IF YOU HAVE BEEN IMPACTED BY THE LOS ANGELES COUNTY FIRES PLEASE VISIT 211la.org/LA-Wildfires or lacounty.gov/emergency FOR UP TO DATE INFORMATION ON RESOURCES AND CURRENT STATUS...
You’ve been notified that your account was involved in a company data breach – where does that leave you? First, you’re not alone. With mega corporations the likes of Meta (aka Facebook), Amazon, T-Mobile, Discord, Pizza Hut/KFC, ChatGPT, Reddit, Atlassian, ad nauseam… all experiencing data breaches in the not-so-distant past, you basically have to be living under a rock to not have had at least one account leaked to the dark web. Does this mean we just throw up our hands and do nothing, accepting the inevitable? NO!
There are still actions within our control to protect our data and minimize harm, even in the event of a data breach.
1 – Change Account Password Immediately
When you find yourself caught in a data breach debacle, your first course of action should be to update your affected account password, making sure to strengthen and individualize it. Think of it as changing the locks on your door after discovering that an unauthorized person managed to get a duplicate key.
Now, while using the same password across many accounts for easy access is undeniably convenient, it’s crucial to know that this habit also presents a well-known vulnerability. Cyber criminals thrive on this predictable behavior and use it against you to easily gain access to other accounts that reuse the same password.
What makes a strong password? Long + unique = strong
What’s long? This changes as technology advances. A while back it was 6 characters, then 8. Fast forward to today and ‘long’ is defined as 12 characters or more for your password.
What’s unique? To qualify as unique a password should meet the following criteria:
This can sound like a bit of a tall order. However, using something called a passphrase is an easy way to create something unique without it being a meaningless jumble of random numbers, symbols, and letters. See the image below for a quick guide on how to create a passphrase.
Also consider a password manager to help you manage and use unique passwords across accounts without having to remember them all.
2 – Turn ON MFA/2FA
You’ve changed the digital lock to your account, now it’s time to add a new deadbolt to it by turning on MFA/2FA, if you don’t already have it on. Multi-factor or 2-factor authentication requires any new devices to verify the person logging in is really you and not just someone who happens to have gotten your password (like in the data breach you were sadly involved in through no fault of your own).
For most individuals, this additional form of verification means using an authenticator app like Google Authenticator, Microsoft Authenticator, or Authy. For accounts requiring a higher level of security, you may want to consider a YubiKey.
3 – Stop & Consider If Breached Password Was Used For Other Apps. If So, Rinse & Repeat Steps 1 & 2
As hinted at earlier, reused passwords are like giving cybercriminals a master key to any other accounts that share that password. If you still do it, you’re not alone, but you don’t have to continue making it easy for the criminals. Take a moment to consider whether any other accounts use the same password that was involved in the data breach, then go to those accounts and update each password to be long and unique for stronger account protection.
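One way to carry out step 3 against a password manager's CSV export, as an added example that is not from the original article. The column names, the account names and the sample passwords are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

MIN_LENGTH = 12  # the article's current definition of a "long" password

# Constructed sample export. The column names are an assumption; adjust them
# to match the CSV your password manager produces.
SAMPLE_EXPORT = """name,username,password
ShopSite,me@example.com,Sunshine2019!
OldForum,me@example.com,Sunshine2019!
Bank,me@example.com,copper-lantern-orbit-mango-27
Streaming,me@example.com,Sunshine2019!
Email,me@example.com,tr33house
Photos,me@example.com,tr33house
"""


def audit(export_text, breached_account):
    """List accounts to fix after a breach; no password appears in the result."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    breached = [r for r in rows if r["name"] == breached_account]
    if not breached:
        raise ValueError(f"no entry named {breached_account!r} in the export")
    exposed = breached[0]["password"]
    return {
        # Step 3: every other account that shares the exposed password.
        "shares_breached_password": sorted(
            n for n in by_password[exposed] if n != breached_account),
        # Reuse unrelated to this breach, but the same weakness.
        "other_reuse_groups": sorted(
            sorted(names) for pw, names in by_password.items()
            if pw != exposed and len(names) > 1),
        # Anything below the 12-character threshold.
        "too_short": sorted(
            r["name"] for r in rows if len(r["password"]) < MIN_LENGTH),
    }


if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_EXPORT, "ShopSite").items():
        print(f"{finding}: {accounts}")
```

The sample shows that a 13-character password still needs replacing everywhere once it is reused. A password manager export is plaintext, so run the check locally and delete the file afterwards.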
Author
Duan Dempsey
Founder, CEO of D2neXt