instead.

The other big change/annoyance is that Google now has an age limit. You are required to be 13+ years old in order to even have a Google account and use any Google services at all, even a free Gmail account.

If Google finds out that a user is under 13 years old, they will permanently suspend that user’s account and will never reactivate it or give that user or you (the parent) access to that account ever again, no matter the reason.

All these changes are a major problem for parents like myself, who used the original Google Apps for personal use. Like many, I used my Google Apps domain for my entire family and gave all my kids an account so that I could centrally manage their Android devices and permissions.


Under Google’s new rules, this is no longer allowed, so if your kids are under 13 and have a Google account of any type, they are at risk of having their Google account suspended and deleted, which has now happened to me twice.

In both cases the cause of the suspension was Google+. Everything was fine until they tried to use something which prompted them to set up a Google+ account. As soon as you enter your DOB on Google+, it suspends your account immediately if you are under 13.

This was a surprise to me since, AFAIK, Google+ was actually shut down last April. What I had not realised was that they had only shut down the public (free) version, and it was still active for G Suite customers.

The other ridiculous thing is that the age limit rule also means that your kids cannot use any Android device since this requires a Google account, which they are not allowed to have.

The only way around this is to use Google’s Family Link, which again cannot be used with a G Suite account (I tried), which is a real shame, as it seems like it would be a really great app if I could actually use it.


You might think, ok, so I will just create another Google/Gmail account, have that on my device alongside my G Suite account and use that to manage Family Link. Nope, this is not possible either, as Family Link does not allow you to have 2 Google accounts on the same device, not even on the parent device.

So the only way you can use Family Link is by having a 2nd phone just for this purpose. If you have an old Android phone lying about, then this may be a viable solution, but it needs to be Android 7 to work properly and use all the features. This wouldn’t, however, be viable if you want to use any of the other family services, which you would obviously want on your primary device.

As if this is not bad enough, when I realised that I could not use Family Link I had to delete my child’s Google account from their phone in an attempt to put it back to normal, and this then completely bricked the device.

I was completely locked out of the device by Family Link, because it did not like me removing the child account, so a factory reset was the only option. But after a factory reset it wants me to log in as the previous user, which fails every time. I have now bricked 2 old phones by attempting to use Family Link.

Now I understand that Google has implemented these age limits in order to be compliant with COPPA, but they seem to have gone completely OTT and heavy-handed with their approach and have further alienated a lot of their customers in the process.

I have become so frustrated and disappointed with Google over the last couple of years that I am seriously considering cancelling my G Suite account and moving my domain over to Office 365 or Zoho.

Recovering Data From a Suspended G Suite account


As I mentioned above, I have been on the receiving end of Google’s “no compromise” account suspension of my daughter’s account.

I pleaded with Google support just to unsuspend it for an hour so I could backup all her files from Google drive, but I was told by the agent that there was nothing he could do and the account could not be reactivated under any circumstances.

I asked if he could backup the files and send them to me, but the answer was also no, and I was told categorically that there was no workaround and no way I was ever going to get access to this account or the files.

So off the top of my head, I came up with a couple of workarounds, which surprisingly the support agent had never thought of, because they were not in his list of KB canned responses. Creative thinking doesn’t appear to be one of the skills of a Google support agent.

  1. Rename the Account
    Despite what I was told, there is in fact 1 way to get an account reactivated, which is if the suspension was a mistake because you accidentally provided the wrong DOB and the user is in fact over 13. In which case you need to provide ID to prove your age and if accepted, the account will be re-activated.

    You will note in the above link it says there is supposed to be an option for the admin to change the users DOB, but this was not available to me, in fact I could not do anything with the account except delete it.

    So I thought, what if I rename the account to be in my wife’s name, and then send them my wife’s ID as proof of age, thus getting the account reactivated.
  2. Transfer files to another User
    When you delete a user from G Suite, it gives you the option to transfer all the files to another user. So I thought I could just create a new user for my daughter, delete the old user and transfer the files to the new user.

Option 2 was obviously the quickest and easiest solution, so that is what I decided to do, and it worked perfectly. Unfortunately, you cannot save the emails using this method, only the files, but this was not a problem for me.

I also then decided to re-create the original user, expecting this to not work because Google would know it was a previously suspended user.
Surprisingly this also worked: the account was no longer suspended and worked fine. So I repeated the process, deleted the NEW user, and transferred the files back to the original username.

Now let’s just hope that Google do not read this and decide to further screw us over by stopping us from performing either of the above workarounds.

Are you sharing sensitive data & passwords on freelancer websites?

As a freelancer/consultant, I use freelancer sites like PeoplePerHour or Upwork on a regular basis. One of the issues evident in every job I have done is the total disregard for security on these platforms.

Most IT or web-related jobs done on freelance platforms are going to involve the exchange of sensitive data, specifically passwords, which is required in order to do the job. Clients will gladly share everything with multiple freelancers without a second thought, including their logins for control panels, hosting accounts, domain registrars, websites, and everything else.

This unconscious sharing of such details has massive security implications which I will address below and offer better and more secure alternatives.

Security Bad Practices

Firstly and most importantly, you should not post any sensitive information in the job chat/discussion on the freelancer sites (unless they are temporary logins that will be revoked/changed). These conversations are stored in plain text, not encrypted in any way, and can be viewed by anyone with access. Certainly, in the case of PeoplePerHour, Upwork and Fiverr, I have asked them directly and they have confirmed this is the case.

In fact Fiverr support even said outright to me that they do not recommend sharing passwords on their platform, even though it doesn’t state this anywhere on their site, they do nothing to discourage it and this is exactly what everyone does.

Secondly, your login details are for your own use, and everything that is done with your login credentials links back to you. If you share these credentials with multiple people and there is a security breach, you will have no idea who is responsible. If you are an employee and have a boss, then you will most certainly be blamed for the security breach, which could cost your company dearly.


Thousands of sites get hacked and data is stolen every single day. Most of them are unaware they have even been hacked and the breach can go unnoticed for months or even years in some cases.

If any of the freelancer sites suffer a security breach, the hackers will have access to any data which is not encrypted, which includes all those login details that clients have entered in the chat with their freelancers. Not forgetting that the support staff can also read all your discussions as well, so any dishonest support agent could simply lift your login details and use them for illicit purposes.

Sadly there are also a lot of unscrupulous freelancers out there too, who will intentionally do damage to your systems in order to generate more work for themselves, or may seek revenge in the event of a dispute or disagreement.

I have had many jobs cleaning up after such situations and have found all kinds of back doors, insecure plugins, malware and extraneous logins that presumably had been created by other freelancers.


Ideally, you should find a single reliable freelancer/company who you are happy with and stick with them, rather than hiring a different freelancer each time. Not only is this better for security, but using multiple freelancers can also cause other problems as they are oblivious to what work their predecessor has done, and so will often break or undo each other’s work.

Sticking with the same person/company creates a relationship as well as a recurring income, which will, in turn, result in a better quality of work, fewer issues and less expense as they will know your systems and the work they have done before and be more inclined to keep you happy.

Plus any decent freelancer/contractor will use a task/project manager and will keep notes on the work he does for ongoing clients which also improves communication and project management.

Do not post sensitive information in the workstream/chat. An exception would be if you are providing a temp login which will be revoked once the job is done.

If you do need to give a freelancer (or anyone) temporary access to your accounts or website, then ideally you should provide them with their own login, not give them yours, which you should revoke (delete) once the job is done. You should also give restricted access where possible so the freelancer only has access to what is required to do the job.

If it is not possible to create a separate login for your freelancer, then you should always change your passwords after the job has been completed.



Create a Secret Link

There are a number of online tools which will allow you to share information with someone securely via a special secret link that is randomly generated just for you and only works once. As soon as the recipient clicks on the link to view the information, that link and all the information is destroyed.

This makes it safe to share that link via email or on freelancer sites, because the link only works once, so is useless to anyone else that finds it after it has been used.

OneTimeSecret is my favourite so far.

This tool gives you a large text area, allowing you to share any amount of information in one go. It also allows you to put an optional time limit on the link (how long it will stay active for) and an optional passphrase to protect the link as well. So you could then provide the passphrase via phone or SMS to make it extra secure, in case the recipient won’t be checking the link immediately or there is any chance of it being intercepted.

A few other solutions include Saltify.
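To make clear why a one-time link is safe to paste into a plain-text chat, here is a minimal model of the mechanism described above, written as an added example for this post; it is not OneTimeSecret’s or Saltify’s code, and the key derivation and storage layout are my own assumptions for the demo. The random token only ever lives in the link; the server stores a hash of it as the lookup key and uses the token itself (plus the optional passphrase) to derive the encryption key, so a copy of the server’s database cannot be decrypted without the links. The first successful read destroys the entry, a wrong passphrase reveals nothing, and an expired entry is purged on access.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Entry:
    salt: bytes
    ciphertext: bytes
    tag: bytes
    expires_at: float


class OneTimeSecretStore:
    """In-memory model of a burn-after-reading secret store (example code).

    The token returned by create() is the part that goes in the link. The
    store keeps only sha256(token), so the stored blobs cannot be decrypted
    without the link itself (and the passphrase, if one was set).
    """

    def __init__(self, clock=time.time):
        self._items: dict[str, _Entry] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _lookup_key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _derive_key(token, passphrase, salt):
        # Token and passphrase both feed the key; a wrong passphrase therefore
        # fails the integrity check below instead of producing garbage.
        material = (token + "\x00" + passphrase).encode()
        return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

    @staticmethod
    def _keystream(key, length):
        # Stream cipher built from SHAKE-256 for the demo; a production service
        # would use an AEAD such as AES-GCM or ChaCha20-Poly1305.
        return hashlib.shake_256(key + b"|stream").digest(length)

    def create(self, secret, ttl_seconds=3600, passphrase=""):
        token = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        key = self._derive_key(token, passphrase, salt)
        plaintext = secret.encode()
        stream = self._keystream(key, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
        expires_at = self._clock() + ttl_seconds
        self._items[self._lookup_key(token)] = _Entry(salt, ciphertext, tag, expires_at)
        return token

    def read(self, token, passphrase=""):
        """Return the secret once, or None if unknown, expired, already read,
        or the passphrase is wrong."""
        lookup = self._lookup_key(token)
        entry = self._items.get(lookup)
        if entry is None:
            return None
        if self._clock() > entry.expires_at:
            del self._items[lookup]  # expired: purge and reveal nothing
            return None
        key = self._derive_key(token, passphrase, entry.salt)
        expected = hmac.new(key, entry.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, entry.tag):
            return None  # wrong passphrase: entry survives, nothing leaks
        del self._items[lookup]  # burn before returning so a second click fails
        stream = self._keystream(key, len(entry.ciphertext))
        return bytes(a ^ b for a, b in zip(entry.ciphertext, stream)).decode()


if __name__ == "__main__":
    store = OneTimeSecretStore()
    link_token = store.create("cpanel user: demo / temp password: Example-Only-1", ttl_seconds=600)
    print("first read :", store.read(link_token))
    print("second read:", store.read(link_token))
```

The passphrase option is what protects you if the link is intercepted before the recipient opens it: whoever grabs the link first still cannot read the secret, and the recipient finding a dead link is your signal that something went wrong.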

Cloud document sharing

Everyone has access to cloud storage and the ability to share files and documents FOR FREE.

I come across a surprising number of people who are unaware of this, but every single Windows user has access to OneDrive by default. It is part of the Windows operating system and allows you to sync up to 5GB of files to the cloud for free. You can then share these files with anyone simply by sending them a link.

Even if you do not use Windows, you can still get a free Microsoft / OneDrive account.

So you could temporarily put all the info you need to share into a text file or word doc, and share that link with your freelancer. Once the job is done, unshare that file and delete it. You can also password protect the share for added security.

If you do not know how to share files with OneDrive, then please read this article “how to share files with others using OneDrive“.

You can also do the same with Google Drive, which you also already have access to if you have a free Gmail account or use Google Workspace.

Use a password manager


Using a password manager is something I recommend to everyone. It will remember all your passwords and other personal info for you, software licenses, bank details etc. It will automatically log you into websites, fill in forms, generate strong passwords for you and more.

Some of the most popular solutions are 1Password, Bitwarden and Dashlane, some of which offer a free edition, although there are many other apps available which vary in features and simplicity.

Password managers are also the most secure way to share logins and other sensitive information with your freelancer and then revoke the share once the job is done. You simply choose to share a login, enter the freelancer’s email address, and it will send them a share request. If they already use the same password manager, then job done, otherwise, they simply need to register for the free version in order to accept your share request.

As a result the login details are never shared in plain text, as the freelancer will only use the password manager.


I am going to mention WordPress specifically because this is something I deal with a lot, since I build, support and manage WordPress websites.

In almost every WordPress job I do, clients will send me their own admin login, which they have sent to every freelancer before me, who still has access as the password has never been changed.

If you need to give someone permanent access, then create a new admin user just for them. If you just need to provide temporary access, then I suggest using the “Temporary Login Without Password” plugin, which will allow you to provide a temporary login that automatically expires after x number of days.

The dangers of using public WiFi


How often do you use public WiFi? Are you aware of the dangers of using public WifI? Do you know how to protect yourself from harm? These are some of the questions that I will answer in this post, so if you or your kids are not currently securing your mobile devices, keep reading.

The Dangers Of Using Public WiFi

Everyone has several points during their day when they find themselves somewhere in public, and they just happen to catch a break. In those times, most people will simply take out their phone and check their favourite social network, email, and similar things.

However, to do so, they need an internet connection, and if they do not have a mobile signal then they will next scan the area for public WiFi. Some people even have their devices set to connect to any public WiFi automatically. If you do that, you might think that you are lucky to have free internet access. However, you might just be about to enter a hacker’s trap.

Any free public WiFi that you find could actually be a trap set by hackers, but even if it is legit, with such poor protection there’s pretty much no difference. We understand that sometimes you don’t have the time or patience to think about this sort of thing. You might be in a hurry, or maybe you are waiting for an important email, or message.


Even if you use it for a little bit, your phone, tablet, or laptop can still get compromised.

So in this article, I am going to mention some of the most common and dangerous threats that you may come across when using public WiFi. And also some of the methods that you can use to protect yourself from them.


Snooping is possible when you use any WiFi network that doesn’t have encryption, and most public WiFi networks don’t, which makes them different from your home network. When you use your private WiFi network at home, it has password protection, as well as encryption (or at least it should).

Public WiFi networks are different, and many don’t even have password protection at all, so as to be easily available to anyone, such as tourists and guests of hotels, restaurants, and the like. However, this also makes them vulnerable, as well as convenient.

When you use a network with encryption, your online actions are hidden from others. If you use one without protection, then everything you do is out in the open for everyone else to see. And if you use such networks to connect to your bank or social network, you will make your privacy available to others.
It is basically like sitting in an office with glass walls, everything you do is visible and nothing is private.

If you use public WiFi to connect to your bank, social network or anything else, you will make your privacy available to others

Compromised Devices

When you are using your laptop or some other device in public, and you connect to an open WiFi, make sure to mark it as a public network. If you do so, the device that you are using will lock down the connection. If you fail to do so, your device will treat it as a safe connection, which might lead to exposure.

If someone hacks your device, they might get access to all of your private content and info. That includes pictures, potential credentials, business documents, and everything else that you have.

Malicious WiFi Hotspots

The most dangerous thing that can happen to you is to connect to a fake public network.

They will often have a name like “Free WiFi”, or “Public Network”, or something like that. These are networks that hackers themselves set up, and then leave open, and without protection.

They do so in the hope that someone will connect without realizing the danger, and most people will do just that. Not everyone knows about this method, and in fact, the majority doesn’t have a clue that this can even happen to them.


Several public WiFi Hotspots are set in place by hackers and left open to steal your online credentials, your business documents, contacts list, messages, emails, and everything else

But, when they do connect to one such network, hackers will see everything that they do.

This is how they steal your online credentials, your business documents, contacts list, messages, emails, and everything else.

They can later use this info to break into your bank account, steal your identity, hijack your social networks, and generally ruin your life for their own gain, or simply for their amusement.


Getting malware onto your device via a WiFi hotspot that a hacker controls is much simpler for them, and much more dangerous for you. Hackers can use malware for many things. Some of it might only steal your files, photos, and similar data.

There is always a worse option, which is when malware actually downloads even more malware. Eventually, the hacker might get complete control over your entire device. If that happens, there is no limit to what they can do, from locking down your phone, to making it a part of a botnet.

WiFi Sniffing

This method is pretty simple when it comes to its concept. Basically, hackers will monitor network traffic and record big swathes of data that passes through. They can inspect this data later, and try to find some useful information.

This method can lead to discovering someone’s credentials, and other personal information. The consequences are many, and they might steal your money, your identity, or blackmail you if they find some secret.

And the worst part is the fact that sniffing packets of data is not even illegal most of the time. It depends on the country’s laws, but not many countries bother to legislate against things like this, which only affect a few people at a time.

Doing these things is actually very easy. Most people imagine that you need a lot of technical knowledge, or maybe some expensive equipment to do so. The truth is that almost anyone can do these things with an app or two, or some program of a higher quality.

The real technical knowledge is pretty much not even needed, and most instructions on how to do these things can be found pretty easily online.

You should have in mind that all of these dangers are a real threat, whether you are in your hometown, or in a foreign country.

Free WiFi can be a real danger whether you are in your hometown, or in a foreign country

How To Protect Yourself From WiFi Dangers

Now that you know what threats are out there, you should also learn how to recognize the danger.

Also, once you do recognize it, how to protect yourself. Some of these methods are something that you will just have to remember, and others will do most of the job by themselves.


Your job is to try to remember as much as you can, and when you can, you should avoid public WiFi. It might not be as convenient, but it is always recommended to wait until you get home. Now, let’s see what the methods of protection are.

Double-Check The Network Before Using It

False assumptions are what lead to most of these problems. In short, you shouldn’t assume that a WiFi network is legitimate just because it says so. You shouldn’t really use any unknown WiFi, since you don’t know who it belongs to.

It might belong to a restaurant, coffee shop, or a nearby hotel, or it might belong to someone fishing for easy targets.

Stick With HTTPS

Google Chrome lets you know when the site you’re visiting uses an unencrypted HTTP connection rather than an encrypted HTTPS connection by labelling the former “Not Secure”. Heed that warning, especially on public WiFi.

When you browse over HTTPS, people on the same WiFi network as you can’t snoop on the data that travels between you and the server of the website you’re connecting to. But over HTTP? It’s relatively easy for them to watch what you’re doing.

Thankfully all major sites are using HTTPS now, meaning that data is encrypted, but a lot of smaller sites are still using HTTP, and apps on your mobile device also may not be using a secure connection to connect to their servers.

Update Your Software And Antivirus

Your OS will get updates on a regular basis, which goes the same for all legitimate apps on your phone or tablet. Installing these updates might be boring and annoying, but it is one of the best ways for you to stay safe.

New vulnerabilities are always being found and patched. If you have a system that did not patch old vulnerabilities, hackers might still bypass your protections. Most of these updates will install themselves automatically, but only if you allow that in your settings.

And the same goes for your antivirus. It won’t help much if you connect to a network that a hacker controls, but it will help a lot if they try to send you malware. That is why you need to keep it up to date and operational.

Forget A Hotspot When You Leave

If you have no choice and it is an emergency, you will simply have to connect to a hotspot and do what you need to do. However, we recommend doing what you must as quickly as possible. And after you finish, forget the hotspot immediately.

You don’t want to risk your phone remembering it and reconnecting automatically every time you get close to that hotspot. That way, you might allow someone access without even knowing that you are in danger.

Having your phones remember WiFi that you use is practical and convenient, but also very dangerous. This is a danger that you must not overlook, otherwise, trouble is sure to follow.


Finally, the best thing that you can do to protect yourself is to use a VPN. They are cheap and easy to use, they go with you everywhere, and they protect you no matter where you are, even if you connect to a public WiFi.

VPN stands for Virtual Private Network, and its main purpose is to help you stay safe online. VPNs have multiple methods of doing so, which all add up to one protective app that you can download on any device.

Depending on a VPN, there are different features that you can use to enhance your protection.


However, there are three main features that they all have in common:

  1. The first of these is security protocols. In order to keep your data safe, a VPN creates a protective tunnel around your data flow. Your data goes through this tunnel, and while it is inside, nobody can use it, see it, or record it. With this method, your online actions are safe and under strong protection.
  2. The tunnels are not perfect, and there might be a leak. Still, there is nothing to worry about, because VPNs also encrypt your data, just in case something like this happens. They use strong encryption that will keep everything you do protected. Even if someone somehow manages to get through your tunnel’s protection, they won’t know what they are seeing. And these protections are so strong that some of them have never been breached.
  3. Finally, they offer large server networks that can change your IP address. Thanks to this, nobody will connect you to your online actions, since they will appear to come from another IP address, while you remain safe and anonymous.

As mentioned, VPNs offer a lot of extra features. Some of them serve as an enhancement to the existing methods of protection, such as DNS leak protection, which makes sure that your tunnel has an extra layer.

Others will make sure that your protection will remain even if something disturbs the connection. This is what kill switches do.

All in all, whatever features they offer, the best VPNs will protect you as best they can. They do it by blocking out hackers, stopping malware, and even by blocking ads.

Buying a VPN service is economical. You can subscribe to one of the best VPNs starting from as little as £2.45 per month. Considering that your privacy and safety are at stake, it is well worth considering.

You can also use a VPN router, here is a guide to buying the best VPN router.

One thing to be aware of: many people believe that using a VPN hides your online activity and makes you completely anonymous. This is not true. Your online activity is tracked by more than just your IP address. The apps on your mobile devices and the cookies in your browsers are sending information about your activity all the time, allowing advertisers to track you around the internet.

Which VPN To Choose?

Because of their sudden popularity which keeps on increasing, there are now hundreds and hundreds of different providers. Choosing one is hard enough, but choosing a good one can be even worse.

Here are some of the most popular VPN providers. I personally use Tunnel Bear right now, and each account allows up to 5 devices to be connected. So depending on the size of your family, a single account could be used for your entire family’s smartphones.

According to sources, all of these are strong, fast, cheap, and they will give you the best protection that you can find, at the time of writing anyway.


Using public WiFi hotspots can be risky without a VPN, but you sometimes can’t help it. It is understandable, but you should still try to avoid doing it when possible unless you have a VPN to protect you.

However, when you find yourself in a situation that you have to use one, try to remember what you should and shouldn’t do. Do not log into social networks, emails, and especially don’t connect to your bank account. Also, try not to pick something that looks like it is offering itself too strongly.

And of course, subscribe to a VPN, and always have it on your devices. Many VPNs allow multiple connections at once, which means that with one subscription, you can protect 3-5 of your devices at the same time.

So remember these things next time when you choose to connect to a public WiFi hotspot and try to stay safe.