It's time to change your passwords again. All of them.
A Russian crime ring has stolen a staggering amount of confidential information: 1.2 billion username and password combos and more than 500 million email addresses from some 420,000 websites, according to a report in The New York Times. Hold Security in Milwaukee first discovered the breach, warning site visitors in a post Tuesday titled, "You have been hacked!"
"The magnitude of this is almost unimaginable," said Adam Levin, chief executive of Identity Theft 911. Given a global population of a little more than 7 billion, he said, "you've got a pretty good shot that you're on the list."
Hold Security has yet to name companies affected, and did not immediately respond to requests for comment. But security experts say the breach could have a domino impact. "The truth of the matter is, consumers still practice incredibly poor password policies," said Adam Tyler, chief innovation officer for fraud detection firm CSID.
Even if say, your bank or favorite retailer weren't among those hacked, people tend to recycle passwords among frequently visited sites — putting even more of their accounts and sensitive information at risk. Scammers are likely to take advantage of the news, too, by sending out phishing emails that masquerade as breach alerts from a bank or retailer, with the net effect of stealing more login combos.
Given the scope, it's smart to take steps to limit the potential impact of the breach. "There are certainly some sites I'm going to go to today and change my password," said Geoff Webb, senior director of solution strategy for security management firm NetIQ. At least, accounts containing sensitive financial or medical information. "The worst that will happen is that you've changed your password," he said. "That's not a bad thing."
With big data breaches becoming more common, experts say it's time to take more steps to protect yourself:
Pick a better password: "Passwords have to be easy to remember but hard to guess," said Parry Aftab, an attorney specializing in Internet privacy. Her trick: Pick a sentence (not a common phrase or saying) that can be boiled down to a string of letters, numbers and symbols. For example, "On Jason's fourth birthday, he ate cake!," which might boil down to "OJ4thbh8c!"
Even then, it's not smart to use the same password for your bank login as you do for a retailer's site or social networking account. Pick a different phrase, she said, or at least consider sneaking in a site-specific abbreviation somewhere (FB for Facebook, say, to make it "OJ4thFBbh8c!") to make it unique to the site, without overburdening your memory.
Try a password manager: Services such as LastPass, Dashlane and KeePass create and manage complex passwords for you. "They make it a million times easier to create complicated passwords," Tyler said. The catch: you'll need a very secure password or authentication as a master password for that account. Basic versions are free, while premium versions covering more accounts and devices can run up to $20 per year.
Beef up authentication: Some sites, including Gmail and Twitter, offer two-step verification — which requires users logging in from a new device to enter a code sent to the mobile phone linked to the account. When that technology is available, enable it, said Webb. "If you have that kind of step, it doesn't matter if someone steals your username and password," he said. "They still can't get in, unless they stole your phone, too."
Limit your financial risk: Don't use a debit card to make purchases online — credit cards offer more comprehensive protection against fraud. It's also smart to limit your online buying to just one card, said Sergey Lozhkin, senior security researcher at Kaspersky Lab. That makes it easier to monitor for potential problems, and cut off criminals' access if the number is compromised. Some issuers, including Bank of America, still offer temporary card numbers to keep your information safe.
Secure your devices: Password-protect your phone and computer to thwart prying eyes, Aftab said. If you're not the only one using a device, don't set sites to automatically log in or save passwords. Password-protect any files containing sensitive information.
Use social identity: Given the option to create an account or log in through a social networking site such as Facebook or LinkedIn — an option more retailers and other companies offer — consider the latter, said Webb. Doing so gives you fewer passwords to remember, and narrows breach worries to just a few sites. Of course, go this route and you'll want to be sure that social networking password is very secure, he said.
Scan for problems: Corporate data breaches aren't consumers' biggest concern. "Malware steals much more data than that each year," said Tyler. If there's malware on your personal or work devices, other password protections won't help at all. "It will just grab the updated passwords," he said. Install software to scan for viruses, spyware and other potential problems, and then use it regularly. This step is particularly important if you have kids — who tend to be less discerning about browsing and downloading, increasing the risk of contracting malware, said Aftab.
Stay vigilant: "You have to be on high alert now," said Levin. Take any email alerts about the breach from companies you do business with, with a grain of salt. "No institution will ever ask you to provide information via email," he said. Don't click on any links in the email, or call any numbers listed there. If the threat is legit, you'll be able to take any necessary steps by logging into your account in a new browser window, or calling the company on its main listed customer service number.
Consumers should also keep an eye on their accounts in coming months to ensure their financial information hasn't been compromised.