By Ian Garland
It seems like almost every other day we hear about another massive data breach. The carefully-worded statement that you suddenly receive in your email inbox belies the severity of the situation: don’t worry, it usually says, everything is under control, and anyway, only a small percentage of our users were affected. Consider this, though: if the percentage isn’t zero, it’s already too high. Somehow, we have ended up in a dystopia where, to truly protect themselves online, people have to account for the failures of multi-million-dollar tech companies.
So what can be done? Let’s assume the worst: all of your accounts will be breached at some point in the future. With a little preparation, however, you can not only secure your accounts more effectively but also develop good online habits that make it less likely you’ll be affected by future breaches.
Step 1: Assess the damage
The first step is to find out the scale of the breach, exactly what kind of information was stolen, and, if possible, where it was disseminated. It’s also helpful if you know how long your data has been out there: if a million username and password combinations are posted on a forum, for instance, it’s likely they’ll be taken down long before anyone has the opportunity to try accessing your account. On the other hand, if ten people’s bank details are sold on the darknet, far more urgent action will be required.
Take a step back and really consider what this breach means for you. We’ll use Facebook as a hypothetical example since it’s an extremely popular service that has had almost a billion records stolen in the last few years. With your Facebook credentials, an attacker can access more than just your photos; they can also use any site that lets you log in with Facebook, including LinkedIn, Tinder, and Spotify, allowing them to find out a huge deal of information about you.
Step 2: Address immediate security risks
The steps you should take are highly dependent on what data was stolen. If you’ve simply had your login credentials stolen for a particular website, changing your password is usually all you need to do. Problems arise when you’ve used the same email address and password on multiple sites, however, since these are effectively all compromised too.
Sometimes, data leaks include far more sensitive information, such as your bank account details. In cases like these, the first thing you should do is contact customer support and make them aware of the situation. They will usually have protocols that can help restrict access to your account, such as preventing international money transfers or temporarily disabling your online banking service. If your home address has been leaked, call your local police department and ask to be added to their swatting registry (if they have one) — this makes it less likely that they’ll respond to violent incidents at your home without at least calling you to double-check first.
Step 3: Making yourself more resilient to future leaks
First things first: to prevent all of your accounts from being compromised by a single credential breach, you should use a different complex password on every website. The easiest way to do this is with a password manager, and some even let you know whether your current username and password have been found in any major historical data dumps.
While you’re at it, close any accounts you don’t use anymore, especially if you’ve bought anything on them in the past. If you can’t delete your account, remove your payment method and change all of your personal details to gibberish so that you won’t be impacted even if the site is breached at a later date.
The next step is to set up two-factor authentication on any service that allows it. This is less convenient since it requires you to enter a code whenever you log in, but it makes it exceptionally difficult for anyone to gain access without your permission. At a minimum, you need two-factor authentication on your email and social media pages, since if these are compromised, an attacker can reset several other passwords without too much trouble.
Finally, embrace encryption. Use a VPN wherever possible and try to send important information over more secure messaging services, if possible. While you’re at it, research the apps you use: some claim to offer end-to-end encryption but secretly store the keys needed to decrypt your conversations, while other platforms have recently come under fire for lying about how secure their services really are.
Tech giants love to claim that they take user privacy seriously but with hundreds of millions of accounts breached every year, clearly, far more needs to be done. Unfortunately, unless their bottom line begins to suffer, nothing will change. Users deserve better but until industry giants’ put people before profits, they are effectively wholly responsible for their own digital security.
Ian is a computing graduate from the University of the Highlands and Islands. He covers streaming, VPN, and security topics for Comparitech but has an interest in all aspects of technology, and especially machine learning. Ian has previously been featured in other tech and security publications including the RSA Conference blog.