Search yourself.
You may be surprised by what you see when you type your (or your child’s) name into a search engine—a three-year-old wedding registry full of photos and identifying details, a professional website you’d forgotten you made, marathon results with your name and birthday, a public school directory with your kid’s photo. Where possible, update these pages to remove or password-protect information that you don’t want to be public. If the page allows a login but you’ve forgotten your password, try resetting it; if that doesn’t work, or someone else maintains the site, look for a contact page and try emailing the site administrator or customer support.
Assess the damage.
If you’ve ever filled out an online form or made an account on a website, chances are good that data have been exposed in a hack. Have I Been Pwned? is a database of these breaches, searchable by phone number and email address. Once your information has been taken, you can’t get it back—but you should definitely search your results page for the word password and update the compromised ones everywhere they were used. Yes, that means resetting your login credentials on any site where you might have used the same password: You wouldn’t want someone getting into your bank account just because it shares a password with some fly-by-night website you made an account on years ago.
Use private browsing—or better yet, a trackless browser.
Most desktop and mobile internet browsers offer private browsing—sometimes called “incognito” or “private” mode—which essentially scrubs your history from the device itself. This is a great tool when using a shared or public computer. But it doesn’t hide your browsing or search history from websites, internet-service providers, advertisers, system administrators (like your employer), or subpoena-empowered authorities. A privacy-focused browser—such as DuckDuckGo, Ghostery, Brave Browser, or Tor—prevents your activity from being stored locally and minimizes this second type of tracking.
Audit your apps.
Many browser extensions and phone apps are designed to suck up your data. The information absorbed can include the ads you click or your precise location while using the app, but it can also mean your photo roll, contacts, microphone and camera use, keystrokes, private messages, IP address, device type, and even your behavior (such as sites visited) outside the app. This information can be used to make the service work better—for example, a food-delivery app might use your location to tell you what’s available nearby—but some apps, especially free ones, also make money by selling your data to advertisers, data brokers, or the government. The good news is that you can manage access to your data by going to your phone’s privacy and security menu and looking for “Safety Check” (on an iPhone) or “Permissions Manager” (on Android). Go through app by app and disable any permissions that seem overreaching. (You may decide that you’re happy manually entering your address when you want takeout.) Pay special attention to what you’ve allowed apps to do “in the background” (that’s a slightly obfuscatory way of describing apps’ tracking you even when you’re not using them) and anything that makes reference to “third parties” (that can be another term for data brokers). Then do the same with your browser extensions. And if you’re not using an app or extension regularly, just delete your account and remove it from your device entirely.
Consider a burner email address.
Use a free service to set up a second email address and use it every time you set up a new social-media account, shop online, or otherwise interact with brands, not people. Your primary inbox will be clearer of junk, and companies will have a harder time tracking you.
Protect your devices.
Any device that can be protected—your computer, phone, tablet, router—should be. On your phone, face or fingerprint ID is good enough for most people, though, of course, using either means turning over your biometric information to a tech giant. A PIN or password is even more secure—the more characters the better.
Start changing your online passwords.
You’ve heard this one before because it’s really true: The single most important thing you can do for your security is use strong passwords everywhere—even on sites you think you’ll use only once, even if you’re not sharing personal information. Two things can make this easier.
Be NICE: The best passwords are New (not reused between sites), Impersonal (don’t include birthdays, addresses, names, etc.), Complex (contain lots of special characters and mixed-case letters), and Extensive (at least 8 characters). From now on, whenever you enter a password, check to see if it meets these requirements—and if it doesn’t, change it. Do the same with your security questions: The answer to “Where were you born?” (which is easy to figure out based on public information) should be gibberish, as though it were another password field.
Get a password manager. If strong passwords are the key to online security, a password manager is the key to keeping track of all those strong passwords without losing your mind. These work by storing all of your passwords in a single password-protected vault that connects with your phone and computer browser—so as long as you know that one master password, every other username and password will autofill as you travel around the web.
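As an added illustration (not part of the original article), the NICE test above can be written as a small Python check. The function names, the list of personal facts, and the set of already-used passwords are all assumptions made up for this example.

```python
import hashlib
import string

MIN_LENGTH = 8  # the "Extensive" threshold stated in the article


def _digest(password):
    # Demo only: lets the example avoid holding old passwords in plain text.
    # A real password vault protects entries with a slow, salted key derivation.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def nice_check(password, used_digests, personal_facts):
    """Return a dict mapping each NICE property to True (passes) or False."""
    lowered = password.lower()
    # Impersonal: no name, birthday or address fragment appears inside it.
    impersonal = not any(
        fact.lower() in lowered for fact in personal_facts if len(fact) >= 3
    )
    # Complex: mixed-case letters plus at least one special character.
    is_complex = (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c in string.punctuation for c in password)
    )
    return {
        "New": _digest(password) not in used_digests,
        "Impersonal": impersonal,
        "Complex": is_complex,
        "Extensive": len(password) >= MIN_LENGTH,
    }


def failures(password, used_digests, personal_facts):
    """List the NICE properties a candidate password fails, in N-I-C-E order."""
    result = nice_check(password, used_digests, personal_facts)
    return [name for name, ok in result.items() if not ok]


# Constructed sample data: one password already in use, three personal facts.
USED = {_digest("Sunshine!2019")}
FACTS = ["Jordan", "1987", "Maple"]

if __name__ == "__main__":
    for candidate in ["Sunshine!2019", "jordan1987", "gT7#", "vQ9$rl!Tz2&mPx"]:
        print(candidate, "->", failures(candidate, USED, FACTS) or "NICE")
```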
Enable two-factor authentication.
Two-factor is an extra layer of security standing between you and bad actors. It works by sending a unique, instantly generated code (or other prompt) to your phone or email when you try to log into an account, which you then enter in addition to a password. The result is that if, say, someone has your password but doesn’t have access to your phone itself, they won’t be able to get into your bank account. Turn this on wherever you can, and when possible use an app like Authy or Google Authenticator to do it (instead of text messages, which are more vulnerable to hackers).
Focus on what matters most.
Remember: The internet is real life. Think about what information you’re most protective of—not so you can panic, but so you can prioritize. Now think about which websites, gadgets, and apps have that information, look at their privacy policies, and see what permissions you can revoke. Privacy Not Included, a project by the nonprofit Mozilla Foundation, offers plain-English assessments of the privacy policies for hundreds of companies, focusing especially on high-stakes arenas such as wearables; dating, prayer, fertility, and mental-health apps; and kids’ products.
Make a date with digital privacy.
You’re already in a much better position than you were before—congratulations! But policies and regulations change, so after you’ve done all this, set a reminder for a year or so from now to update your devices and spin through the preferences in your apps. Now that you’ve laid the groundwork, it shouldn’t take long.