OK, now it's really time to change your password.
With news that as many as 1.2 billion user names and password combinations had been stolen, security experts are urging consumers to be more vigilant online.
A Russian cybergang injected malicious code into at least 420,000 websites to gather the data. The attack "looks absolutely enormous," said Geoff Webb, senior director of security and strategy at NetIQ, a computer security company based in Houston. "It's yet another example showing that there's a lot of work to be done in making the Web-based applications that people use secure."
Because people tend to use the same password on multiple sites, "when a medium-sized breach occurs, it can have major repercussions because those passwords are used on so many systems," Webb said. "And this is a huge breach."
Some of the e-mail and password combinations may be old and no longer in use, so it may not be necessary for users to change their passwords, said Alex Holden, founder and chief information security officer for Hold Security in Milwaukee. "The last thing we want is to panic the marketplace," he said. "That won't be productive."
Potential victims can register at HoldSecurity.com to see whether their e-mail addresses are among those compromised. The company says it will let users know for free if their credentials have been found in the possession of the gang, which Hold Security has dubbed CyberVor ("vor" means "thief" in Russian).
"The takeaway from all of this: It's time to change your password again," says security expert Phil Lieberman, CEO of Lieberman Software.
Beyond that, here are some other tips for more secure online conduct:
- Mix it up. Create passwords that are 10 characters or longer and include uppercase letters, lowercase letters, symbols and numbers, says Adam Tyler, chief innovation officer for identity protection firm CSID.
- Be more creative. Use a unique password for each account, Tyler says, and vary the e-mail addresses you use for accounts.
- Split social media and money. Do not use the same password for credit cards and bank accounts that you use for social media or websites, Lieberman says.
- Revise record-keeping. Don't store your account information in an unsecured document on your computer or network.
- Keep data close. Don't share your password, even with friends and family.
- Stay informed. Beyond changing passwords and creating better ones, Tyler recommends that users stay informed as the details of the breach are released.
Poor password practices can make a breach like this one exponentially troublesome, he says, because "the reuse of passwords across multiple sites means that the bad guys effectively have the keys to the door of multiple personal accounts once they have login credentials for just one site."