How to limit the impact of data breaches

Some best practices and tools.

A few days ago I read the following tweet:

Unfortunately, the only correct answer is “I’ll get hacked again”. There’s simply no way to prevent websites or apps from getting hacked and, consequently, our personal data from being stolen.

This may sound very discouraging, but there are several things you can and should do to prevent certain types of attacks and reduce harm when a data breach happens.


Defend against password reuse and brute force attacks

It’s the same old story, but a very important one: use a unique password for each of your accounts. This prevents password reuse attacks, where attackers take a username and password leaked from one site and try the same combination on other websites and services.

It’s not enough to use unique passwords. Use strong passwords that are not known to have been breached. Attackers try to brute-force their way into user accounts using predefined lists of weak, often previously breached passwords. Some websites already block breached passwords, but unfortunately most don’t. If you use Chrome, Okta’s passprotect extension is worth installing. Whenever you enter a password on a website it is checked against half a billion breached passwords, and you are notified when the password is not safe to use.
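The check a tool like passprotect performs can be done without the password ever leaving your device. The added example below (not code from the original post, nor from Okta or Have I Been Pwned) models this on the k-anonymity "range" API of Have I Been Pwned's Pwned Passwords: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every breached hash suffix in that range, and compares locally. The breached-password corpus and its counts are constructed here so the example runs offline.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a breached-password corpus (passwords and breach
# counts are made up for this example; a real service holds hundreds of
# millions of hashes, not plaintext passwords).
CONSTRUCTED_BREACHED = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "qwerty": 3_900_000,
    "letmein": 100_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the format the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Group hashes by their 5-character prefix, as the range endpoint does.
    Each entry is 'SUFFIX:COUNT' (35 hex chars, then the breach count)."""
    index: dict = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def fetch_range(prefix: str) -> str:
    """Stand-in for GET .../range/{prefix}. The server only ever sees these
    five characters, never the password or its full hash (k-anonymity)."""
    assert len(prefix) == 5, "only the 5-character prefix may be sent"
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str) -> int:
    """Return how often the password appeared in breaches (0 = not found)."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:        # compared locally, on the client
            return int(count)
    return 0


def generate_password(length: int = 20) -> str:
    """Random, long password of the kind a password manager would produce."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

A site-side check works the same way: refuse or warn on any password whose `breach_count` is above zero.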

The best passwords are random and long ones you can’t even remember. Password managers are ideal to generate and recall these passwords when necessary.

Limit the impact of a data breach

Every time you register an account ask yourself:

How can I minimize the impact when this account is hacked?

Here are some best practices and tools to help you:

  • As discussed already, use strong, unique passwords to limit the impact of a breach.

  • Provide only the strictly necessary data at account creation. When a mandatory field asks for data the service does not actually need, enter fake data.

  • Activate two-factor authentication when possible. Even if attackers get your password they can’t access your account unless they are also able to provide a second verification (typically a code received via SMS or from an authenticator app). is a handy site that lists sites offering 2FA. There’s also an extension available for Google Chrome and Firefox ( that uses under the hood and notifies you when a site supports 2FA.

  • Often overlooked: when you give other sites or apps access to an account, each of them becomes a potential security risk for that account, because if they get hacked, so does your access. Be very restrictive in granting a site or app access, and when it is hacked or you no longer trust it, remove its access immediately.

Data breach detection

One password-security best practice is to change passwords when there’s proof of compromise. This implies that, on top of the measures discussed earlier, data breach detection services are a necessary part of your overall defense strategy.

Although these services only cover a fraction of all data breaches, they are still very valuable. The best known is probably Have I Been Pwned? You can subscribe with a particular email address and will get notified when it appears in a data breach.

Another interesting service is HackNotice. Its approach is a bit different: you specify which companies, sites and apps you want to monitor for breaches, and for which identities. Whenever your identity is found in a breach of a monitored service, you’ll be informed.

Some password managers also offer breach detection services. When you’re about to select or switch to another password manager it’s certainly good to keep this in mind.
