The theft of more than 1 billion passwords and 500,000 email addresses by Russian hackers is another reminder that consumers need to take preemptive action to avoid being victimized, experts say.
"Change all passwords immediately, and start thinking about actively protecting your identity and your information," warned Adam Levin, chairman of identity theft protection and remediation firm IDT911.
He recommends checking with trusted institutions that consumers commonly interact with, such as a bank or insurer, to find out if they offer free or low-cost identity theft-monitoring services.
"At this moment, we are way beyond prevention," Levin told CBS MoneyWatch. "Monitoring and damage control are more critical to thwarting a personal economic extinction-level event."
Consumers are urged to keep a close eye on their online accounts and, in addition to changing passwords, to immediately report any suspicious activity.
Indeed, McAfee Online Security Expert Robert Siciliano said it's vital to change the way we do business online.
"This is no ordinary breach," he said of the most recent attack, in which criminals attacked 420,000 websites of companies large and small. "Without a doubt this is the largest breach ever, and may be in the future, too," he said.
Siciliano goes so far as to say that consumers themselves are "directly responsible" for the breach. That's because millions of computers in homes and offices are infected and become linked together through a network of robots, or botnet. The botnet collects user information and transmits it to criminals. "So the problem and the solution is often in the users' home PC," he said.
Here's what Siciliano recommends to minimize the risks of using the Internet:
- Never leave a router on its default password.
- Never trust free, third-party WiFi hotspots. Consider using a service to protect your devices and what you transmit. One free service to consider using when you're out and about is Hotspot Shield.
- If you're using a website to conduct a financial transaction, be sure you see a padlock icon and "https" before the URL. That indicates the site is secure.
- Be sure you keep your antivirus, browser and operating system updated. If you don't, you run the risk of both getting viruses and having a thief who uses a keylogger track your keystrokes, potentially capturing your passwords.
- Never click on links in emails, even if the email is supposedly from your bank.
- Use two-step verification for email, social networking and any other account that offers it. That involves typing in a password that gets texted to you for one-time use.
- Use a password manager to help you create more secure passwords and organize them so you don't have to remember them.
For those who suspect they are a victim of a data breach, New York Attorney General Eric Schneiderman issued these tips:
- Create an identity theft fraud report. To do this, file a complaint with the Federal Trade Commission and print your Identity Theft Affidavit. You can also call the FTC at 1-877-438-4338. Use that affidavit to file a police report and create your identity theft report.
- An identity theft report will help you deal with credit reporting companies, debt collectors and any fraudulent accounts that a thief opened in your name.
- Put a freeze on your credit report by notifying each of the credit reporting agencies (Equifax, TransUnion or Experian) of the breach. This will block someone from obtaining credit using your name or personal information. You won't be able to apply for any new credit cards or loans while the freeze is in effect, but you can continue to use your existing cards. To freeze your credit file, you must notify all three credit bureaus. You can remove the freeze temporarily or permanently by contacting the agencies. There is no fee if you have been the victim of identity theft. The freeze can be removed only by you.
- Get a copy of your credit report from each of the three credit agencies. You are entitled to free reports once you post a fraud alert to or put a freeze on your account. Read the reports carefully to see whether other fraudulent transactions or accounts are listed, and then take steps to correct those errors.