1.2 billion usernames and 500 million emails have been stolen from 420,000 websites. The worst part is that we still don’t know exactly which websites were affected.
The everyday user can't do much to persuade companies to spend more of their budgets on security, but that doesn't mean we are completely helpless.
Perhaps the most important lesson to take away from this breach is the advice from Jeremy Gillula of the EFF: don't use the same password on two or more sites. Stolen credentials are routinely tried against other popular sites, so a single breached site can cost you every account that shares its password.
If you have trouble remembering your passwords, use a password manager to keep track of them. Once a manager is in the picture, length and complexity stop being a burden: it can generate a long, random, unique password for each site, and logging in is a matter of autofill or copy and paste.
If you don't want to use a password manager for some reason, there is an alternative suggested by Bruce Schneier: turn an easy-to-memorize sentence into a password, for example by stringing together a letter from each word and keeping any digits and punctuation. The sentence is easy to recall, while the result looks nothing like a dictionary word.
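The three pieces of advice above (a manager generates a unique random password per site, a memorable sentence can be turned into a password, and a password must never be shared between sites) as an added example that is not part of the original post or of any password manager's code. The sentence-to-password rules, the site names and the sample vault are this example's own constructions; the rules are a deliberate simplification, not Schneier's exact method.

```python
"""Added example, not from the original post: per-site random passwords,
a simplified sentence-to-password scheme, and a reuse check over a vault."""
from __future__ import annotations

import secrets
import string
from collections import defaultdict

# Character set a password manager would typically draw from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """What a manager does for you: a CSPRNG-generated password that contains
    at least one lowercase letter, uppercase letter, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def sentence_to_password(sentence: str) -> str:
    """Simplified sentence scheme (an assumption of this example, not
    Schneier's exact rules): keep the first character of each word with its
    case, keep whole numbers, and keep trailing punctuation as a symbol."""
    out = []
    for word in sentence.split():
        if word.isdigit():                      # "2" stays "2"
            out.append(word)
            continue
        out.append(word[0])                     # first character, case preserved
        if len(word) > 1 and not word[-1].isalnum():
            out.append(word[-1])                # "market!" contributes "m!"
    return "".join(out)


def find_reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Group the vault's sites by password and return every group of two or
    more sites. The passwords themselves are deliberately not returned."""
    sites_by_password: dict[str, list[str]] = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    groups = [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]
    return sorted(groups)


def sites_to_reset(vault: dict[str, str], breached_site: str) -> list[str]:
    """When one site is breached, list every other site sharing its password:
    those accounts need a new password just as urgently."""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items()
                  if pw == leaked and site != breached_site)


# Constructed sample vault; these are not real credentials.
SAMPLE_VAULT = {
    "shop.example": "correct horse battery staple",
    "forum.example": "correct horse battery staple",   # reused: bad
    "bank.example": sentence_to_password("This little piggy went 2 market!"),
    "mail.example": "x9$Qf7!pLm2#vRt4Wz",
}

if __name__ == "__main__":
    print("fresh random password:", generate_password())
    print("sentence scheme      :", SAMPLE_VAULT["bank.example"])
    print("reused across        :", find_reused_passwords(SAMPLE_VAULT))
    print("if shop.example leaks, also reset:", sites_to_reset(SAMPLE_VAULT, "shop.example"))
```

Running the block as a script prints a fresh random password, the sentence-derived one (`Tlpw2m!`), the group of sites sharing a password, and the list of accounts that would need resetting if `shop.example` were breached. The reuse check returns site groups rather than the passwords themselves so that its output can be logged or shown without echoing secrets.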
If new information reveals which sites were affected and you have an account at one of them, change your credentials there immediately: the password, the secret questions and their answers, and the username if the site allows it. Change the password on any other site where you reused it as well. And because so many e-mail addresses were compromised, be on the lookout for spear-phishing e-mails. I previously wrote a post on how to protect yourself against spear-phishing.
Those phishing e-mails may look genuine. The crooks who broke into these websites know which site each address came from, and because you really do have an account there, a message from that site won't seem surprising. In other words, these attackers know more about you than a phisher blasting the same e-mail to thousands or millions of strangers: they know you have an account at the breached site, and they hold whatever personal details they managed to pilfer from it. The more information an attacker has about you, the easier spear-phishing becomes. So if a message from a breached site asks you to log in or "verify" your account, open the site by typing its address rather than following the link in the e-mail.