This year we have witnessed Yahoo acknowledge the greatest data breach in history. In September, the Internet giant admitted to the theft of at least 500 million email addresses, passwords, usernames, dates of birth, phone numbers, and, in some cases, security questions with their corresponding responses. Shortly thereafter, in December, the company announced that up to 1 billion accounts may have been compromised in a different breach.

This wasn’t the only major security crisis of 2016. The personal data of Snapchat employees (names, Social Security numbers, salaries…) fell in the wrong hands because of a con known as “whaling”. Cyber criminals impersonated Evan Spiegel, the company’s CEO, in order to obtain the data in question.

The credentials of 117 million LinkedIn users, 68 million Dropbox users, and 1.5 million Verizon customers also fell into the hands of cybercriminals, some of which went up for sale on the dark web. There are a few lessons we can learn from this and other unsettling news items we’ve seen in 2016.

1- No Password is Safe

At this point, following the theft of such an enormous quantity of information, one can assume that any password that is a couple years old is compromised. There is no service that is significantly safer to use than others, and none that we should trust blindly. It follows that the most sensible thing to do is to change all passwords that have been in use for a period of time. Reusing passwords unnecessarily puts the user at risk.

2- Security Questions Are Part of the Problem

As soon as they learned about their data breach, Yahoo disabled security questions like “when is your mother’s birthday?” and “what color was your first car?”. It’s no longer only a matter of whether the answers can be found by digging into potential victims’ profiles on social networks, but also of the fact that many answers have been directly stolen. Unlike passwords, this kind of data does not change. Substituting it for false data would be tantamount to creating a second password. In other words, the risk of forgetting it is still there, which obviously defeats its purpose as a means of password recovery. The remedy becomes worse than the original problem.

3- Delete Registration Emails

Cybercriminals place increasingly more value on web users’ emails and passwords. This comes as no surprise, since emails can be the door to many other things. If your password is stolen from one service, and you use the same one for email, intruders will have access to whatever recovery email they need for any other service you have an account at. What’s more, they can look through old messages for registration emails to find out where you’ve been signed up before. This is easily avoided by deleting registration emails as soon as you receive them.

4- Bigger Fish to Fry?

If you’re running a company, however small, don’t make the mistake of thinking that data theft only affects the giants. In fact, it’s easier and more profitable for cybercriminals to target small business. Not only have attacks on small businesses been on the rise, but also their consequences are much more severe. The smaller the company, the greater the risk of a security crisis wiping it out.

5- Be Transparent and React Quickly

If the worst should happen, notifying your customers or users that their confidential information has been stolen should not be taken lightly. It’s important to let them know right away, with as much detail as possible and without downplaying the potential risks. Hiding or disguising the truth can only make things worse. For starters, those who have been affected will not be able to change their passwords as quickly as they should. Finally, your credibility is at stake. The damages done to it will grow the more time that passes between the breach and your announcement of it.