A Billion Passwords Have Been Stolen. Here’s What to Do Now


This is potentially a much bigger deal than credit card theft. Change these passwords now to protect your most vulnerable points.

The New York Times is reporting that a computer security firm has found evidence that a Russian cybercrime gang has stolen some 1.2 billion Internet passwords and user names.

At this point, we don’t know which sites the passwords are connected to. But given the size of the possible theft, this is something you should take time to respond to as soon as you can, by updating your passwords and making sure they are secure.

It has gotten easy to be blasé about data theft stories. For one thing, there’s been a constant stream of them, such as the Target credit-card data hack, which likely affects millions of the retailer’s customers. And many of the most publicized thefts have targeted credit-card information. That’s scary, but consumers actually have considerable protection when card data is stolen. Your losses on charges to a stolen credit card are limited by law to $50, and they are capped on debit cards if you report a problem promptly. “I wouldn’t worry at all about credit cards,” says Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse.

But the latest case may merit more caution because losing a password to a website that holds your personal data can be much harder to recover from. So here’s how to prioritize your response.

Protect your web identity and online data first.

This means Google, Yahoo, Facebook, Dropbox, Twitter, Apple iCloud—any place where you communicate with people and leave valuable data. Consider, for example, how much of yourself can live on a site like Google—not just your emails going back years, but family photos, music, and work documents. Read (if you can stomach it) this harrowing 2011 story by the Atlantic’s James Fallows. Hackers cracked his wife’s Google password and used it to send out scam emails to her contacts — and when they were done, they wiped all her email. She was able to recover it with Google’s help, but it took a lot of footwork and quick response.

Stephens of Privacy Rights Clearinghouse adds that keeping online email accounts safe is especially urgent because your archive “paints a picture of your entire life” online, potentially giving a criminal clues about which accounts to try next. Your email address may also be the tool for resetting passwords on other accounts.

So go change your passwords on these sites now.

Use a smart password strategy.

Below is a simple way to create a harder-to-crack but still reasonably memorable password. This is a technique frequently recommended by computer security experts like Bruce Schneier. (We published this graphic with Susie Poppick’s interview with Schneier in the April 2014 issue of Money magazine.)

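The graphic itself is not reproduced here. What follows is an added example, not the magazine’s graphic or Schneier’s own code: it implements the “sentence to password” method Schneier has described in his writing (keep the first letter of each word of a sentence only you would remember, keep digits and punctuation, swap a few words for symbols) and then runs a basic sanity check on the result. The substitution table and the small common-password list are constructed for the example.

```python
"""Sentence-to-password helper (added example; not from the original article).

Method: pick a sentence only you would remember, keep the first letter of
each word, keep numbers and punctuation, and replace a few words with a digit
or symbol. The substitution table and common-password list are constructed
for this example; a real check would use a full breached-password list.
"""
import math
import re

# Words rendered as a digit or symbol instead of their first letter (assumed table).
SUBSTITUTIONS = {
    "and": "&", "at": "@", "for": "4", "to": "2", "too": "2", "you": "u",
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Constructed sample of passwords found in every cracking wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Each match is either a word run (group 1) or a punctuation run (group 2).
WORD_OR_PUNCT = re.compile(r"([\w']+)|([^\w\s]+)")


def sentence_to_password(sentence):
    """Derive a password from a memorable sentence."""
    out = []
    for word, punct in WORD_OR_PUNCT.findall(sentence):
        if punct:
            out.append(punct)                 # keep "," "!" "?" etc. verbatim
        elif word.lower() in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[word.lower()])
        elif word.isdigit():
            out.append(word)                  # keep whole numbers such as 1987
        else:
            out.append(word[0])               # first letter, case preserved
    return "".join(out)


def strength_report(password):
    """Naive brute-force upper bound plus obvious problems.

    The bit estimate assumes every character was chosen uniformly, which a
    sentence-derived password is not, so treat it as a ceiling, not a measure.
    """
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    alphabet = sum(size for present, size in zip(classes, (26, 26, 10, 33)) if present)
    bits = len(password) * math.log2(alphabet) if alphabet else 0.0
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password lists")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return {"length": len(password), "naive_bits": round(bits, 1), "problems": problems}


if __name__ == "__main__":
    # Schneier's own published illustration of the method.
    pw = sentence_to_password("When I was seven, my sister threw my stuffed rabbit in the toilet")
    print(pw, strength_report(pw))          # WIw7,mstmsritt
    print("password", strength_report("password"))
```

The checks catch only the obvious: a password that passes them can still be weak if the sentence is a famous quote or song lyric that appears in cracking wordlists, so pick something personal and unpublished.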

Set up “two-factor” or “two-step” verification where you can.

Many sites, including Google, provide the option of an added layer of security beyond passwords, known as “two-factor” or “two-step” verification. In addition to your memorized password, you’ll have to enter a second, short-lived code when you sign in. The code is either generated by an app on your smartphone (these change every 30 seconds or so) or sent to your phone by text message or voice call at the moment you log in, and each code works only once.

This may sound like a pain, but you can typically set it up so that you only have to do this once from each computer you use — which is plenty of protection because the guy halfway across the country who buys your password from one of these Russian hackers won’t also have access to your computer. I use it on several sites, and it’s mostly invisible after you get it started.
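To make concrete what the “changing code” actually is, here is an added example (not code from the article or from any of the sites it names) of the time-based one-time password algorithm from RFC 6238 that authenticator apps use. The secret key is the RFC’s own test key, embedded so the block runs offline; a real site generates a random secret per user and hands it to the phone as a QR code. Text-message codes work differently: the server simply picks a random code and remembers it for a few minutes.

```python
"""TOTP (RFC 6238) as used by authenticator apps. Added example, not the
article's code. Uses the RFC's published test secret so it runs offline.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30          # the code rotates every 30 seconds
RFC_SECRET = b"12345678901234567890"   # RFC 4226/6238 test key, NOT for real use


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, digits=6, step=STEP_SECONDS):
    """What the phone app shows: HOTP with the counter = current 30 s window."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


def verify(secret, submitted, at_time=None, window=1):
    """Server side: accept the current window and `window` steps either side
    for clock drift, and compare in constant time so timing leaks nothing.
    A real server must also record the used counter so a code cannot be
    replayed within its window (not shown here).
    """
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def provisioning_uri(secret, account, issuer):
    """The text the enrollment QR code encodes (otpauth URI, Google Authenticator format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period={STEP_SECONDS}")


if __name__ == "__main__":
    print("code right now:", totp(RFC_SECRET))
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleSite"))
```

Because both sides derive the code from a shared secret and the clock, nothing travels over the network that can be reused: a stolen password alone fails at the second step, which is the point the article makes.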

Now repeat these steps with any site that taps into your money.

You should probably start with your bank and brokerage accounts. Logic dictates that you want to go to the sites that actually have direct access to your money. With banks, you still have legal protections, similar to those for credit cards, if there are unauthorized electronic transfers out, says Stephens. But losing cash for a time may be trickier to deal with than an unauthorized charge. You also have to report a problem within 60 days, and in a worst-case scenario, Stephens says, a criminal with access to your account could change your address and contact info so you don’t notice right away. That’s one more reason to check in on your accounts regularly.

Many financial sites also have two-step verification now (some use tokens rather than smartphones). Don’t forget sites that you’ve linked to your bank, like ones you might use to pay bills or an old PayPal account.

Finally, lock up the credit cards.

Next, change your passwords at card company websites and any retailer or service provider where you’ve stored your credit-card data. Even if you are protected financially if your card number is stolen, it’s a pain to deal with and you’ll want to avoid it.

MONEY identity theft

If Your Credit Card Information Was Stolen from P.F. Chang’s, Here’s Your Best Defense


Millions of private financial records have already been exposed this year. Follow this simple plan to stay safe.

Updated: August 4, 2014

If you’ve eaten at a P.F. Chang’s restaurant anytime since last October, you could have been the victim of a data breach. According to the company, consumer credit and debit card information has been stolen from 33 restaurants in the U.S. (You can find a full list of the affected locations and dates of possible incidents here).

Today, CEO Rick Federico issued a formal statement apologizing to customers and assuring them that their data has been secure since the restaurant chain identified the breach in June. In light of that news, we’re resurfacing a post from earlier this summer, with advice on how to protect yourself in the event you think your personal data has been hacked.

At least 8.3 million private records have been put at risk in 250 separate data breaches revealed this year, says the nonprofit Identity Theft Resource Center. One upshot of the leaks (up 23% over 2013 through late April): greater awareness of the threat of identity theft. Follow this three-tiered plan to defend yourself.

1. Take Advantage of Free Tools

Visit every four months to get a credit report from a different one of the three major reporting agencies, advises Ed Mierzwinski at advocacy organization U.S. PIRG. And sign up for any no-cost service your bank or credit card issuer has for notifying you of activity in your account.

2. Warn All Lenders

Afraid your data has already slipped out? Put a free 90-day fraud alert on all your credit reports by contacting Experian, TransUnion, or Equifax, says Paul Stephens of the nonprofit Privacy Rights Clearinghouse. That tells companies to use extra caution before issuing credit in your name. For confirmed identity-theft victims, alerts last seven years.

3. Lock Down Your Credit

For top security, freeze your credit, advises ID-theft consultant Robert Siciliano. Once a freeze is in place, no new line of credit can be opened in your name until you lift it with the PIN or password the bureau gives you. Visit each of the big three bureaus online to launch it. Costs—up to $30 to place a freeze and $12 to lift it—vary by state.



TIME Crime

Breaches of Your Personal Data Are Up 20%

10.9 million personal records have already been exposed this year.

The number of data breaches that have put individuals at risk of identity theft has jumped more than 19 percent so far this year, according to the cybercrime research group Identity Theft Resource Center.

The group says data from more than 10 million personal records has been exposed so far this year in 381 data breaches, including high-profile cases like when hackers obtained access to the data of up to 4.6 million Snapchat users. A breach is declared if a name and another piece of personal information, like a Social Security Number or a medical record, is put at risk of being seen by someone who shouldn’t have access to that data.

The majority of the breaches this year have been in the business sector, while government and healthcare breaches have each accounted for about 15 percent of the total.

The jump in data breaches coincides with a rising amount of identity theft since 2010, when the crime appeared to dip. According to the private firm Javelin Strategy & Research, 13.1 million people were victims of identity fraud in 2013, up from 10.2 million in 2010.

MONEY credit cards

What MasterCard’s Zero Liability Pledge Means for Your Debit Card

MasterCard's new policy makes using your debit card a lot safer. Here's what you need to know.

June 4 (Reuters) – In the wake of a spate of data breaches highlighting the vulnerability of companies that hold consumer information, MasterCard Inc announced last week it would apply the same rules to PIN-based debit card transactions as those used for credit cards: zero liability when fraud is reported.

“Fraud and identity theft have been in the news a lot lately. We want to give cardholders peace of mind,” says MasterCard spokeswoman Beth Kitchener. The breach at Target last year, which affected more than 40 million customers, is still a top concern for many.

For consumers who have MasterCard-branded debit cards, the extension of zero liability means some things will change, while others won’t. Here is what you need to know about the new policy, which takes effect on Oct. 1.

Q: Does this mean that using a debit card is just as safe for transactions as using a credit card?

A: Not exactly. While those who have MasterCard-branded debit cards will benefit from the policy change, the inherent issues with debit cards remain. The main difference between debit card and credit card transactions is debit cards are tied to users’ bank accounts.

“With credit cards, it’s not a big deal. It’s their money not yours,” says Gerri Detweiler, director of consumer education for “With a debit card it is a big deal. Consumers still need to be very careful when a debit card is tied to their main financial account.”

Q: How much money could I be on the hook for right now if someone steals using my debit card?

A: Federal laws extend protection to consumers using both credit and debit cards, but losses for victims of fraudulent credit card transactions are capped at $50. Most credit card issuers, however, set the cap at zero. Responsibility for fraud on a debit card is tied to when it is discovered and reported.

If you report the loss within two business days, federal law caps consumer responsibility at $50. If you report it within 60 days of receiving a statement that shows the fraudulent transactions, liability is capped at $500. If you don’t report it within 60 days, that liability is unlimited.

Q: Why isn’t a PIN enough to protect me?

A: In theory, a PIN protects the cardholder because it is a second secret that a thief who copies the card number does not automatically get. In practice, card skimmers are often paired with a hidden camera or a keypad overlay that captures the PIN along with the number, and some people use PINs that are easy to guess.

Javelin Strategy & Research, which analyzes banking and fraud, found that about 10 percent of identity fraud victims had their debit card PIN taken. That works out to more than 1.2 million cards.

Q. How do I get money restored to my account if it is stolen?

A: You should contact your bank as soon as you learn your account has been compromised, says MasterCard’s Kitchener. Call the phone number on the back of your card or the financial institution that issued the card. How quickly the money is restored varies from bank to bank.

Q. What’s the biggest issue for consumers when someone commits fraud with their debit card?

A: Getting back the money in a timely fashion. Only about a quarter of the leading financial institutions offer to make money lost to fraud available in bank accounts the day after it is reported, according to Javelin. However, that one quarter includes some of the largest banks in the country: JP Morgan Chase and Bank of America.

Q. What are the exceptions to the zero liability rule?

A: There is one exclusion for exercising “reasonable care in safeguarding your card.” Consumer experts complain that this is not very specific. “Reasonable can have variable definitions depending on who you ask,” says John Ulzheimer, credit expert for

Kitchener says it’s up to individual financial institutions to determine what would be considered a violation of the “reasonable care” rule. An example, says Detweiler, would be giving your card and password to someone to buy a gallon of milk who then ended up spending $200. Or writing your PIN on the card.

Q. Is this policy change a good thing for consumers?

A: Credit experts say that it is. “Certainly the notion that certain transactions weren’t covered by zero liability was confusing to the consumer,” Detweiler says. “It’s great that they’re simplifying that for their customers and covering all transactions.”

Given that so many consumers use debit cards as a way to control spending – using their own cash rather than borrowing on a credit card – Ulzheimer says any effort to protect users is beneficial.

“By and large this is a good thing for consumers who choose debit over credit,” he says. “It lets them keep their budgetary controls in place while worrying less about fraud.” (Editing by Beth Pinsker and Sofina Mirza-Reid)

TIME Odd Spending

6 Mother’s Day Factoids to Show You’re Not a Horrible, Ungrateful Son or Daughter

In advance of your Mother’s Day plans (or lack thereof) not going over well today, here’s some ammunition for making the case that you—and your mom—could have done a lot worse.

Moms get more love than dads. Or at least we spend a lot more on moms. According to the National Retail Federation, average household spending on Mother’s Day is roughly $50 higher than it is for Fathers Day.

Mother’s Day = Scam Day. The Better Business Bureau warns that consumers should “proceed with caution to avoid falling victim to a Mother’s Day scam,” which might consist of phony coupons and vouchers, a phishing e-mail, or an e-card of mysterious origin that is “as likely to contain destructive malware as warm wishes,” notes Consumer Reports. So if you’re desperate, you can use the possibility of a scam as an excuse for why you didn’t pony up and get mom a gift. You know: “Sorry, ma, just trying to save you from the horrors of identity theft.”

Thoughtful, hand-picked gifts are overrated. In a survey conducted on the behalf of PriceGrabber, the majority of consumers (60%) said they’d just order something online as a Mother’s Day gift. As for what moms want on Mother’s Day, 29% said they favored the not-remotely-personalized gift of a gift card, which was the second most common answer after a “gift” that doesn’t cost anything—spending quality time with one’s family (44%).

Mom would probably return whatever you picked anyway. Nine out of ten consumers polled by said they suspect that their mothers have returned or exchanged a Mother’s Day gift at least once. (Only 30% of the moms surveyed admitted to doing so, but what else do you think they would say.)

Tons of sons and husbands whip up plans at the last minute. Among the men polled by, 42% said they’ll make Mother’s Day plans only a few days beforehand or just throw something together on Mother’s Day itself. So you’re in good (or at least abundant) company if you’re totally winging it at the last minute. Just don’t be among the 6% of men who have forgotten about Mother’s Day altogether in the past.

Thousands must think moms really love beer and wings. Some 35,000 people reportedly brought their moms to Hooters last year on Mother’s Day. So on Sunday you can tell your mom, “Hey, at least I didn’t drag you to Hooters last year for your big day.” And if you did—hey, moms eat there free after all on Mother’s Day—at least you weren’t the only one.

MONEY identity theft

Is My Data Safe?

In the April issue of Money, before the story of the Heartbleed bug broke, Money spoke with computer security expert Bruce Schneier, chief technology officer at Co3 Systems and a fellow at Harvard Law’s Berkman Center for Internet and Society. Schneier said it is difficult for consumers to protect their data on their own — a point that Heartbleed has demonstrated all too well.

Is my data safe?

A: Well, that depends … What does that question even mean?

For example, the recent theft of credit card data from Target — as well as names, phone numbers, and email addresses — worries people.

That story is all over the Net, but if your card number was stolen, it didn’t cost you any money and you got a new one. Most of the other data is in telephone books. And all of it is for sale, cheap, from data brokers. If the bad guys want that stuff, getting it is easy. It’s common information, and not very useful for fraud.

So is there anything about data people should be worried about?

Sure. Pretty much everything you do on the Internet is spied on. I used to say that Google knows more about my interests than my wife does. But actually that’s wrong: Google knows more about my interests than I do.

Google knows exactly what I’m interested in and when I’m interested, and Google remembers those things more than I do. Do I remember what I was interested in six months ago? I don’t. Google remembers.

What’s the danger there?

We think we have a right to private thoughts, and that’s increasingly unlikely. That’s why the question “Is my data safe?” makes no sense.

The problem isn’t security of your data. When you go on Google or Facebook, for example, you say, “Yes, I am open to you spying on me.” And I’m talking about legitimate, legal uses.

Take the Nest thermostat, which connects to the Internet. All your heating and cooling data are stored in the cloud, meaning on the company’s servers. The company knows when you’re home, when you’re not.

You might have said, “Well, that’s a small company.” But Google just bought Nest. Now Google has that data, along with its other data. [Nest's CEO has said that data is used only for Nest services, and that if this changes, users will be asked to "opt in."]

And what can happen when companies have all this data?

Then they can use it for psychological manipulation — for advertising. That’s the fundamental business model of the Internet. Google’s profit is the net difference between the value of your data, to them, and the value of the services they’re giving you for your data. You are not the customer of Google or Facebook or other free services. The customers are advertisers. The product is you.

Is this just about showing me targeted ads?

The Federal Trade Commission is now looking at what to do about cellphone tracking in stores. You can be surveilled in a store because you’re carrying a phone. We’ve moved into an era when we are always observed.

Is this really spying? If a computer monitors me to send me ads, that’s not like a person looking at me.

Someone at Google said having a computer read your email is like having a dog see you naked. And that’s sort of what you’re asking.

It’s a computer — what’s the problem? But then think of the difference between a computer and a dog. You can trust the dog. The dog will never say anything. But a year from now if someone asked the computer what it saw you do, the computer might tell.

What about criminals getting into my data?

There are hacker threats. Compared with the threat of what you give away, they’re kind of the background noise, but they’re real. Primarily people are stealing data for financial fraud, and the effort is to get account numbers, passwords — information that can be used for identity theft.

Can I protect myself?

You can do things around the edges, but in the main, not really. And what’s interesting is why not really: Most of your data is not under your control.

How can you protect your Gmail? You can’t. Google protects it. Google can do a good job or a bad job, but you can’t fix it.

That Target hack was interesting because it happened out of Target servers: You as a Target customer could do nothing. It was a wholesale attack: Stealing one credit card is inefficient, so thieves break into a server and steal 40 million.

What are the things you can do around the edges?

You can do things like not putting your passwords in an email. Have good antivirus software. Make sure your software is updated. This is good computer hygiene. But the big threats are not related to those solutions.

Is biometrics, like using your thumbprint to open your phone, safer than using a password?

I wrote a piece on Apple’s new fingerprint ID, and I said on the whole this is a good idea. It secures the phone in ways that you’d probably not secure it otherwise. But the neat thing about a password is that if someone steals it, you can make a new one. If someone steals your biometric data, you can’t get a new thumb.

You said having a credit card number stolen isn’t that big a deal. Why? It feels scary.

Card fraud has been largely solved by credit card companies. They want you to use your cards, so they’ve made it easy to get problems fixed. Other kinds of identity theft are nastier, like when someone gets credit in your name.

Card lenders are also legally liable for the losses. You’ve said liability is a key to good security.

We need to put the risk onto the organizations with the power to fix the problem. Congress limited the amount you were liable for credit card fraud to $50. The lender pays the rest. So the people in the position to implement security have the incentive to do so.

As we move into this era where you have less control over security, those who have control should have the liability. If your email provider has lousy security and you suffer privacy loss as a result, you should have legal recourse. That aligns the incentives properly.

Sometimes people seem to shrug off all these privacy concerns. Why?

They’re not unconcerned. It’s that this is how you live your life. You really don’t have a choice. It’s hard to live without Facebook or a cellphone. We’re dealing with immediate gains vs. long-term, nebulous losses. Those are hard tradeoffs for people.

So what do I do, then?

Take a deep breath and go outside and play.


Rescuing the elderly from financial fraud

These MONEY heroes keep an eye out for the financial security of nursing-home residents and other seniors who may be targeted for fraud.

  • Stopping scammers

    Shonita Bossier, 42
    Director, Division of Securities, Kentucky Department of Financial Inst

    When Bossier started as a Kentucky securities regulator in 2009 after 17 years in banking, she was floored by the number of investment cons targeting the elderly that crossed her desk.

    In response she revived ScamJam, a seminar for seniors spotlighting telltale signs of fraud (“Low risk!” “High rewards!”). In 2010 she introduced a state law doubling fines against scammers preying on older citizens.

    Now she’s working to help doctors and nurses identify cognitively impaired individuals vulnerable to rip-offs.

    “Seniors save hard to be secure. Then someone comes along with the right words and takes all their money,” says Bossier.

  • A voice for the elderly

    Elizabeth Bispo, 65

    Volunteer ombudsman, Texas Department of Aging and Disability Services

    A retired nurse, Bispo saw that many of her charges were unable to fight for their rights and needs. So in 2009 she volunteered for a federal program intended to resolve nursing-home residents’ complaints.

    Required to visit monthly, she instead goes weekly to four facilities in her hometown of Fredericksburg, Texas. She addresses financial problems both small and large — for example, reporting a relative who’s draining a resident’s bank account.

    Her pet cause: explaining to families the need for a financial power of attorney.

    “I try to educate people about watching out for their parents. Because what I see happens when it’s too late,” says Bispo.

  • Old money, new scams

    Creativity knows no bounds, unfortunately, when it comes to criminals trying to separate older adults from their money.

    Here’s how to protect your loved ones from some of the latest senior swindles:

    Fake medical IDs

    Fraudsters, reports AARP, have started telling people that the Affordable Care Act mandates a new government insurance card — obtained by supplying their bank account info and their Medicare ID. No such card exists; for real changes to Medicare, visit

    Related: Taxpayer guide to Obamacare

    Misdirected Social Security

    Taking advantage of the Social Security Administration’s new online system, scammers posing as SSA employees obtain personal data from seniors, then reroute checks to their account. So open an account ASAP, before a thief does; if you receive an unexpected SSA acknowledgment of an account change, call 800-772-1213.

    Fire-sale pensions

    Seniors with pensions, report FINRA and the SEC, are being offered upfront cash for their future payments. The catch: The deals can be awfully stingy, and they may be illegal too. Better options, says Columbus, Ohio, planner Jill Gianola, are a personal line of credit from a bank, or an FHA-approved reverse mortgage.

    – Hailey Lee
