These days, if your passwords and login credentials have been exposed in a public data breach, chances are you’ll know: Apple, Google, password managers, web browsers and more will alert you if details you have stored with them have been detected in a breach. The next question is: what should you do about it?
While every situation will be different, there are some basic steps you’ll always want to follow to ensure your accounts are kept safe from unwanted intruders. Act fast enough and there’s a good chance you can minimize the consequences of having one of your login combinations exposed.
Change your password
Obviously, if your password has been exposed, you’ll want to change it before anyone can take advantage of it. This is the first step to take and you don’t want to take too long. Whichever account is affected, you shouldn’t have too much trouble finding the screen in the app or site where you can change your password.
Remember the rules for setting passwords: they should be both impossible for anyone to guess and impossible for you to forget. The second rule is less important in the age of password managers, which will keep track of long and complex passwords for you.
Instagram is an app that offers two-factor authentication. Screenshot: Instagram
If you use a password manager or web browser to organize all of your login information and you can get strong password suggestions through it, then you’re in good shape. The strings of letters, numbers, and special characters these tools present are often much harder to crack than anything else you could come up with yourself.
As we always say, if two-factor authentication (2FA) is available (and it usually is), turn it on: it means you need a code generated by your phone, as well as a username and password to log in to your account. Having 2FA enabled can keep your accounts secure, even if your passwords should be leaked, because another authentication method is still required.
Sign out of all your devices
After you’ve changed your password, it’s time to sign out of all devices connected to your account. If someone else gained access to your account before you changed your password, they may be able to stay signed in for a period of time; apps and sites don’t always automatically kick users out after a password change.
Phones, web browsers, and anything else will often stay connected to accounts for convenience, saving you from having to enter your password every time you launch Snapchat or Reddit. But while this approach makes life much easier most of the time, it means that imposters can stick around longer than they would otherwise.
Don’t let anyone hack your accounts. Screenshot: Netflix
How you do a mass logout will depend on the app or site that was compromised, but most digital accounts make it pretty easy to log out of all your devices. To take Netflix as an example, go to your account page on the web, then choose Sign out of all devices. Confirm your decision and a new login will be required everywhere you have Netflix installed.
If your Google Account has been compromised, to give you another example, go to the security section of your Google Account on the web, then select “Manage all devices” to see all the phones, laptops, tablets and other hardware linked to your Google Account. You can click any of the items in the list and then choose Sign Out to force the device to reconnect and go through the password validation process again.
Check third-party apps
You may not always realize it, but your busiest digital accounts are likely connected to a variety of third-party apps and services; consider the desktop email client that works with access to your Outlook account, or the third-party collage maker that you have given permission to access your Instagram photos and videos.
When one of your digital accounts is compromised, third-party apps can stay connected, sometimes even after you’ve changed your password and signed out on all your devices. Bad actors can sometimes connect through these utilities to maintain a path to your accounts that you might not notice.
Checking connections of third-party applications to Twitter. Screenshot: Twitter
You can disconnect these apps without too much trouble and, again, the method is different for different apps and sites. If Twitter experiences a leak, you can go to the connected apps page on the web to see everything that has access to your Twitter account; click any entry in the list, then select Revoke App Permissions to kick it out.
You may also have one or more apps connected to your Facebook account – go to the Facebook Apps & Websites page on the web to see what you’re dealing with. Clicking Remove will disconnect a specific app or service from your Facebook account, and you can also choose View and edit to see the data and permissions that a specific connected app can access.
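The sections "Sign out of all your devices" and "Check third-party apps" both rest on the same mechanism: session tokens and app grants are stored separately from the password. The following added example (not from the original article) models a service that behaves this way and records what an intruder can still use after each recovery step; the class, method names and sample values are all constructed for illustration.

```python
import secrets

class Account:
    """Toy service whose sessions and app grants outlive a password change."""
    def __init__(self, password: str):
        self.password = password      # plaintext only to keep the model short
        self.sessions = {}            # session token -> device label
        self.app_grants = {}          # grant token -> third-party app name

    def password_ok(self, password: str) -> bool:
        return secrets.compare_digest(password.encode(), self.password.encode())

    def _issue(self, store: dict, label: str) -> str:
        token = secrets.token_hex(16)
        store[token] = label
        return token

    def login(self, password: str, device: str):
        return self._issue(self.sessions, device) if self.password_ok(password) else None

    def authorize_app(self, session_token: str, app: str):
        return self._issue(self.app_grants, app) if session_token in self.sessions else None

    def change_password(self, new_password: str):
        self.password = new_password  # existing tokens are left untouched

    def sign_out_everywhere(self):
        self.sessions.clear()         # app grants live in a separate list

    def revoke_app(self, app: str):
        self.app_grants = {t: a for t, a in self.app_grants.items() if a != app}

def intruder_access_by_step() -> dict:
    """What still works for an intruder after each recovery step."""
    acct = Account("leaked-password")                 # constructed sample data
    session = acct.login("leaked-password", "intruder laptop")
    grant = acct.authorize_app(session, "collage maker")
    def still_works():
        return {"password": acct.password_ok("leaked-password"),
                "session": session in acct.sessions, "app": grant in acct.app_grants}
    steps = {"breach": still_works()}
    acct.change_password("new-long-random-password")
    steps["change password"] = still_works()
    acct.sign_out_everywhere()
    steps["sign out everywhere"] = still_works()
    acct.revoke_app("collage maker")
    steps["revoke app"] = still_works()
    return steps
```

Only after all three steps does every entry read False, which is why the article treats them as separate actions.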
Get ready for next time
So you’ve managed to avoid disaster and your accounts are safe again, but there’s no telling when more data may be found online, including passwords and login details. It tends to happen fairly regularly, and there’s only so much you can do about it when you’re entrusting so many other companies and services with your personal data.
Much of what we’ve already mentioned will stand you in good stead for the next data breach, including choosing complex passwords that can’t be guessed or brute-forced and enabling two-factor authentication where available. If you haven’t already enlisted the help of a password manager, it might be time to think about doing so, too.
Firefox Monitor will watch for data breaches for you. Screenshot: Firefox Monitor
As we said earlier, most password managers will notify you if your credentials appear in a public leak. But there are also other early warning services. Firefox Monitor, for example, can check if your data has been exposed, as well as watch for future data breaches.
Other than that, we recommend that you follow all known guidelines: avoid repeating passwords across multiple sites and services, keep account and password sharing with family and friends to a minimum, and close accounts you no longer actively use (the fewer active accounts you have, the smaller the target you give hackers who want to access them).