Like many people, I am concerned about security and privacy online but, until now, I have been too lazy in regularly changing and varying passwords or in using tools such as two-step or two-factor verification. Then I came across this article which contained this paragraph:
How might a digital EPA function? Well, it could do some of the work that individuals do today. For example, the website of Australian security expert Troy Hunt, haveibeenpwned.com (“pwned” is how elite, or “l33t,” hackers, or “hax0rs,” spell “owned”), keeps track of nearly 5 billion hacked accounts. You give it your email, and it tells you if you’ve been found in a data breach. A federal agency could and should do that work, not just one very smart Australian—and it could do even better, because it would have a framework for legally exploring, copying, and dealing with illegally obtained information.
The haveibeenpwned website allows you to check if your email has been subjected to a data breach. As far as I can assess, the website is legit (it passed by antivirus and nothing suspicious came on a Mr Google search about the website or Troy Hunt) though I cannot verify that as a fact.
Below are the number of data breach incidents from hacking by year the incidents were made public, as publicly disclosed and monitored by Privacy Rights Clearinghouse. 2016 includes high profile incidents like Yahoo and LinkedIn. Obviously, there is likely to be many many more incidents which haven’t been found out or publicly disclosed.
click to enlarge
Oh, and by the way, it looks like two-step or two-factor verification is deeply flawed also, as per this article. Nonetheless, I am told it’s better to have it than not.
This blog represents my personal views and is not reflective of the views or opinions held by any company or employer I work for currently or have worked for in the past. The views expressed herein are based solely upon publicly available data. No views expressed herein should be taken as an endorsement to take any particular course of action in the markets. The basis of this blog is that different views should be expressed and readers make up their own minds on the what they believe and act accordingly.
deconstructingrisk 
Two-factor is actually ok but… as the article says:
“In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier account — then you’re home free.”
I think weak implementations (including over-eager customer service) pose a bigger problem. If you are serious (and honestly, I am not) get a USB token or something similar and you will be pretty safe. But if you loose it you are screwed. Which brings me to the major problem: as long as humans make no mistakes a high degree of security is possible. But you have to allow for things going wrong and these are the weak points that can (and will) be attacked.
Best
Eddie