Here’s what to do whenever you hear about a data breach
Every few months, it seems, we must all brace ourselves as news of another data breach comes crashing through the headlines. This week it’s DoorDash, who recently announced a data breach they claim affects 4.9 million customers, workers and merchants on their network. It’s almost comical how often large organizations lose track of their customers’ personal information. Consumers can no longer depend on the organizations with whom they do business to be good stewards of confidential information. We would argue these entities are simply not incentivized to protect this information. Equifax suffered a breach of cataclysmic proportions in 2017 and has yet to pay a dime in restitution here in the U.S. (yes…the credit reporting bureau was fined £500,000 in Britain, an utterly meaningless consequence for a company that posts nearly $3 billion in annual revenue). Facebook lost control of 540 million contact records in April of this year, and yet the social network’s stock price continues its indomitable march back up towards $200/share.
Simply put, these days large platforms weather data breach incidents fairly easily, so don’t expect them to invest a lot of time and effort in preventing the next one. Oftentimes, it’s simply easier to have their legal teams haggle over minuscule restitution payments and offer lip service to privacy advocate groups until public attention shifts elsewhere. Luckily, the tools exist which allow consumers to take personal charge of their own cybersecurity easily and efficiently.
In this article, we’re going to review some steps you should take whenever you hear about a large data breach. You may be thinking, “why should I bother with any of this?” If your details are included in a data breach, you can guarantee that information is currently for sale somewhere on the dark web. Furthermore, cyberthieves test stolen passwords and usernames from one site and try them on other popular sites. If you’ve been re-using passwords, then these other accounts are now at risk too. According to LifeLock, people suffering from multiple cases of identity theft may take up to 1,200 hours to completely resolve all cases. By addressing breaches proactively, you’re saving yourself a great deal of headache down the road.
Step 1 – Assess the damage
- Go to haveibeenpwned.com (yes that’s spelled correctly). Enter your email. You can see any data breaches (that we know of) where your email is detected. Assume that any password you used on those sites has been breached and should never be used again. Hackers hang on to these records for a long time, hoping people will continue to re-use the same passwords.
- It's generally considered good practice to check this site regularly, once a quarter or so. This is good cybersecurity housekeeping.
Step 2 – Get your password manager set up
Password managers are the answer to the problem of reusing passwords in multiple accounts. These programs can generate and store different passwords for every site to which you are a member. If an individual site suffers a data breach, you change your password to that site and update your password manager. The only password you’ll ever need to remember is the one to access your password manager.
I personally love using LastPass. There are others out there, but at the end of the day using a password manager is like keeping a nice yard. It doesn’t really matter what brand of lawnmower you have—just make it a habit to cut the grass every week, right? While these instructions are specific to LastPass, it's a safe bet the installation steps for other password managers follow a similar pattern. After you create an account, you’ll need two things: an extension for your browser and an app for your phone.
- Go to https://lastpass.com/create-account.php
- This is the only password you’ll need to remember from now on, so make it long but simple. For instance, you might choose “payson-golf-pinetree-08”. The amount of time it would take a computer to crack that makes it unreasonable to attack you. They’ll seek easier targets. Make your password at least three words separated by some kind of punctuation.
- Download the Chrome LastPass extension for your browser (here’s the link)
- Once installed, you should see the extension in the top right of your browser window. The icon is a little box with three dots in it. When you’re logged into LastPass that box will be colored red. When you’re logged out, the box will be grey.
- When logged in, the LastPass extension automatically detects when you visit a site for which it has stored credentials. The credentials are automatically placed in the login fields for you.
- Now for your phone. Go to the App Store, find “LastPass” and download.
- Log in with your username and password.
***Mobile Device Note***
The app won’t automatically put credentials into apps or your Safari browser. You’ll have to do that manually for the most part. Generally speaking, the app doesn’t keep you signed in for hours at a time. This keeps things more secure in case you lose your phone.
Step 3 – Start changing your logins to highly randomized passwords and have LastPass store them.
Financial, insurance, and healthcare-related sites should take priority in this step, followed by social media and other sites.
- Go to the site you want to change the password for. Log in and go to your profile settings.
- Find the place to change your password.
- When it asks for your new password, bring your mouse to the Chrome browser extension.
- Click on the extension and scroll down to “Generate Secure Password.”
- Set the password length to at least 12 characters. Check all of the boxes to include letters, numbers, punctuation, and all special characters.
- You should see some red text that reads “copy password.” Click that.
- Go back to the site you are changing (LinkedIn, in this example), right click and paste your fancy new password. Save that.
- After that, you should see a pop-up from LastPass, asking if you would like LastPass to save those credentials. Click “yes.”
- You now have a secure password, saved in LastPass, and you’ll never have to remember it on your own.
- Go through all your accounts and complete the actions in Step 3. This may take some time, no doubt about it. But the good news is that it shouldn’t be more than a couple hours. After which, it is done and you don’t have to worry about it.
- DON’T FORGET to set up account recovery in LastPass when you create your account. But remember, LastPass CANNOT reset your master password. Set up your account recovery, and make sure you can remember just the one long complex password. Keep those two things in mind and you’ll be fine.
- After that, it’s just a matter of developing good habits. Anytime you’re tasked with creating a new online account somewhere, go to your LastPass extension and generate a random password. Once you get into the habit, it makes creating online accounts much, much quicker. You won’t have to sit there dreaming up new passwords (or worse, re-using old ones).
- Lastly, remember that the app isn’t perfect. LastPass still gets a little confused when I log in to USAA, for example. For the most part though, I believe you’ll really love this new process. I sure do!
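To show why the two kinds of passwords in Step 2 (a long but simple master passphrase of three or more words and punctuation) and Step 3 (a fully random site password of at least 12 characters with every character class) are strong, here is an added example that generates both and estimates how long an offline guessing attack would take. It is not LastPass code or the author's; the 12-word list and the 10 billion guesses-per-second rate are constructed assumptions.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only. A real passphrase should
# draw from a large list (e.g. a 7776-word diceware list); list size drives strength.
WORDLIST = ["payson", "golf", "pinetree", "harbor", "lantern", "meadow",
            "copper", "violet", "summit", "quarry", "fossil", "orchid"]
SEPARATORS = "-_.!"
ALL_CHARS = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
_rng = secrets.SystemRandom()  # CSPRNG-backed shuffle, unlike random.shuffle

def passphrase(num_words=3, wordlist=WORDLIST):
    """Step 2 style master password: N random words, one separator, 2-digit tail."""
    if num_words < 3:
        raise ValueError("use at least three words")
    sep = secrets.choice(SEPARATORS)
    words = [secrets.choice(wordlist) for _ in range(num_words)]
    return sep.join(words + [f"{secrets.randbelow(100):02d}"])

def passphrase_bits(num_words=3, wordlist=WORDLIST):
    """Entropy assuming the attacker knows the word list and the exact format."""
    return (num_words * math.log2(len(wordlist))
            + math.log2(len(SEPARATORS)) + math.log2(100))

def random_password(length=16):
    """Step 3 style site password: >=12 chars with every character class present."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    chars = [secrets.choice(c) for c in classes]             # one of each class
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(classes))]
    _rng.shuffle(chars)                                      # hide class positions
    return "".join(chars)

def has_all_classes(pw):
    """The check a site's 'all character types' rule performs."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def random_password_bits(length=16):
    """Upper bound; the class guarantee removes a negligible fraction of outputs."""
    return length * math.log2(len(ALL_CHARS))

def years_to_crack(bits, guesses_per_second=1e10):
    """Expected time to search half the space at an assumed offline guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    print(passphrase(), f"~{passphrase_bits():.0f} bits")
    print(random_password(16), f"~{random_password_bits(16):.0f} bits")
```

With the toy 12-word list three words give only about 19 bits, which is why the list size matters: the same format over a 7776-word list gives about 47 bits, and a 16-character fully random password about 105 bits.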