Year after year, data breach incidents expose confidential data from millions (and even billions) of accounts. Be constantly vigilant and protect your accounts. But even with adequate security measures, your password could still end up exposed and publicly listed online. When it happens, here’s what you should do.
Mitigate the disaster
If you’re lucky, no cybercriminals have bothered using your exposed password just yet. But the fact that your password is public and ready for the taking by any random person means you must change it fast.
Hackers can lock you out of your accounts, and the steps to recover locked/stolen accounts are almost always more difficult than the process to change passwords. In worse cases, you may be locked out permanently. Again, be quick.
Find every account, including the old, unused ones you’ve forgotten about, that uses the exposed password, and change it. For added security, also change any variations of the exposed password that you use on other accounts.
Sign out from all sessions
After you change a password, most web accounts require you to sign back in with the new one. But some accounts skip this step and leave existing sessions logged in. The problem is that anyone who already signed in to your account with the old password keeps access through the session they opened.
Different web/mobile apps and services have varying processes to sign out of all sessions and devices. In general, the option should be listed within the account settings. With Google, for instance, you can visit myaccount.google.com/device-activity to see all devices where you’re signed in, then select each device and click the sign out button.
Review connected third-party apps
You may have accounts (e.g., your email, Facebook, or Twitter account) that you use to sign in to third-party apps and services. Since you’re in the middle of a security checkup, consider removing all of these connected third-party apps.
Facebook lists third-party services on Settings > Security and Login > Apps and Websites. Twitter also has them listed on the Connected apps page. And so does Google. These pages that list apps with access to your account typically have a button or other options to allow you to remove access for apps you no longer trust or use.
Third-party apps pose security and privacy risks. If you grant them enough permissions, these apps could potentially access and steal your data, spread spam through your main accounts, or perform changes without informing you. Only reestablish connection to third-party apps as needed. Avoid connecting to unknown apps especially if they’re from disreputable sources.
Notify your contacts
Unless you’re quite certain that no one has hacked into your accounts using your exposed password, you should inform your friends and family to be wary of any recent messages that came from one of your accounts.
A hacked account can be abused for identity theft. A fraudster could claim to be you and ask your contacts for money for some supposed emergency or other made-up story. Your contacts may let their guard down and give in to the request because the message came from your own account.
Check your other passwords
If you already have an exposed password, then you may be wondering if your other passwords are safe and not compromised. After all, any company—banks, social networks, ecommerce platforms, you name it—can suffer from a massive data breach.
Besides waiting for victimized service providers to tell you, there’s a way to check whether your password is already exposed to the public. Visit haveibeenpwned.com/passwords and enter your password there. The website checks it against its list of pwned passwords, aggregated from past data breach incidents, and reports how many times your password has been exposed.
For instance, the word password itself has been seen 9.6 million times in data breaches. Such a high occurrence count is the main reason you should never use this very common password, besides the fact that it’s too short and can easily be discovered via brute-force attacks.
The HaveIBeenPwned exposed password list is downloadable via torrent if you’re hesitant to enter your password. Alternatively, visit the home page at haveibeenpwned.com to submit your email address instead, so you can see if your account has been in a data breach.
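The article does not describe how the check works under the hood, so here is an added example (not code from the article or from HaveIBeenPwned) that implements the range lookup the Pwned Passwords service is known to use: the password is SHA-1 hashed locally, only the first five hex characters of the hash are sent to api.pwnedpasswords.com, and the client matches the remaining 35 characters against the returned suffix list itself. The full password never leaves your machine, which is also why the website can ask you to type it in. The sample range response and its counts below are constructed so the script runs offline; the `online_lookup` function is the optional real query.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for the prefix 5BAA6.
# Assumption (matches the public API): each line is "<35-hex-char suffix>:<count>".
# Only the first suffix is the real SHA-1 tail of the word "password"; the counts
# are made up for this example (the article quotes roughly 9.6 million).
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9600000
00000000000000000000000000000000001:3
ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:12
"""


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; the service indexes on this hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> Tuple[str, str]:
    """Split the 40-char hash into the 5-char prefix that is sent and the suffix kept local."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_lookup(prefix: str) -> str:
    """Stand-in for the network call: serves the constructed sample for one prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def online_lookup(prefix: str) -> str:
    """Real range query (needs network). Only the 5-char prefix is transmitted."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: Callable[[str], str] = offline_lookup) -> int:
    """Return how many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Swap in online_lookup to query the live service instead of the sample.
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Pass `lookup=online_lookup` to `pwned_count` to query the live service; the client-side suffix matching means the response tells the server nothing about which of the few hundred candidate hashes you were interested in.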
The next data breach is coming
You don’t know when it will be, but expect another data breach to happen and affect you. At this point, you can’t just trust companies to protect your data; you must take security precautions yourself.
Start by enabling multifactor authentication on your accounts. Make it a habit to use a unique password for every online account, so that an exposed password only affects a single account. Remembering multiple passwords is hard, so consider using a password manager. Or learn to create long, secure passwords that are easy for you to remember but impossible for others to guess.
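To make the "long but memorable" advice concrete, here is an added example (not from the article) that generates a word-based passphrase with Python's `secrets` module and estimates its strength in bits, so you can compare it with the short, brute-forceable password the article warns against. The 16-word list below is a constructed placeholder; the assumption stated in the code is that a real list in the style of diceware has 7776 words, which is the size the entropy figures are computed for.

```python
import math
import secrets
from typing import List

# Constructed placeholder list; a real diceware-style list has 7776 words (assumption).
SAMPLE_WORDS: List[str] = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid", "pepper",
]
DICEWARE_LIST_SIZE = 7776


def generate_passphrase(words: List[str], count: int, separator: str = "-") -> str:
    """Pick `count` words uniformly at random with a CSPRNG (secrets, not random)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase of `word_count` words drawn uniformly from `list_size` words."""
    return word_count * math.log2(list_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a random string of `length` characters from a `charset_size` alphabet."""
    return length * math.log2(charset_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from `list_size` that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 6)
    print("sample passphrase:", phrase)
    print("6 words from a 7776-word list: %.1f bits"
          % passphrase_entropy_bits(6, DICEWARE_LIST_SIZE))
    print("8 random lowercase letters:    %.1f bits"
          % charset_entropy_bits(8, 26))
    print("words for 80 bits:", words_needed(80, DICEWARE_LIST_SIZE))
```

The entropy figures only hold when the words are chosen at random, which is why the generator uses `secrets.choice`; a phrase you compose yourself from favourite words is drawn from a far smaller, guessable space, and a phrase that already appears in breach data is weak no matter how long it is.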