No, don’t panic. Although the discovery of 700 million stolen email addresses and passwords sounds pretty bad, there is little reason to panic.
Brian Krebs, a journalist kind of in his own little niche covering cyber for real-world people, has a great article on this so-called “Collection #1.” Read that right here.
Do follow my basic security for normal people. (Normal meaning you don’t walk around with high-level intelligence or industrial secrets, you’re not a celebrity, you’re not currently the target of hackers… you’re just a normal, lazy person.)
A site called haveibeenpwned.com is a great resource: it checks email addresses against archives of stolen credentials found on the dark web. But it can only check your email address against the stolen-data archives it already knows about, so if a company hasn’t disclosed a breach and the site hasn’t yet encountered that data, it can’t tell you anything.
The smart thing to do is use a password manager (like LastPass, which I use and recommend highly) to generate long, unique, strong passwords for everything.
It may be tempting to keep a paper list of all your accounts and passwords, except that losing the list or not having it on you all the time is a pain. LastPass is a standalone app for mobile and a browser extension, giving you access to every account login on any device.
Physical list-making will not encourage you to use long, unique, randomly-generated passwords, and a password manager will, with some gentle nagging. LastPass does allow you to export a spreadsheet of all your accounts and sign-in creds, which you can print and keep safe. (You can even show other people this list and they’ll be able to read what it says, unlike with handwritten lists.)
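To make concrete what “long, unique, randomly-generated” buys you, here is a small added example (mine, not code from the post or from LastPass) that does the two things a password manager does behind the scenes: draws a password uniformly at random from a 94-symbol alphabet using the operating system’s cryptographic random source, and scans a vault for passwords shared between accounts. The entropy figure is the standard length × log2(alphabet size) for a uniformly random string; the sample vault at the bottom is constructed for the demonstration.

```python
import math
import secrets
import string
from collections import defaultdict

# Letters, digits and punctuation: the 94-symbol set a manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a password chosen uniformly at random from `alphabet`.

    `secrets` uses the OS CSPRNG, unlike `random`, which is predictable.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    An attacker who knows the alphabet and length must still try, on average,
    half of alphabet_size ** length candidates.
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict) -> dict:
    """Map every password used by more than one account to the accounts sharing it.

    A reused password means one breach unlocks every account in that list.
    """
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two accounts share a human-chosen password.
    vault = {
        "bank": "Summer2019!",
        "netflix": "Summer2019!",
        "email": generate_password(24),
    }
    print("reused:", find_reused_passwords(vault))
    print(f"24-char random password: ~{entropy_bits(24):.0f} bits of entropy")
    print(f"8-char lowercase word:   ~{entropy_bits(8, 26):.0f} bits of entropy")
```

Run it and the reuse scan flags the bank and Netflix accounts, while the entropy lines show why a 24-character generated password (about 157 bits) is in a different league from an 8-letter word (about 38 bits), even before an attacker starts guessing dictionary words first.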
Never use the same password for more than one account.
Do NOT keep a list on your computer!
Change every password for every account when the clocks change twice per year. I heard some financial fraud investigator say that he even has a unique email address for every service he uses, so for his banking he has “firstname.lastname@example.org” or whatever, and for his Netflix he has “email@example.com” or whatever. A little excessive maybe, but not at all unreasonable.
If you hear about a data breach at a company you have an account with, change your password no matter what that company says. Most companies take months to disclose these breaches, and we don’t really know if everything breached is ever disclosed.
Finally, check in with KrebsOnSecurity.com once in a while.