
Why should you use a password manager?

I was forwarded the article <a href="https://www.newsbreak.com/share/4021008980422-major-warning-issued-for-apple-facebook-paypal-and-google-users" author="Kevin Harrish," source="Newsbreak / Men's Journal">Major Warning Issued for Apple, Facebook, PayPal, and Google Users</a>, which made me think about how you can keep yourself safer online.

<h>What happened?</h>

The article is not very good, in that it makes a lot of extra noise to sound alarming but that doesn't actually contribute to the conversation. For example, <iq>database of 184,162,718 records across more than 47 GB of data</iq> is good. Writing <iq>massive trove</iq> and <iq>massive</iq> in two consecutive paragraphs, or writing <iq>Apple, Facebook, PayPal, and Google logins</iq> and then, in the next paragraph, <iq>no clues about who owns the data or where it came from</iq> is just sloppy as hell. It keeps going with <iq>a cybercriminal’s dream working list</iq>, probably because it contains <iq>usernames and plaintext passwords</iq> and the author <iq>speculates that the database belonged to a cybercriminal</iq>. This is all designed to make you worry without giving you any information about what to do about it.

<h>Did this actually happen?</h>

I can tell you right now that no company of the size of those mentioned above is likely to be losing user accounts with passwords <i>in plain text</i>. No-one does that anymore. That was twenty years ago. There are still ways to screw things up, but the awareness that you store passwords with encryption is at or near 100%. This is either very old data, or it doesn't actually exist---there are a lot of scams with "security researchers" trying to make themselves look good---or it's a collection of passwords that had already been cracked. At any rate, this kind of thing <i>can happen</i> and it <i>has happened</i>. One of the worst was the <a href="https://en.wikipedia.org/wiki/2017_Equifax_data_breach" author="" source="Wikipedia">2017 Equifax data breach</a>.

<h>How do I find out if I'm affected?</h>

Throw your email(s) into the <a href="https://haveibeenpwned.com/" author="Troy Hunt" source="">Have I Been Pwned</a> search box to see which <i>real</i> and <i>verified</i> leaks have included it. If everything's OK, then it looks like this:

<img src="{att_link}zero_data_breaches.webp" href="{att_link}zero_data_breaches.webp" align="none" caption="Zero data breaches" scale="50%">

If you might have a problem, then it looks something like this:

<img src="{att_link}email_breach_history.webp" href="{att_link}email_breach_history.webp" align="none" caption="Email Breach History" scale="50%">

If you have an email that's been included in a breach, then make sure you've changed your password more recently than the most recent leak of it. Read on for <i>preventative measures</i>.

<h>Preventative measures: Your plan of action</h>

What can you do about a "break" like this? There’s not a lot you can do about this kind of leak now. It’s already out there. However, you can use <i>preventive</i> measures, such as a password manager (Proton Pass or LastPass, for example; Gary, Karen, and I are using ProtonPass; Kath still uses LastPass, but we’re going to migrate her over). What does that do? It means you have a single <i>strong</i> password that unlocks all of your other, completely random passwords. I don’t know any of my passwords. Each site has a different password. ProtonPass even generates unique emails for you, so sites don’t even have your real email! How does that all help? Well, when there’s a data breach, only a single password and an email are leaked.

<ul>
You can change that single password without worrying that a lot of other accounts have been affected.
You can filter out that email address in the future to avoid the spam that will ensue.
</ul>

<h>More information on password managers</h>

I last wrote about this at length in <a href="{app}/view_article.php?id=4804" date="December 2023">Password managers: LastPass and ProtonPass</a>. That article includes an evaluation of several password managers, as well as a section called <a href="{app}/view_article.php?id=4804#justification">A layman’s thoughts about password-manager security</a>, which explains why a cloud-based password manager is a good balance between usability and security. That is, a technology being more useful can also make it more secure, even if it opens the attack surface a bit more. As long as the encryption is sound, you're OK.
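The "only a single password and an email are leaked" argument above, and the earlier advice to change a password that is older than the most recent leak of it, can be made concrete with a small model. The following is an added example, not code from the original post and not from Proton Pass or LastPass: it generates a vault with a unique random password and a unique email alias per site, derives the vault key from one master password, and then compares how many accounts a breach at one site exposes with and without a manager. The site names, the `alias.example` domain and the alias format are constructed for illustration, as are the dates.

```python
# Added example (not from the original post or any password-manager product):
# a model of why unique per-site credentials limit the blast radius of a breach.
# Sites, alias format, domain and dates are constructed sample data.
import hashlib
import secrets
import string
from datetime import date

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, as a manager generates for each site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_alias(site: str, domain: str = "alias.example") -> str:
    """Per-site email alias (hypothetical format; the real product's scheme is
    not modelled). Embedding the site name guarantees no two sites share one."""
    return f"{site}.{secrets.token_hex(4)}@{domain}"


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """The single strong master password is stretched into the key that protects
    every other credential: this is the only secret the user has to remember."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def build_vault(sites, use_manager, shared_email="me@example.com", shared_password="Winter2024!"):
    """With a manager every site gets its own password and alias; without one
    the same email and password are reused everywhere (the common bad habit)."""
    vault = {}
    for site in sites:
        if use_manager:
            vault[site] = {"email": generate_alias(site), "password": generate_password()}
        else:
            vault[site] = {"email": shared_email, "password": shared_password}
    return vault


def accounts_exposed_by(vault, breached_site):
    """Vault entries sharing the password or email that the breached site leaked,
    i.e. the accounts that leaked pair would also open."""
    leaked = vault[breached_site]
    return sorted(
        site for site, cred in vault.items()
        if cred["password"] == leaked["password"] or cred["email"] == leaked["email"]
    )


def needs_rotation(password_changed: str, latest_breach: str) -> bool:
    """The post's rule: a password set on or before the most recent leak (ISO dates)
    must be changed; one set after the leak is already fresh."""
    return date.fromisoformat(password_changed) <= date.fromisoformat(latest_breach)


if __name__ == "__main__":
    sites = ["shop", "forum", "bank", "mail"]  # constructed sample sites
    for label, managed in (("password manager", True), ("reused credentials", False)):
        exposed = accounts_exposed_by(build_vault(sites, managed), "shop")
        print(f"{label}: breach of 'shop' exposes {exposed}")
    salt = secrets.token_bytes(16)
    print("vault key:", derive_vault_key("correct horse battery staple", salt).hex())
    print("rotate?", needs_rotation("2023-01-15", "2024-05-01"))
```

With the manager, a breach of `shop` exposes only `shop`; with reused credentials it exposes every account in the vault. PBKDF2 here stands in for the key stretching and encryption a real manager performs, which is the part the post says must be sound for a cloud-synced vault to be an acceptable trade-off.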