We try our best to keep Lifehacker readers aware of recent data breaches and security vulnerabilities that might have compromised their data. Any good website or service should tell you what’s up, too. Sometimes, though, you get an email out of the blue that your account credentials have been compromised—even though the company sending you that information is just fine.
What gives?
As internet security reporter Brian Krebs points out in a recent blog post, a company asking you to change your password doesn’t necessarily mean your account has been specifically targeted, nor that your data was seized by hackers due to poor security measures. It may simply be a proactive measure on behalf of the company to help you maintain the security of your account.
Large companies actively cross-check their hashed user data—like your secure password—by using these same hashing mechanisms to convert plaintext passwords found in various data breaches. If these hashed passwords match up against the hashed data already found in the company’s database for a user, that person is asked to update their password.
It’s also important to note that these notifications are not the same as unrecognized login attempts or password change requests, which are an indication that someone is trying to actively access your account. While the latter scenario requires a more urgent response, both should be taken seriously—change your password and update your security measures whenever asked, and do it with haste.
That said, passwords are notoriously poor security measures on their own. When you get a note from a company that your password was compromised in an unrelated data breach, consider it a great opportunity to brush up on your password security—as well as all the other security techniques that can keep you safe:
• Use this guide for tips on creating strong passwords, and make sure each account you have uses a completely unique password. Creating all those different passwords means extra work, sure, but it pays off. And if you’re worried about how to remember them all...
• ...use an encrypted password manager or store them physically in a safe space.
• Even the most unique password is vulnerable to hacks or accidental leaks. Luckily, you can check if your passwords have ever been stolen.
• Use two-factor authentication/multi-factor authentication whenever the option is available (here’s a list of services that provide 2FA, as per Krebs’ blog post). Doing so can keep folks out of your accounts/devices even if they have your password—just make sure it’s proper 2FA/MFA and not two-step authentication, which is much less secure.
• Don’t forget that many hacks start with physical access to a device or login info. Use guest modes when letting others borrow your devices, if available, and be wary of stalkerware and other forms of spyware, too.
• And finally, sometimes these emails are actually fake emails with phishing links. Don’t click suspicious links, and consult our guide on modern phishing scams for more help.