Russian Hackers Probably Have Your Passwords. Now What?

By now you’ve seen Tuesday’s New York Times report that a security firm found a Russian hacking ring had pilfered 1.2 billion user name and password combinations and more than 500 million email addresses.

Like many people, your first question is probably whether or not you were included in that dragnet. Hold Security, the Milwaukee-based security firm that uncovered the hack, says you can fork over $120 for an annual subscription to find out in the next 60 days if you were affected. The opportunistic move cast doubt on initial reports of the breach, but prominent cybersecurity experts have confirmed them to be accurate.

At this point, you should just assume you were hacked.

According to the security firm, the so-called CyberVor gang collected more than 4.5 billion records, and about 1.2 billion “appear to be unique.” There are about 2.9 billion Internet users worldwide, so considering the scope of the breach, chances are CyberVor has yours.

It’s too late to safeguard your email and password from this hack. Luckily, according to the Times report, many of the records have not been sold yet. The hackers have primarily been using the data to send spam on social networks, including Twitter.

Although this hack is the largest we’ve seen in quite some time, it’s one in a series of reminders, from the Target security breach to the Heartbleed virus, that our online accounts are not as safe as we think. Here are a few steps to make your accounts safer in the event of a future breach:

1. Change your passwords.

This may feel like déjà vu just a few months after Heartbleed, but you should change your passwords, especially if you are using the same password for multiple websites.

  • Use different passwords for different accounts, especially for those that have sensitive information like email or banking.
  • Don’t use “dictionary words” and make sure your passwords include a variety of numbers, letters and symbols.

2. Try a secure password manager.

With all of the different accounts you have online, it’s hard to keep track of complex and unique passwords for each one. That’s where password managers can help. These services generate and store longer, complicated passwords for each of your accounts. Here are some of the best options out there, but they aren’t foolproof:

  • LastPass: A spokesman for the company told me today that if you are using the same password for multiple accounts saved to your LastPass, you should change your password. You can check if this is the case by going to Tools > Password > Security Check. If you are using different passwords for each account, LastPass says you need to sit tight for more information. LastPass is currently free for desktop, but with a paid upgrade to Premium, you can access the service across your mobile devices.
  • Password Safe: As noted on its blog, Password Safe is only as safe as the user makes it. The company instructs users to not use the same password across a variety of platforms or keep a list of passwords on paper or in a text document on a computer. It’s also free for your desktop.
  • 1Password: Another similar service, with the same risks if you do not create different passwords for each account. 1Password’s David Chartier told me existing users will be informed if any of their passwords need to be changed through the company’s Watchtower service. 1Password is also free for desktop, but the iOS download is $9.95.
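The two things steps 1 and 2 ask of a password manager are to generate passwords that mix letters, numbers and symbols and to flag any password reused across accounts (the kind of check LastPass exposes under Security Check). The following is an added example of both, not code from the article or from any of the products named; the 20-character default length, the symbol set and the sample vault are assumptions made for illustration.

```python
from __future__ import annotations

import secrets
import string

# Character classes the article recommends mixing: letters (both cases), numbers, symbols.
# The symbol set below is an assumption; real managers let you configure it per site.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def has_all_classes(pw: str) -> bool:
    """True if pw contains at least one character from each of the four classes."""
    return (
        any(c in LOWER for c in pw)
        and any(c in UPPER for c in pw)
        and any(c in DIGITS for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG (the secrets module, never random.random)
    and keep drawing until every character class is present. The 20-character
    default is an assumption, not a figure from the article."""
    if length < 4:
        raise ValueError("length must allow at least one character of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Given a vault of {site: password}, return groups of sites that share a
    password, sorted for stable output. Passwords themselves are not returned,
    only the site names, so the report can be shown without exposing secrets."""
    by_pw: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_pw.setdefault(pw, []).append(site)
    groups = [sorted(sites) for sites in by_pw.values() if len(sites) > 1]
    return sorted(groups)


if __name__ == "__main__":
    # Constructed sample vault: two accounts share the same weak password.
    sample_vault = {
        "mail.example": "Summer2014",
        "bank.example": "Summer2014",
        "shop.example": generate_password(),
    }
    for sites in reused_passwords(sample_vault):
        print("same password reused on:", ", ".join(sites))
    print("fresh password for a new account:", generate_password())
```

Running it on the constructed vault reports that mail.example and bank.example share a password, which is exactly the situation the article says should trigger an immediate change; the generated replacement is different on every run because it comes from the operating system's secure random source.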

3. Enable two-factor authentication.

One of the most prominent cybersecurity experts, Brian Krebs, held a Q&A session on Wednesday about the hack. His advice to commenters: Enable two-step authentication. When you enable two-step authentication, every time you log in to that account from a new device, you have to respond to an additional message, usually an SMS message on your phone.

Matt Cutts, the head of Google’s Webspam team, said two-factor authentication is more secure because it requires “something you know” (your password) and “something you have.” With the exception of AOL (which owns TechCrunch), most major email providers offer this option, as well as some social networks like Twitter.

Even with all of these steps, there is no way to completely protect all of your data. It’s important to continually monitor your online accounts, especially your email and financial accounts, for unusual activity.