These days, if your passwords and login credentials have appeared in a public data breach, you’re most likely going to know about it: Apple, Google, password managers, web browsers and more will all warn you if the details that they’re storing have been spotted in a breach. The next question is: what should you do about it?
While each situation will be different, there are some basic steps that you’re always going to want to follow to make sure your accounts stay safely locked against unwelcome intruders. Act fast enough, and there’s a good chance that you’re going to be able to minimize the fallout from having one of your login combinations exposed.
Quite clearly, if your password has been exposed, you’re going to want to change it before anyone can take advantage. This is the very first step to take, and you don’t want to take too long on it. Whatever account is affected, you shouldn’t have too much difficulty finding the screen in the app or on the site where you can change your password.
Remember the rules for choosing passwords: they should be impossible for anyone else to guess and, ideally, impossible for you to forget. That latter rule is less important in the age of password managers, which will keep track of long and complex passwords for you.
If you’re using a password manager or a web browser to organize all of your login details, and you’re able to get strong password suggestions through it, then you’re in good shape. The strings of letters, numbers and special characters that these tools come up with are typically much more difficult to crack than anything you would be able to come up with yourself.
As we’re always saying, if two-factor authentication (2FA) is available (and it usually is), switch it on: It means that you need a code generated by your phone as well as a username and password to log into your account. Having 2FA enabled can keep your accounts safe and secure even if your passwords should get leaked, because another authentication method is still required.
After you’ve changed your password, it’s time to log out on all the devices connected to your account. If someone else has gained access to your account before you changed your password, it’s possible that they’ll be able to stay logged in for a period of time—apps and sites don’t always automatically kick users out after a password change.
Phones, web browsers and whatever else will often stay logged into accounts for the sake of convenience, to save you having to enter your password every time you fire up Snapchat or Reddit. But while this approach makes life much easier most of the time, it does mean that imposters can hang around for longer than they would otherwise.
How you go about a mass logout will depend on the app or the site that’s been compromised, but most digital accounts make logging out across all your devices pretty easy. To take Netflix as one example, go to your account page on the web, then choose Sign out of all devices. Confirm your decision and a fresh login will be required everywhere that you have Netflix installed.
If it’s your Google account that’s been compromised, to give you another example, head to the security section in your Google account on the web, then select “Manage all devices” to see all the phones, laptops, tablets and other pieces of hardware linked to your Google account. You can click on any of the items in the list, then choose Sign out to force that device to reconnect and go through the password validation process again.
You might not always realize it, but your busiest digital accounts are likely to be connected to a variety of third-party apps and services—think about the desktop email client at work with access to your Outlook account, or the third-party collage maker that you’ve given permission to get at your Instagram photos and videos.
Whenever one of your digital accounts becomes compromised, third-party apps can stay connected, sometimes even after you’ve changed your password and logged out on all your devices. Bad actors can sometimes connect through these utilities to keep a route into your accounts that you might not notice.
You can disconnect these apps without too much trouble, and again, the method is different for different apps and sites. If Twitter experiences a leak, you can go to the Connected apps page on the web to see everything that has access to your Twitter account—click on any entry in the list and then select Revoke app permissions to kick it out.
You might have one or several apps connected to your Facebook account as well: Head to the Apps and websites page for Facebook on the web to see what you’re dealing with. Clicking Remove will disconnect a particular app or service from your Facebook account, and you can also choose View and edit to see the data and permissions that a particular connected app can access.
So, you’ve managed to avert disaster and your accounts are safe and secure again—but there’s no telling when more of your data might find its way online, including password and login details. It tends to happen on a rather regular basis, and there’s only so much you can do about it when you’re entrusting your personal data to so many other companies and services.
A lot of what we’ve already mentioned will put you in a good place for the next data breach, including choosing complex passwords that can’t be guessed or brute-forced, and turning on two-factor authentication wherever it’s available. If you haven’t already enlisted the help of a password manager, it might also be time to think about doing so.
Like we said earlier, most password managers will warn you if your credentials appear in a public leak. But there are also other early-warning services out there. Firefox Monitor, for example, can check if your details have been exposed, as well as keep an eye on future data breaches.
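Services like Firefox Monitor and most password managers draw on the Have I Been Pwned data set, and its Pwned Passwords API lets a client ask whether a password has appeared in a breach without ever sending the password: the client hashes it with SHA-1 and sends only the first five hex characters, gets back every known suffix for that prefix, and does the matching locally (k-anonymity). The following is an added example of that client-side logic, not code from the article or from any of the products it names. The range response is a constructed sample (the counts are made up), with the real URL kept in a separate, optional function so the offline part runs as-is.

```python
import hashlib
import hmac
import urllib.request


def split_sha1(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex digest, split into the 5-char prefix that leaves the device
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response and return how many times the local suffix
    was seen in breaches (0 if it is absent). Malformed lines are skipped."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate.strip().upper(), suffix):
            return int(count.strip())
    return 0


# Constructed sample of a range response for prefix 5BAA6; the first suffix is the real
# SHA-1 tail of the string "password", the other two suffixes and all counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1D2FE8D8F3A9C0B2E3F4A5B6C7D8E9F0A1B:2
0F1E2D3C4B5A69788796A5B4C3D2E1F0ABC:17
"""


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call, serving only the constructed sample above."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (needs network; not used by the tests)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range_offline) -> int:
    """Number of times `password` appears in the breach corpus, with only the hash prefix sent out."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    print("offline check for 'password':", breach_count("password"))
```

A non-zero result is the signal a password manager turns into a "this password appeared in a breach" warning; the important property is that `fetch(prefix)` is the only thing that leaves the device, and a five-character prefix matches hundreds of unrelated hashes, so the service cannot tell which one you hold.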
Apart from that, we’d recommend following all of the familiar guidelines: Avoid repeating passwords across multiple sites and services, keep password and account sharing with family and friends down to a minimum, and close down accounts that you’re no longer actively using (the fewer active accounts you’ve got, the less of a target surface you’re giving to hackers who might want to gain access to them).