NEW YORK (CNNMoney) — Russian criminals have stolen more than 1.2 billion Internet usernames and passwords, and the odds are decent that some of yours might be among them.
There’s no need to panic at this point — Hold Security, the firm that discovered the theft, says the gang isn’t in the business of stealing your bank account information. Instead, they make their money by sending out spam for bogus products like weight-loss pills.
That means you need to stay on your guard. If you see strange messages being sent from your email or social media accounts, you might be among those affected.
Here are a few things you can do to protect yourself:
Change your passwords and make them smart: When it comes to important services, including email, banking and social media, you’ll want to change those passwords. As a rule, create different passwords for different services, and change them every six months or so.
There’s a lot of debate about what makes for the best password. Some experts recommend using a password manager — a single service that you log into which then generates random passcodes for all your accounts.
But the danger with password managers is that they create a single point of failure: if the password manager itself is compromised, all your accounts become vulnerable.
Another solution is to use long sentences or phrases. The more characters you add to a password, the more difficult it is for a computer program to crack — even if your password is a simple sentence that’s easy to remember (“I Need 2 Spend Less Time On Social Media”).
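To put numbers on the claim that length beats complexity, here is an added Python example (not from the article) that estimates how many guesses an attacker would need for a short mixed-character password versus the article’s sample sentence. It scores the sentence two ways: as a blind character-by-character search, and under the less flattering assumption that the attacker knows it is made of ordinary words and guesses word by word. The guess rate (100 billion per second, an offline cracking rig against a fast hash) and the 20,000-word vocabulary are assumptions chosen for illustration; the short password is a constructed sample.

```python
import math

# Constructed sample inputs: a short "complex" password and the article's example sentence.
SHORT_PASSWORD = "Tr0ub4d!"
PASSPHRASE = "I Need 2 Spend Less Time On Social Media"

# Assumed attacker model (illustrative, not a measurement).
GUESSES_PER_SECOND = 1e11     # offline cracking of a fast hash on GPUs
DICTIONARY_WORDS = 20_000     # vocabulary the attacker assumes the sentence was built from
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the smallest printable-ASCII alphabet covering every class used in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if " " in pw:
        size += 1
    if any(not c.isalnum() and c != " " for c in pw):
        size += 32   # printable ASCII punctuation, excluding space
    return size


def brute_force_bits(pw: str) -> float:
    """Search-space size in bits if the attacker tries every string of this length."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_bits(pw: str, vocab: int = DICTIONARY_WORDS) -> float:
    """Bits if the attacker knows pw is a sequence of whitespace-separated words
    and digits drawn from a vocabulary of `vocab` tokens (the pessimistic view)."""
    return len(pw.split()) * math.log2(vocab)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find the secret: on average half the space is searched."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / rate / SECONDS_PER_YEAR


def compare(pw: str) -> dict:
    """Summarise both attacker models for one password."""
    bf = brute_force_bits(pw)
    dw = dictionary_bits(pw)
    return {
        "length": len(pw),
        "brute_force_bits": round(bf, 1),
        "brute_force_years": years_to_crack(bf),
        "dictionary_bits": round(dw, 1),
        "dictionary_years": years_to_crack(dw),
    }


if __name__ == "__main__":
    for label, pw in (("short password", SHORT_PASSWORD), ("passphrase", PASSPHRASE)):
        print(label, compare(pw))
```

The short password falls in well under a year even though it mixes all four character classes, while the sentence survives for astronomically long under both models. The dictionary model is the one to trust: the character-level figure overstates a sentence’s strength, and the sentence only stays strong if it is not a famous quote or song lyric that appears verbatim in wordlists.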
Be careful what you store electronically: Never email your Social Security number, because it’ll stay in your archives. Erase old messages with your bank account information and credit card numbers. And never keep a saved document that serves as a master list of passwords. For hackers, that’s a treasure map.
Use protection: While they’re not foolproof, there are a number of tools available to improve your digital security. Download antivirus software. Be diligent about software updates. Whenever possible, use two-factor authentication, a system available on many services that requires both a password and a one-time code generated by a mobile device.
Lastly, when connecting to any website that uses your personal information, make sure you’re using a secure, encrypted connection. Here’s how to spot it: Look at the address bar above. Does the website URL start with HTTP or HTTPS? There’s a difference. The added “s” stands for “secure.”
Make a throwaway email address: In this latest hack, the Russian gang gathered their trove of digital credentials from websites that make you register with a password and username (often an email address).
For accounts that you wouldn’t be concerned about having hacked — say, your profile on a news site that you don’t read often — you can make a throwaway email address and password that you use strictly for registration purposes.
Reusing this password shouldn’t be a problem, provided you limit it to services from which you won’t be getting any important communications, like personal messages or details of financial transactions. Then you can focus your mental energy on securing the accounts that really do matter.
Don’t be stupid: Much of protecting yourself online comes down to using your common sense. If you can use the Internet well enough to read this article, you probably know the basics: Don’t download files from unfamiliar sources. Check where a link will take you before clicking on it. Don’t respond to wildly ungrammatical emails offering access to Viagra or secret Nigerian bank accounts.
None of these tactics are completely fail-safe, but taken together, they’ll make you a much less attractive target to scammers online.