So far in 2019, I’ve received four email notifications from the Have I Been Pwned service, each one alerting me that I was one of tens or hundreds of millions of people whose data was stolen in a security breach. In fact, if I add up all the people whose data was compromised just in those four breaches, the total comes to 1,588,640,494. That’s right—over 1.5 billion records of data, including names, email addresses, passwords, dates of birth, employers, genders, geographic locations, IP addresses, job titles, phone numbers, and physical addresses.
Such laxity and malfeasance are incredibly distressing, but these breaches are all in the past, and there’s absolutely nothing you or I or anyone else can do about that exposed data now. However, any of that data—particularly passwords—could be used against you, so it’s essential to make sure that you’re as protected as possible from such attacks.
The best thing to do is to make sure that you’re using a password manager like 1Password (TidBITS members get six months free!) or LastPass to create a strong, unique password for every Web site. That way, even if one site is compromised, as seems to happen every other week now, your accounts on other sites won’t be vulnerable (and yes, this happens; it’s called credential stuffing). According to one 2017 survey, as many as 25% of users reuse the same password across a majority of their accounts, and over 80% of people have reused the same password across two or more sites.
If you fall into that 25%, or someone close to you does, I strongly recommend Joe Kissell’s recently updated Take Control of Your Passwords, Third Edition. It’s one of Take Control’s best-selling books because it explains everything you need to know about making your online accounts more secure and simultaneously easier to access. And if you or someone you know has ever said, “But I don’t have anything to hide,” read Joe’s Take Control of Your Online Privacy, Fourth Edition,which he just updated with essential advice on dealing with all the latest threats. (It explains what you do have to hide.) Each book costs $14.99, but you can buy both together for just $20.
One last thing: Take a minute and search for your email address on the Have I Been Pwned site. It will tell you how many breached sites contained your address. (Don’t worry, the site is safe to use; the email address is never stored.) My address, which I’ve used broadly and consistently for many years, has been caught up in 22 breaches; if you can beat that, let me know in the comments.