What to do if someone really stole 1.2 billion passwords?

Data breaches have become routine. One can happen to any site, on any day. You can’t prevent them, but there is a way to minimize the damage.

Today the New York Times ran a story about how a criminal group allegedly stole more than a billion passwords and usernames/emails from various web sites. This may sound like the biggest heist in Internet history; however, the exact details of the theft were not provided, which made the security community somewhat skeptical. First of all, the public was not told which sites were targeted. Technical details were absent as well – for example, every security expert wants to know whether the stolen passwords were hashed or stored in plain text. An ordinary user, however, needs to know only one thing: is it time to act, and if so, what action to take.


Major providers have not sent password change notifications, which may indicate that they are unaffected or do not expect negative consequences for end users. However, Hold Security, the company that publicized this research, claims that many of the affected web sites are small. Such sites often lack strict security procedures, and their users cannot expect a data breach notification from them.

You can minimize damage by making sure you have a unique password for each account.

This alleged theft can serve as a good occasion to switch from incoherent password habits to a more secure and systematic approach. “You’ve got no real control as a consumer when a breach happens at an online provider you use, but you can minimize damage by making sure you use a unique password for each account,” explained David Emm, Kaspersky Lab’s senior security researcher in the UK.

Unique passwords are paramount to password security. Any password might be stolen either from a user’s computer (e.g. by a keylogger) or from an online provider, so make sure that a stolen password won’t open the door to your other important accounts. It is hard to keep a long list of passwords in your memory, so a password manager is recommended. In addition, each password must be strong enough (you can test yours using our free password checker).

For important accounts (banking, Gmail, etc.), additional protection is highly recommended. These services usually offer two-factor authentication, which makes the password alone useless to thieves.