Ramblings of an aging IT geek

a billion accounts, and the reuse problem we keep ignoring

Reflections on the latest mega-breach disclosure and why password reuse, not the breach itself, is the part that should keep you up at night.


So that happened. This week brought the disclosure of a breach measured in the billions of accounts, a figure so large it stops meaning anything. You read it, you nod, you sigh, and you carry on. Which is exactly the problem.

I want to be careful here, because the specifics are still settling and I would rather be vague than wrong. The exact dates, the precise mechanism, who knew what and when, all of that will be picked over for months. But the broad shape is familiar enough: a very large service, a very old compromise, hashes that were not stored anywhere near well enough, and a disclosure that arrives years after the horse left the building.

The headline number is the part everyone fixates on, and it is the least interesting part. A billion accounts is not a billion problems for you personally. One of them might be.


Here is the bit that actually matters, and it is not glamorous. The danger from a breach like this is almost never the breached service itself. By the time it is in the news, that account is a write-off; you change the password and move on. The danger is credential stuffing: someone takes the email and password pairs from this dump and tries them, automated and at scale, against your bank, your email, your cloud provider, everywhere you reused that same password. The breach is the match. Password reuse is the petrol.

I have lost count of the times I have explained this to people who are perfectly competent in every other respect and yet still have one "good" password they use everywhere because it is hard to remember more than one. That is entirely rational human behaviour, and it is exactly what these dumps are built to exploit.

The fix has not changed and is not exciting. Use a password manager. Generate a long random string per site so a breach of one is a breach of one, full stop. Turn on two-factor wherever it is offered, because even a leaked password is far less useful when there is a second factor in the way. And if you are the one running a service, store passwords with a proper slow hash like bcrypt or scrypt, salted per user, so that "we were breached" does not automatically become "and now everyone's password is on Pastebin."

None of this is new advice. We have been giving it for years. The depressing thing about each fresh mega-breach is not that it teaches us something, it is that it teaches us nothing we did not already know, and we still have not done the boring work. I changed a couple of passwords this evening that I had been meaning to rotate for ages. Consider doing the same, and then go and set up the password manager you have been putting off. Future you, reading the next one of these headlines with a shrug instead of a cold sweat, will thank you.