The data breach reflex
This post was originally posted on Peerlyst on October 6, 2017. I edited it a little bit and added some links to more recent blogposts.
Another day another data breach. Whether we like it or not, it's a reality we have to accept. Bitly and Kickstarter were hacked back in 2014. All together 14 million credentials were stolen. The remarkable fact is that the data only surfaced today. It makes you think about which of our other data is stolen that we are simply not yet aware of. I think a lot of people share that uncomfortable feeling with me. Let me explain how I ease my mind.
This lack of knowledge about possible compromised data makes it really important to have unique passwords for each website. The most secure way to do this is by using a password manager. It helps you to create strong and unique passwords. Further more it takes away the need to remember and recall passwords yourself, exactly the reason why people use bad, easy to remember passwords. There are heaps of passwords managers, both commercial and free ones. In this post you can find some tips for choosing a password manager.
While password managers are the most secure solution, they are not the most suitable solution for everyone. Choose the way of managing passwords that suits you best, as long as it supports the goal of having unique and strong passwords for every account. If you do so, a breach of site X can never impact any of your other accounts.
But what should you do after you learn that a website was breached?
Check if you have an account for the breached service
It happens more than once to me that I hear about a company being breached and I don't remember if I ever created an account on their website. For instance I wasn't sure about bitly. Easiest thing to do then is a password reset. The poor (and insecure) password reset implementation of bitly (that has an enumeration risk) made it extremely easy to discover that I had no account.
Be informed about data breaches
If you haven't done yet, subscribe to breach notification services like Have I Been Pwned. You will be informed when your email address occurs in a data breach aggregated by HIBP. Several password managers will also help you with this, by giving alerts when a service for which you have an account is breached.
If you want to learn more about different data breach monitoring services and tools, I suggest you to read this blog.
By no means this draws a complete picture of all the data breaches in which your data are exposed online. That's why I can't emphasize enough how important it is to use unique, strong passwords to minimize the impact of data breaches, yes even the ones you are not (yet) aware of...
Take appropriate actions if you're in a data breach
Once you know your personal data is leaked you should do a few things. Cursing is allowed ;-)! I guess that's what everyone does when they learn about it. But I often see reactions like this:
This is what we call "breach fatigue". People hear over and over again that companies get breached and they simply don't care anymore. But this might bring yourself into trouble. A few simple steps that literally take 1 or 2 minutes time can make a world of difference.
So what should you do? Immediately change the password of the affected account and activate two-factor authentication if possible. The extra factor of authentication makes it a lot more difficult for attackers to get in to your account, even when they have the password.
Conclusion
It is important learn from data breaches and improve your online (account) security and privacy. In particular for the affected account(s), but even broader. A data breach is a good moment to review if you have strong and unique passwords for your online accounts and 2FA activated (when offered by the website or app).
I reflect on the way I secure my accounts on a regular basis. For instance: insights learned from the onlinerspambot data breach helped me to improve my account management.
Once you have a good security strategy you will feel a lot less insecure the next time you're in a data breach.