If you believe your information has been compromised in a data breach, follow these steps to help secure your accounts.
You can find out if any of your email accounts have been part of a publicly disclosed data breach by following the instructions here.
Fake data breach warnings are a common tactic used by scammers. They may ask you to confirm details or change your password. An organisation’s website, verified social media pages and news articles can help confirm whether a data breach notice is real.
If you think you may have been part of a data breach, your immediate priorities should be to:
- Change any passwords for accounts with the breached service.
  Access the impacted services the way you normally do, e.g. via a bookmark in your web browser or by typing the address yourself. Do not click any links in an email, even if the email is a data breach notice (they can be fake).
  Start using passphrases. A long passphrase of several random words is more secure than a short, complex password. See our password guide here.
- Change passwords on any other services that you think may use the same email and/or password. If unsure, change passwords.
  Always avoid using the same password on multiple services, particularly if you use the same email or username on multiple websites or email accounts.
- Enable multi-factor authentication.
  Many services now offer multi-factor authentication. Where possible, use an authenticator app (e.g. Authy). Authenticator apps are preferred over SMS codes, which can be intercepted or redirected (e.g. through SIM swapping).
- Start using a password manager.
  Using a password manager allows you to update your passwords in seconds. Some managers even send notifications when a data breach is made public. See how to start using a password manager (LastPass) here.
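To make the passphrase advice concrete, the following is an added Python example (it is not from the original guide): it builds a passphrase with the operating system's random source and compares the entropy of a five-word passphrase with that of an eight-character "complex" password. The small word list is constructed for the demo, and the 7776-word Diceware list size, the 94-symbol printable alphabet and the 10 billion guesses per second cracking rate are assumptions used only for the comparison.

```python
import math
import secrets

# Constructed sample word list for the demo. A real Diceware-style list has
# 7776 words; DICEWARE_SIZE is used for the entropy maths below.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "desert", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orbit", "pebble",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
DICEWARE_SIZE = 7776        # assumed size of a full word list
PRINTABLE_ASCII = 94        # upper + lower + digits + 32 symbols, no space
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate against a fast hash


def make_passphrase(words, count=5, sep="-"):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, word_count):
    """Each word chosen at random from N words contributes log2(N) bits."""
    return word_count * math.log2(wordlist_size)


def password_entropy_bits(alphabet_size, length):
    """Each character chosen at random from an alphabet of size A adds log2(A) bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(word_count=5, password_length=8):
    """Return (passphrase_bits, password_bits) for a random passphrase vs password."""
    return (passphrase_entropy_bits(DICEWARE_SIZE, word_count),
            password_entropy_bits(PRINTABLE_ASCII, password_length))


if __name__ == "__main__":
    phrase = make_passphrase(SAMPLE_WORDS)
    pp_bits, pw_bits = compare()
    print(f"example passphrase: {phrase}")
    print(f"5 random words from {DICEWARE_SIZE}: {pp_bits:.1f} bits, "
          f"~{years_to_exhaust(pp_bits):.1f} years to exhaust")
    print(f"8 random printable chars:         {pw_bits:.1f} bits, "
          f"~{years_to_exhaust(pw_bits) * 365:.1f} days to exhaust")
```

The comparison only holds when the words are picked at random; a memorable quote or song lyric does not get these numbers. The guess rate is the kind an attacker achieves offline against a leaked database of fast hashes, which is exactly the situation after a breach.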
Remember, there is no way to ‘undo’ your exposed information. But the steps above make it far harder for malicious actors to use it to access your accounts.
Making sense of a data breach
Unfortunately, the breached organisation often provides only general or limited information. For policy reasons, legal reasons or even denial, many organisations hesitate to be transparent after a data breach.
Here are some elements you can look out for in a data breach announcement to help you understand the seriousness of a breach:
- When the data breach occurred and how long the data was exposed.
  E.g. the data was exposed between 2014 and 2016; or, the database suffered a breach on February 9, 2018.
- When the service became aware of the breach.
- What information was included. Look out for information that can personally identify you, e.g. name, address, email. Also consider whether financial information was exposed, e.g. credit card or bank account details, transaction records.
- Whether usernames and passwords were exposed. Most online services store passwords as salted hashes rather than in plaintext, but some do not. If passwords were stored in plaintext, changing them should be a top priority; but weak passwords can also be cracked offline from leaked hashes, so update them in either case.
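As an added example (not part of the original guide), the following Python shows why a password should be changed even when the service stored it hashed: a salted PBKDF2-HMAC-SHA256 digest, as a service might keep it, is tried against a list of common passwords the way an attacker works offline with a leaked database. The common-password list, the sample passwords and the iteration count are constructed for illustration; a weak password falls to the dictionary while a random passphrase does not.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor for the demo; production services should use more
# iterations or a memory-hard KDF such as Argon2 or scrypt.
ITERATIONS = 50_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store a password as (salt, salted PBKDF2 digest), never as plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed attacker word list: a few common passwords and seasonal patterns.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "Password1",
    "Summer2018!", "Welcome1", "iloveyou", "admin123", "Football1",
]


def offline_dictionary_attack(salt, digest, candidates, iterations=ITERATIONS):
    """What an attacker does with a leaked record: hash each guess with the
    leaked salt and compare. No rate limit applies, so only the password's
    strength and the KDF cost slow this down."""
    for guess in candidates:
        if verify_password(guess, salt, digest, iterations):
            return guess
    return None


def leaked_record_cracks(password):
    """Hash `password` as a service would, then attack the leaked record.
    Returns the recovered password, or None if the dictionary misses."""
    salt, digest = hash_password(password)
    return offline_dictionary_attack(salt, digest, COMMON_PASSWORDS)


if __name__ == "__main__":
    for pw in ["Summer2018!", "anchor-kettle-orbit-velvet-walnut"]:
        result = leaked_record_cracks(pw)
        print(f"{pw!r}: {'cracked' if result else 'not in dictionary'}")
```

Real attackers use lists of hundreds of millions of leaked passwords plus mangling rules, so "hashed" only buys time in proportion to how unguessable the password was. That is why the advice is to change it regardless of how the service says it was stored.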
How to be prepared in future
- When signing up to an online service, only provide the information that is required or that you feel comfortable handing over.
  This will reduce your exposure in the event of a data breach.
- As above, use a password manager and multi-factor authentication.
  A password manager allows you to quickly access your account and reset your password, while multi-factor authentication stops anyone who has only your password from getting into your account.
- Don’t use ‘Sign in with Google’, ‘Sign in with Facebook’ or similar sign-in services.
  Use a separate account for each service wherever possible, choosing the ‘Create account’ or ‘Use email account’ option. ‘Sign in with’ services offer some convenience, but if you lose access to the linked account, you lose access everywhere. And that’s before considering any privacy implications.
Remember, data breaches expose huge numbers of account credentials at once, and security is a spectrum.
While no security measures offer 100% protection, taking measures to protect your account can drastically reduce your vulnerability.
If your account is too difficult to access, a malicious actor is likely to give up and move to the next account that may not be as secure.