MONEY

A Billion Passwords Have Been Stolen. Here’s What to Do Now

Door that has been broken into
Stuart McClymont—Getty Images

This is potentially a much bigger deal than credit card theft. Change these passwords now to protect your most vulnerable points.

The New York Times is reporting that a computer security firm has found evidence that a Russian cybercrime gang has stolen some 1.2 billion Internet passwords and user names.

At this point, we don’t know which sites the passwords are connected to. But given the size of the possible theft, this is something you should take time to respond to as soon as you can, by updating your passwords and making sure they are secure.

It has gotten easy to be blasé about data theft stories. For one thing, there’s been a constant stream of them, such as the Target credit-card data hack, which likely affects millions of the retailer’s customers. And many of the most publicized thefts have targeted credit-card information. That’s scary, but consumers actually have considerable protection when card data is stolen. Your losses on charges to a stolen credit card are limited by law to $50, and they are capped on debit cards if you report a problem promptly. “I wouldn’t worry at all about credit cards,” says Paul Stephens, directory of policy and advocacy at Privacy Rights Clearinghouse

But the latest case may merit more caution because losing a password to a website that holds your personal data can be much harder to recover from. So here’s how to prioritize your response.

Protect your web identity and online data first.

This means Google, Yahoo, Facebook, Dropbox, Twitter, Apple iCloud, Twitter—any place where you communicate with people and leave valuable data. Consider, for example, how much of yourself can live in on a site like Google—not just your emails going back years, but family photos, music, and work documents. Read (if you can stomach it) this harrowing 2011 story by the Atlantic‘s James Fallows. Hackers cracked his wife’s Google password and used it to send out scam emails to her contacts — and when they were done, they wiped all her email. She was able to recover it with Google’s help, but it took a lot of footwork and quick response.

Stephens of Privacy Rights Clearinghouse adds that keeping online email accounts safe is especially urgent because your archive “paints a picture of your entire life” online, potentially giving a criminal clues about which accounts to try next. Your email address may also be the tool for resetting passwords on other accounts.

So go change your passwords on these sites now.

Use a smart password strategy.

Below is a simple way to create a harder-to-crack but still reasonably memorable password. This is a technique frequently recommended by computer security experts like Bruce Schneier. (We published this graphic with Susie Poppick’s interview with Schneier in the April 2014 issue of Money magazine.)

Screen Shot 2014-08-06 at 10.06.24 AM

Set up “two-factor” or “two-step” verification where you can.

Many sites, including Google, provide the option of an added layer of security beyond passwords, known as “two-factor” or “two-step” verification. In addition to your memorized password, you’ll have to enter another code when you sign in; these codes change every minute or so and get sent to your smartphone (via an app, text message, phone call) in real time.

This may sound like a pain, but on you can typically set it up so that you only have to do this once from each computer you use — which is plenty of protection because the guy halfway across the country who buys your password from one of these Russia hackers won’t also have access to your computer. I use it on several sites, and it’s mostly invisible after you get it started.

Now repeat these steps with any site that taps into your money.

You should probably start with your bank and brokerage accounts. Logic dictates that you want to go to the sites that actually have direct access to your money. With banks, you still have legal protections, similar to those for credit cards, if there are unauthorized electronic transfers out, says Stephens. But losing cash for a time may be trickier to deal with than an unauthorized charge. You also have to report a problem within 60 days, and in a worst case-scenario, Stephens says, a criminal with access to your account could change your address and contact info so you don’t notice right away. That’s one more reason to check in on your accounts regularly.

Many financial sites also have two-step verification now (some use tokens rather than smartphones). Don’t forget sites that you’ve linked to your bank, like ones you might use to pay bills or an old PayPal account.

Finally, lock up the credit cards.

Next, change your passwords at card company websites and any retailer or service provider where you’ve put your credit-card data, such as Amazon.com. Even if you are protected financially if your card number is stolen, it’s a pain to deal with and you’ll want to avoid it.

Your browser, Internet Explorer 8 or below, is out of date. It has known security flaws and may not display all features of this and other websites.

Learn how to update your browser