What to Do When your Password is Shared, Compromised or Breached

March 3, 2023

Recent news events have increased the attention on password use and how users can protect their accounts and passwords.

Last week, while talking with a neighbor who doesn’t work in tech, I was asked what to do after one of their streaming accounts had been compromised. My first question was, “Were you able to restore access and change your password?“ They beamed with pride as they answered, “Yeah, it took a few minutes, but I kicked the hacker out.” So, I posed the next question, “Where else did you use that same password?” Slowly their proud smile faded and turned to a look of confusion. They proceeded to list several services where they had used the same generic password. As they listed off those services, it began to dawn on them that the “hacker” may not be as “kicked out” as they thought.

This lesson is one we in the information security world have been espousing for years: “Don’t reuse passwords.” We’ve recommended the use of password managers to enable the use of unique passwords. But what happens when our advice is now the source of a new question: “Have you heard of the LastPass breach? What do I do now?” The answer becomes more complicated, but here are three tips to keep in mind.

Change Your Passwords

The easy answer to give, which is harder to accept, is to change all your passwords. This can be daunting enough, but in the face of recent events, we can’t stop there. We need to teach the principle of defense-in-depth.

We at Optiv offer guidance on how to Secure Your Password, focusing on using a different password for every service. But every user needs to take a few more steps to ensure that their accounts remain secure.

Enable Multifactor Authentication

We in the information security industry have been advising users to enable multifactor authentication (MFA) everywhere they can. Of all the available second factors, we recommend hardware tokens or fobs, or an authenticator app, over the typical text message or emailed code. There are several solutions here, including YubiKey, Google Authenticator, Microsoft Authenticator and OnlyKey. The challenge is that different services support different solutions. For any service where the only option for MFA is answering security questions, it’s better to lie through your teeth. After all, malicious hackers can research you on social media and find the correct answers to many of these questions.

Monitor Account Access and Services

It is important to monitor access to our accounts. Many services offer to send notifications when a user logs into the account. You should enable this feature to enhance your account security. You may receive more emails or text messages as a result. But in the event of a compromised account, knowing is half the battle. Numerous other solutions offer some type of tracking of account access or trusted devices. Review these lists periodically to ensure that there are no unexpected logins or devices.

Finally, monitor the services you use for public breaches so that you are aware when a password may have been compromised. Creating an alert through https://haveibeenpwned.com/ is a great place to start raising your awareness to the constant stream of breaches that seem to occur.
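One way to check whether a password already appears in a known breach without ever sending the password itself, added here as an example rather than code from the original post: Have I Been Pwned’s Pwned Passwords range API accepts only the first five characters of the password’s SHA-1 hash and returns every matching hash suffix with its breach count, so the comparison happens locally. The `fetch` parameter and the sample response used when testing are constructed for illustration.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Public HIBP range endpoint (see https://haveibeenpwned.com/API/v3); it takes
# a 5-hex-character SHA-1 prefix and returns "SUFFIX:COUNT" lines.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password and split the uppercase hex digest into the 5-char
    prefix that is sent and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned by the range endpoint."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Query the live service for one hash prefix (needs network access)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how often the password appears in the HIBP corpus (0 if never).
    Only the prefix goes over the wire; the suffix match is done locally."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    import getpass
    n = breach_count(getpass.getpass("Password to check: "))
    print(f"seen {n} times in known breaches" if n else "not found in known breaches")
```

A non-zero count means the password should be retired everywhere it was used, not just on the service that reported the compromise.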

By raising your security awareness and by practicing a defense-in-depth strategy, you can significantly increase the security of your accounts. In light of all the recent data breach headlines, take a proactive approach instead of a solely reactive one when it comes to your password security.

Doug Rogahn
Senior Security Consultant | Optiv
Doug Rogahn is a Senior Consultant within the Application Security group of Optiv’s Threat Practice. With more than 10 years’ experience in Information Security, Doug has worked with a variety of businesses from large global enterprises to small sole proprietorships. Doug is a subject matter expert (SME) on application security and application penetration testing. Doug also enjoys branching out of the virtual world into the realm of physical security, where he runs lockpick villages for small and mid-sized security conventions.

Heather Hall
Threat Demand and Delivery Manager | Optiv
Heather is a retired Army Cyber Warrant Officer. After dedicating 22 years to public service, she jumped into industry and held roles securing companies ranging from the nation’s largest casino chain as well as the second largest privately held company and most interestingly a niche market of a private wealth family. Heather applies knowledge gained from earning 14 cyber certifications and a Master's in Cyber as a Threat Demand and Delivery Manager at Optiv Security. Heather’s role has her interacting with Fortune 100 clients to secure the United States most important resources – data and people.
