In light of the news this week of the personal data of over half a billion Facebook users and another half a billion LinkedIn users appearing online, there has been an understandable increase in concern about data breaches, along with the typical confusion about what a breach actually means, especially for those who discover that their information was included in one. Fortunately, neither of the two leaks above included passwords, so no one need worry that someone can take the information they find online and easily take over their Facebook or LinkedIn account (the leaked addresses and profile details are still useful to phishers, but that is a different problem). But what if you discover that your account is part of a leak that did include passwords?
With these two notable releases of personal data occurring in the same week, some people may have visited a site like "Have I Been Pwned" (or used Firefox Monitor, which uses that site as its source of data) and discovered that their email address(es) have been included in other data leaks. Others may at some point have received an email from a site where they have an account explaining that the site was compromised, or have access to a "Dark Web Monitoring" service that notified them that one of their accounts was included in a new data leak. The most serious of these leaks are usually the ones that included both the email addresses and the passwords of users.
"But so what? I use my email account all the time and haven't noticed anything weird, so if I reset the password for it, I should be good to go, right?" This is where things get confusing for many people. Many sites require an email address as the username, so when someone sees that some leaked data includes their email address and a password, they read it as "my email address and my email password were leaked" instead of the more accurate "my username on that site and my password on that site were leaked". That the username also happens to be their email address is unimportant as far as the security of their email account is concerned, but it is important in that plenty of other sites likely use exactly the same username (i.e., the same email address), and people often get lazy and reuse a password here and there. Thus, if someone uses the same username and password combination on some minor site as they do on a major social media site, and the minor site gets compromised, all it takes for someone else to get control of the social media account is to try the credentials they found there. Attackers do exactly this, automatically and at scale, against every popular site; the technique is called credential stuffing. (Of course, if the leaked password is also the one for the email account itself, then that account is vulnerable too!)
"OK, so what do I do then, to keep my accounts secure?" Well, if you find out that a particular site or service has been compromised, the first thing you should do is reset your password on that site. The next thing to do is to reset your password on any site that uses the same combination of username and password as the compromised one, starting with the highest-profile ones and the ones that would cause you the most grief if someone got into them. Your email account belongs at the very top of that list if it shares the password, because password resets for every other site are delivered there. Also, don't ever use that original password again, anywhere. Use a unique, difficult-to-guess password for every single site. Yes, that can be a pain, so either use the function in most browsers that allows you to generate and save passwords or, even better, use a password manager application.
A password manager is an application or service that allows a user to store a unique password for each of their accounts and to unlock access to all those passwords with a single master password. They work much the same way as the password management features of most browsers do, but without being tied to any particular browser or device: you can access your passwords using a web interface, a browser extension, or an app on your phone or tablet. They can also store other sensitive bits of information: credit card numbers, medical notes, etc. My family has a "Family Organization" plan for the Bitwarden password manager and one of the best features we've discovered is the ability for anyone to share selected items with some or all of the other family members. For example, we no longer have to text each other to find out what the Netflix password is, since it's shared with everyone. Some other popular examples of password managers are LastPass, 1Password, and Dashlane. Some password managers have free versions, some have free versions with limitations, and others are paid-only, so it pays to do some research.
Whether you use a password manager to store your passwords or just your favorite browser, one final thing you should definitely do is use whatever functionality it provides for analyzing your passwords (I know Chrome and Bitwarden both have this ability, so I'm assuming most others do as well). This analysis will typically check all the passwords you have stored for weak and duplicated passwords, plus see whether any of them appear in a database of passwords from past data breaches. A well-designed breach check does not send your passwords anywhere: Have I Been Pwned's Pwned Passwords service, which Bitwarden uses for this, receives only the first five characters of a SHA-1 hash of each password and the matching is finished on your own device. To remedy what the analysis finds, you will need to log into the site corresponding to each flagged password, change the password, and save the new one in the password store. It's not exactly fun, but it will contribute a great deal toward the security of your online accounts as a whole.
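To make the three checks concrete, here is a small audit script I wrote for this post; it is not code from Bitwarden, Chrome or any other password manager. It runs over a constructed sample vault (made-up sites and passwords) and flags each entry that is weak, reused on another site, or present in a breach corpus. The breach lookup follows the shape of the Pwned Passwords range API (a five-character SHA-1 prefix goes out, a list of "SUFFIX:COUNT" lines comes back, the suffix comparison happens locally), but the corpus here is a constructed stand-in built in memory, and the names VAULT, lookup_range, breach_count, is_weak and audit_vault are my own. The strength rule is a deliberately simple length-and-character-class heuristic, not a real strength estimator.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault: the kind of data a password manager holds.
# Every site, username and password here is made up for this example.
VAULT = [
    {"site": "example-forum.test", "username": "alice@example.com", "password": "Summer2021!"},
    {"site": "social.example", "username": "alice@example.com", "password": "Summer2021!"},
    {"site": "mail.example", "username": "alice@example.com", "password": "correct horse battery staple"},
    {"site": "bank.example", "username": "alice@example.com", "password": "123456"},
    {"site": "shop.example", "username": "alice", "password": "x7#Qm!vL9pW2@zRt"},
]


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, indexed the way the range API
# serves it: prefix (first 5 hex chars) -> ["SUFFIX:COUNT", ...].
# Plaintexts are listed only so the example is self-contained.
BREACHED_PLAINTEXTS = ["123456", "password", "Summer2021!"]
BREACH_RANGES = defaultdict(list)
for _i, _pw in enumerate(BREACHED_PLAINTEXTS):
    _h = sha1_hex(_pw)
    BREACH_RANGES[_h[:5]].append(f"{_h[5:]}:{(_i + 1) * 1000}")


def lookup_range(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (offline)."""
    return BREACH_RANGES.get(prefix, [])


def breach_count(password):
    """k-anonymity check: only the 5-char hash prefix leaves the client;
    the full hash is compared against the returned suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_weak(password, min_len=12):
    """Simple heuristic: too short, or short-ish with few character classes."""
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    return len(password) < min_len or (len(password) < 20 and classes < 3)


def audit_vault(vault):
    """Return {site: [issue, ...]} for every entry with at least one issue,
    issues ordered breached, reused, weak."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])

    findings = {}
    for entry in vault:
        pw, site = entry["password"], entry["site"]
        issues = []
        count = breach_count(pw)
        if count:
            issues.append(f"breached ({count} occurrences)")
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            issues.append("reused on " + ", ".join(others))
        if is_weak(pw):
            issues.append("weak")
        if issues:
            findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit_vault(VAULT).items():
        print(f"{site}: {'; '.join(issues)}")
```

Swapping lookup_range for a real HTTPS call to the range endpoint turns this into a working checker, and the important property is visible in breach_count: the password itself, and even its full hash, never leave the machine. Note that the sample vault's two reused entries are also the ones that turn up breached, which is exactly the situation the reset-everything-that-shares-it advice above is about.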