This post was originally written and posted on Gizmodo by David Nield on March 4, 2020.
The unfortunate truth is that your data is likely to leak somewhere, sometime, especially as you sign up for more and more apps and services. You’re basically at the mercy of the security protections put in place by the companies you’re dealing with who have leaked your data, and those protections aren’t always going to be 100 percent foolproof.
That doesn’t mean you should just sit back as your email addresses and passwords appear in public data dumps, though. Take a few extra precautions and you can maximize the chances of keeping your information safe. Having your login credentials show up online is never good, but you can make sure it’s not a complete disaster, either.
Turn on two-factor authentication
A point we turn back to again and again: Enabling two-factor authentication (2FA) on your accounts means that would-be hackers need something besides your email address and password to gain access. Usually the second factor is a code sent to your phone or generated by a separate app. It’s not a foolproof security measure, but you’re a lot better off with 2FA enabled.
Most major accounts now offer 2FA as an option, including those run by Google, Apple, Microsoft, Facebook, Twitter, Instagram, Dropbox, and Tumblr, and many of those will actively encourage you to get it set up as soon as possible. The process should be fairly easy to find in whatever accounts you use, somewhere in the security settings.
Use multiple logins
Yes, we know it’s a pain to keep track of numerous email addresses and passwords. But from a security perspective it pays to have different login credentials for each account. If you’re really struggling to remember everything, then a password manager can help. You can also use the password management tools built into most modern web browsers.
Switching up email addresses and passwords means that the details for your most well-protected accounts (like Google or Apple) aren’t mixed up with the details for the less protected ones that you’ve probably already forgotten about. Email aliases are an option, so you can set up multiple addresses that all get routed to the same inbox.
Change your logins
Another useful bulwark against the threat of data breaches is to change your passwords regularly—with the modern day password managers and browser tools that we’ve already mentioned, keeping track of these changes is much easier than it used to be. You can even get strong passwords suggested for you too, if you’re stuck for inspiration.
This does take a little bit of time and effort, and it means having to log in again on all your devices, so you don’t need to go crazy here. Maybe just stick to changing the passwords on your major accounts every few months or so. The benefit is that by the time your password leaks out on the web, there’s a good chance that it’s already out of date.
Disconnect your accounts
On a related note, try and keep as few of your accounts connected as possible—otherwise, if hackers get access to your account on that recipe library website you used once five years ago, they might also find it leads straight to your Google or your Facebook account. With data breaches, the more separated your various online accounts are, the better.
These connections happen when you use Google, Facebook, or any other existing account to set up a new account somewhere else. It’s convenient, but it’s not very safe. You should be able to disconnect third-party apps and services from your major online accounts fairly easily: Google, Facebook, and Twitter each let you do so from their account settings, for example.
Close down your accounts
It’s all too easy to let unused accounts and apps just fade into the background. That language learning service you never made full use of, that weird Facebook quiz you signed up for, the email sorting app that you used to pay for but now don’t... you’ve probably got dozens of these zombie accounts lying around, dormant but still technically active.
When you’ve given up on an account you previously used, don’t just delete the app from your phone and forget about it. Make sure you go through the full account deletion process so your details are wiped from existence. Keep on top of this and it means your exposure to would-be hackers and data leakers is much less than it otherwise would be.
Monitor the web for breaches
If important, current login credentials belonging to you should leak out somewhere on the web, you need to know about it as quickly as possible, so you can change your details before anyone else can. You’ve got a growing number of tools and apps for checking up on this now, not least the long-standing and comprehensive Have I Been Pwned? website.
Both Google’s Chrome and Apple’s Safari now double-check the passwords they’ve stored against public data breaches, and should warn you if your credentials have leaked out. You can also make use of Firefox Monitor from Mozilla, which will ping you immediately if it discovers that one of your registered email addresses has appeared in a major breach.