No security structure is infallible. There will always be a weak link in a chain, there will always be an unforeseen vulnerability, there will always be the human element that leads to catastrophic errors, there will always be the danger of infiltration. The proportions don't matter; whether it's a big or a small structure, it will never be 100% secure.
The databases of websites get breached and leaked all the time by malicious actors utilizing one of the aforementioned shortcomings of security measures. The reasons for doing so are varied, but the most common and most dangerous ones are account theft, identity theft and doxxing. These information databases almost always get released publicly on easily accessible hacking forums for anyone to freely access and exploit, meaning any halfwit with an account on such a forum can suddenly turn into spooky HACKERMAN with the info extracted from such a database without needing any prior expertise. The sheer amount of sensitive information that one can obtain from a website's breached database can massively help in achieving any one of the 3 goals mentioned earlier.
From what I've noticed, people do not pay much attention to this issue even though it should be considered of the utmost priority for any netizen. There are two things at fault for this: blissful ignorance and the fact that database breaches do not get covered much by mainstream media. There are a few tech-oriented websites that cover them from time to time, but they are obscure publications and they do not provide detailed guidance on how to protect yourself. All they do is acknowledge that xyz website has had its database leaked, touch on some details about how it happened and mention the categories of information compromised. The purpose of this article is to detail ways you can protect yourself from database leaks and how to mitigate security holes in the event that you are already one of the many victims of them (which you most likely are, statistically speaking).
The type and amount of information that is compromised varies significantly from leak to leak, just like websites vary significantly between each other. It can range from being a minor issue to a gigantic security risk. That is not to say that one should pay attention only to the latter kind of breach, though; small, minute security holes can still prove to be dangerous and must be patched up as well, lest they fester and grow in size. You can generally expect the following categories of information to be compromised in a database leak:
It doesn't take a lot of thought to see why this information being leaked should be alarming to anyone. It can be used for a plethora of malicious activities, from doxxing to account theft all the way to identity theft. Luckily, though, there are ways to mitigate the risks considerably.
The first security measure to take is a prophylactic one - after all, prevention is preferable to treatment. Having multiple passwords and utilizing multiple emails can go a very, very long way. Credential stuffing attacks will generally occur utilizing only the email and password contained within the leak, so the rest of your email addresses, accounts and the passwords associated with them would remain safe from any such attempts. For simplicity and ease of use, I recommend having at least 3 passwords: a low security one you use for signing up to sketchy websites and really random stuff, a medium security one you use as a general purpose one and a high security one you use to secure your emails and other such high value, high risk accounts. Of course, the more different passwords you have, the better, but then you'll encounter the issue of having to memorize them. In order to solve this issue, I recommend using an offline(!!!) password manager (recommendation: KeePass) or an old-fashioned text document in a password-protected archive. Make sure to back up your passwords somewhere so that you don't lose them - an external USB, disk or solid state drive is your best bet, but you can also go the old-fashioned way and write the passwords on a piece of paper you keep stored somewhere safe. This compartmentalization of passwords and emails can offer you a huge security boost and prevent credential stuffing attacks and dox attempts on you.
Another prophylactic security measure you can take is limiting the amount of information you use when signing up to a new website. Omitting sensitive details if offering them is optional or giving fake details if offering them is mandatory can go a long way in protecting your security by ensuring that there will be no details to be leaked in the first place if the database gets breached. Of course, none of this is feasible if you're signing up for something necessary where you genuinely need to offer your actual, real details, but outside of this it is best if you don't give away your real details. Use fake birth dates, don't put your real name and phone number in (two-factor authentication is great, but ask yourself this: is the potential risk of having my phone number leaked and exploited worth it? More often than not the answer will be no), and don't use your personal, school or work email to sign up for random stuff; use a different email instead. You get the idea.
So far I have touched on ways you can minimize the effects a leak can have on your privacy and security. However, these measures are useless at patching already-existing security holes - if you've already been affected by a database leak, you need to take extra measures on top of doing what I detailed earlier for preventing further damage. The next section of this chapter will detail ways to mitigate database leaks that have already happened.
Like in any other endeavor, a vital step in patching the security holes caused by database breaches is to gather information, lay out the facts in an orderly fashion and assess the situation at hand. Going into specifics, you need to make a list of all of your e-mail addresses and check each one through the HaveIBeenPwned (HIBP for short; an easy-to-use repository of breached databases) website. It's frequently updated with new databases that have been breached and it also displays details regarding the categories of information compromised in said breaches. While it won't protect you from obscure database leaks that haven't been publicly released and/or acknowledged, it is still an indispensable tool that will inform you of what has been compromised, where it has been compromised and when it has been compromised.
After verifying on HIBP what information has been compromised, the next step is taking measures to secure oneself. If a password is compromised, it must immediately be phased out of use and be replaced with a new password wherever it was formerly used (hint: make sure your password is at least 10 characters long and has numbers, lower case characters, upper case characters and symbols). Usernames associated with your emails in leaks can facilitate dox attempts and being spammed with junk mail; therefore, I suggest using multiple usernames on the internet and changing them from time to time. If a phone number is compromised, it is recommended to change it. Patching existing security holes is extremely important and, with these measures, you can effectively nullify them.
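The two steps above (list what HIBP reports, then replace a compromised password everywhere it was used) can be worked through offline with a short script. This is an added example, not part of the original article: the account inventory, the findings and every function name are constructed for illustration, and it assumes you keep the inventory in a local file on your own machine, as you would an export from an offline password manager.

```python
from collections import defaultdict

# Constructed sample inventory (all values made up): site, sign-up email, password.
ACCOUNTS = [
    ("forum.example", "throwaway@example.org", "hunter2"),
    ("games.example", "throwaway@example.org", "hunter2"),
    ("shop.example",  "main@example.org",      "Tr0ub4dor&3x!"),
    ("news.example",  "main@example.org",      "Tr0ub4dor&3x!"),
    ("mail.example",  "main@example.org",      "c0rrect-Horse-Battery9"),
]

# Constructed findings, as noted down after looking each email up on HIBP:
# (email, breached site, categories of data compromised).
FINDINGS = [
    ("throwaway@example.org", "forum.example", {"Email addresses", "Passwords"}),
    ("main@example.org",      "news.example",  {"Email addresses", "Usernames"}),
]

def sites_to_rotate(accounts, findings):
    """Every site that uses a password exposed in one of the breaches."""
    by_login = {(site, email): pw for site, email, pw in accounts}
    reuse = defaultdict(set)                    # password -> sites using it
    for site, _email, pw in accounts:
        reuse[pw].add(site)
    exposed = set()
    for email, site, categories in findings:
        pw = by_login.get((site, email))
        # Only a breach that included passwords burns the password itself.
        if pw is not None and "Passwords" in categories:
            exposed.add(pw)
    return sorted({s for pw in exposed for s in reuse[pw]})

def meets_hint(password):
    """The article's hint: 10+ characters with digit, lower, upper and symbol."""
    return (len(password) >= 10
            and any(c.isdigit() for c in password)
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(not c.isalnum() for c in password))

def fails_hint(accounts):
    """Sites whose current password does not satisfy the hint."""
    return sorted({site for site, _e, pw in accounts if not meets_hint(pw)})

if __name__ == "__main__":
    print("change password on:", sites_to_rotate(ACCOUNTS, FINDINGS))
    print("fails length/charset hint:", fails_hint(ACCOUNTS))
```

Note that the breach of forum.example also forces a change on games.example, because the same password was reused there; the news.example breach exposed no passwords, so only the email and username need attention.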
Database leaks are a frequent occurrence in today's internet and it is important to know how to combat the security issues they create. Utilizing the measures in this article, you will be able to safeguard yourself against them effectively. It does not take a lot of effort - in exchange for just a little bit of your time, you head off huge issues that could otherwise spark up in the future.