28.8% of current USD233 employees have used their email address with an internet service or app that has been part of a data breach in the last 10 years.
(source: haveibeenpwned.com search 11/11/2019)
Why this matters:
This isn’t a threat to you now, because every 90 days we force everyone in the district to change their passwords, but people need to be aware that a service they have used in the past has been breached. This means that your username and the password you were using for that service are now available for public scrutiny.
It’s a bigger problem if you re-use passwords on other services, which opens you up to “password stuffing”, where attackers spray other services with known usernames, email addresses and passwords, hoping someone has re-used those credentials on multiple services. Fraudulent emails have been circulating that attempt to frighten you by showing you an old password you used in the past that was part of a data breach.
Things you can do to prevent this from becoming a problem:
- Use a password manager (https://1password.com/ , https://keepass.info/ , https://www.lastpass.com/ )
- Use multifactor authentication tokens when they are available
- Don’t re-use passwords
- Choose passwords which are long and easy to remember but not easy to guess (Example: https://xkcd.com/936/ )
- Keep track of data breaches using a notification service such as Firefox Monitor or haveibeenpwned.com
What to do if you are notified that a service you have used has been breached:
- Close the account if you don’t use that service any more
- Change your password for that service if you intend to use that service in the future
- If you re-used that password elsewhere, change your passwords on all services that use that password and never use that password again
- If you suspect that someone has stolen your identity, consult the Federal Trade Commission Identity Theft Website for steps to recover your identity