@feorlen The problem is passwords won't provide a fix for the authentication cookies that were leaked, particularly if the site in question doesn't expire them. (Hint, hint, @matigo). "Changing passwords" may not be enough to mitigate the risk of this disclosure. Also, I can't imagine every one who ever used service X over the last several months had their information disclosed. While this event increases the risk above zero, it's not clear *by how much* so people can make an informed choice about what to

@feorlen The problem is passwords won't provide a fix for the authentication cookies that were leaked, particularly if the site in question doesn't expire them. (Hint, hint, @matigo). "Changing passwords" may not be enough to mitigate the risk of this disclosure.

Also, I can't imagine every one who ever used service X over the last several months had their information disclosed. While this event increases the risk above zero, it's not clear by how much so people can make an informed choice about what to do.

And, really, that's a problem with all these notifications. I know enough to make the assessment for myself, and I'm already doing a lot of the right things, so for me? The answer is: change maybe a handful of passwords, which is probably a good idea anyway.

For the average user, who has seen umpteen of these notifications, many of which are much more specific than this one? They're going to ignore it unless the specific site contacts them suggesting they change their password. And you know what? They're very likely going to be just fine doing so.

// @matigo @larand

2017-02-24T20:27:25Z