Marriott just announced one of the biggest data breaches to date. Data from up to 500 million guest records in its Starwood reservation system was exposed. Even more alarming, the attackers had access to that system for roughly four years before anyone noticed. Cool.

What information was exposed

Hackers copied information from the Starwood guest reservation database. According to Marriott's frequently asked questions about the breach, the following personal information was exposed:

  • Names

  • Mailing addresses

  • Phone numbers

  • Email addresses

  • Passport numbers

  • Payment card numbers

  • Payment card expiration dates

  • Starwood Preferred Guest ("SPG") account information

  • Dates of birth

  • Gender

  • Arrival and departure information

  • Reservation dates

  • Communication preferences

If you made a reservation at a Starwood property between 2014 and September 10, 2018, your personal data was likely exposed. Marriott-branded hotels run on a separate reservation system and were not affected. Marriott has begun notifying affected guests by email.

What to do about the Marriott breach

There's a laundry list of actions you should take to protect yourself.

  • Monitor your Starwood account for suspicious activity.
  • Keep an eye on your bank statements for strange charges.
  • Some security experts are recommending you freeze your credit, which would prevent anyone from applying for loans or credit cards in your name.
  • Don't click links in emails asking for your personal info, even if they look official; phishing campaigns routinely piggyback on breaches like this one. (Any official emails coming from Marriott will come from

Marriott is also offering a free year to a service called WebWatcher, which will monitor the internet for your personal info. You can sign up on the Marriott breach information page.

Above all, do 1 thing to better protect your online accounts

If you have a Starwood online account, changing your password is also a smart move. But if you do one thing, it's this: change your password in every single place where you've reused that same password. Use a different, unique password for every account. And definitely don't pick anything that appears on a most-commonly-used-passwords list.

Hackers love it when you use the same password on multiple accounts, because now they can try to log in to all sorts of websites with it -- and often they will succeed.

If someone got their hands on your email address and password from the Starwood breach, they can write a simple program that tries that same combination on thousands of websites at once. Bank websites. Email providers. Anything, really.

This is called credential stuffing. It isn't technically hacking, because nothing about the target site has to be broken: the criminals simply replay credentials that are already out there. If you know a password has been exposed and keep using it, you're leaving every account that shares it open to unauthorized access.
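Here is what credential stuffing looks like from both sides, as an added example that is not part of the original article. Everything in it is constructed: the "Starwood" dump, the three services (bank, webmail, shop) and their users are all inline stand-ins, and the hashing parameters are deliberately low so it runs instantly. The attacker side replays each leaked email/password pair against every service; the defender side scans a service's login log for the telltale pattern of one source IP attempting many different usernames.

```python
"""Credential stuffing, simulated offline (added example, not from the article).

Everything here is constructed: the breach dump, the three services and their
users. It shows why one reused password turns a single breach into several
account takeovers, and the login-log pattern a defender can alert on.
"""
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 10_000  # deliberately low so the demo runs instantly


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Service:
    """Toy login backend: salted PBKDF2 password hashes plus an auth log."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._users = {}   # email -> (salt, digest)
        self.log = []      # (src_ip, username, success)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, _hash_pw(password, salt))

    def login(self, email: str, password: str, src_ip: str) -> bool:
        ok = False
        rec = self._users.get(email)
        if rec is not None:
            salt, digest = rec
            ok = hmac.compare_digest(digest, _hash_pw(password, salt))
        self.log.append((src_ip, email, ok))
        return ok


# Constructed "Starwood" dump: email/password pairs the attacker now holds.
LEAKED = [
    ("alice@example.com", "Summer2014!"),   # alice reuses this everywhere
    ("bob@example.com", "hotel-only-pw"),   # bob uses a unique password per site
    ("carol@example.com", "Carol1985"),     # carol reused it at one other site
    ("dave@example.com", "dave-pw"),        # dave has no account at these sites
]
ATTACKER_IP = "203.0.113.5"  # constructed; RFC 5737 documentation range


def build_services() -> list:
    bank, mail, shop = Service("bank"), Service("webmail"), Service("shop")
    for svc in (bank, mail, shop):
        svc.register("alice@example.com", "Summer2014!")
    bank.register("bob@example.com", "bank-unique-9f3k")
    mail.register("bob@example.com", "mail-unique-7q2z")
    shop.register("bob@example.com", "shop-unique-4m8v")
    bank.register("carol@example.com", "Carol1985")
    mail.register("carol@example.com", "Different#1")
    # A little legitimate traffic so the detector has a baseline to ignore.
    bank.login("alice@example.com", "Summer2014", "198.51.100.7")   # typo, fails
    bank.login("alice@example.com", "Summer2014!", "198.51.100.7")  # succeeds
    return [bank, mail, shop]


def stuff(services, leaked, src_ip=ATTACKER_IP) -> dict:
    """Attacker side: replay every leaked pair against every service."""
    owned = {}
    for svc in services:
        owned[svc.name] = [e for e, p in leaked if svc.login(e, p, src_ip)]
    return owned


def detect_stuffing(log, min_distinct_users=3) -> dict:
    """Defender side: flag source IPs that try logins for many different users.

    A real person hits one or two accounts from an IP; a stuffing run hits
    many, most of them failing. The threshold is illustrative only.
    """
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for ip, user, ok in log:
        rec = by_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        rec["failures"] += 0 if ok else 1
    return {
        ip: {"attempts": r["attempts"], "distinct_users": len(r["users"]),
             "failures": r["failures"]}
        for ip, r in by_ip.items() if len(r["users"]) >= min_distinct_users
    }


if __name__ == "__main__":
    services = build_services()
    print("compromised:", stuff(services, LEAKED))
    for svc in services:
        print(svc.name, "flagged:", detect_stuffing(svc.log))
```

Alice, who reused one password, loses all three accounts; Bob, whose leaked hotel password is unique to that site, loses none. On the defender side the attacker's IP stands out on every service because it cycles through four usernames while Alice's own two attempts from her home IP do not cross the threshold.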

It's time for some digital housekeeping

Most of us have hundreds of online accounts. Who's going to remember hundreds of passwords? No one.

That's what a password manager is for. The beauty of a password manager is that you don't have to remember any of your passwords. The software does it for you. You just need to remember one: the password you use to log in to your password manager.

A password manager saves all your passwords, then autofills them into websites and apps for you. It can also generate strong, unique passwords and flag the ones you've reused. Troy Hunt, a security expert who runs a large database of data breaches, says the most secure password is one you can't remember.
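The two checks a good password manager runs on your vault, reuse and breach exposure, are small enough to show in code. The following is an added example and not the article's or any password manager's code; the vault entries and the breach data are constructed inline. The breach lookup copies the k-anonymity shape of Troy Hunt's Pwned Passwords range API (the client sends only the first five hex characters of the password's SHA-1 and receives a list of matching hash suffixes with counts), but it is served from an inline dict so nothing leaves the machine.

```python
"""Vault audit: find reused and breached passwords and mint replacements.

Added example, not from the article or any password manager. The vault and
the "breached" hash data are constructed here. The lookup mirrors the
k-anonymity design of the Pwned Passwords range API (5-char SHA-1 prefix out,
suffix:count lines back) but reads from an inline fixture so it runs offline.
"""
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Constructed vault export: (site, username, password).
VAULT = [
    ("starwood.example", "alice@example.com", "Summer2014!"),
    ("bank.example", "alice@example.com", "Summer2014!"),
    ("webmail.example", "alice@example.com", "Summer2014!"),
    ("shop.example", "alice", "password1"),
    ("forum.example", "alice", "mR7$kq2!vLp9&zX3"),
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def _range_fixture() -> dict:
    """Stand-in for the range API: prefix -> ["SUFFIX:COUNT", ...].

    Only the two weak vault passwords are "breached"; the counts are made up.
    """
    fixture = {}
    for pw, count in (("Summer2014!", 12), ("password1", 2400000)):
        h = sha1_hex(pw)
        fixture.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return fixture


RANGE_FIXTURE = _range_fixture()


def breach_count(password: str, fetch_range=RANGE_FIXTURE.get) -> int:
    """k-anonymity lookup: only a 5-char hash prefix is sent; matching is local."""
    h = sha1_hex(password)
    for line in fetch_range(h[:5]) or []:
        suffix, count = line.split(":")
        if suffix == h[5:]:
            return int(count)
    return 0


def find_reuse(vault) -> dict:
    """Return {password: [sites]} for every password used on more than one site."""
    by_pw = defaultdict(list)
    for site, _user, pw in vault:
        by_pw[pw].append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """CSPRNG-backed password; never use random.choice for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    return length * math.log2(len(alphabet))


def audit(vault) -> dict:
    """Return {site: reason} for every entry that should be rotated."""
    reused = find_reuse(vault)
    findings = {}
    for site, _user, pw in vault:
        reasons = []
        if pw in reused:
            reasons.append(f"reused on {len(reused[pw])} sites")
        n = breach_count(pw)
        if n:
            reasons.append(f"seen {n} times in breaches")
        if reasons:
            findings[site] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for site, reason in audit(VAULT).items():
        print(f"{site}: {reason} -> new password: {generate_password()}")
    print(f"20 chars from {len(ALPHABET)} symbols = {entropy_bits(20):.0f} bits")
```

The three sites sharing "Summer2014!" and the one using "password1" come back flagged; the forum entry with a generated password passes both checks. A 20-character password drawn from the 94 printable ASCII symbols carries about 131 bits of entropy, which is why the manager's generator, not your memory, should be choosing it.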

Wirecutter has tested several password managers and recommends 1Password ($26 per year) and LastPass ($24 per year) as the best options.

Getting set up with a password manager and changing all your passwords isn't hard. It just takes time. But it's really one of the best things you can do to boost the security of all your online accounts -- and it gives you better peace of mind. There's little you can do to prevent data breaches from happening, and unfortunately they're becoming more common. But you can take steps to limit the damage when one happens, starting with better, unique passwords.

At the very least, do it for every account that holds deeply personal or financial information, such as your email, bank, and retirement accounts. You'll feel much better that you did.