
Don’t Pay to Find Out if You’re Affected by the Super Hack

Why pay for something you’re entitled to by law?


Yesterday’s New York Times story about a super-sized data leak got a lot of attention because of the huge numbers in it: 1.2 billion username and password combinations, including half a billion email addresses, have been gathered up from 420,000 websites by a small gang of Russian hackers.

It certainly sounds impressive, and it’s the sort of thing that often generates a bit of panic about the security of people’s personal information. And it’s entirely reasonable to wonder if your information is in there, and which passwords you might want to change.

But then the firm that claimed to have made the discovery, a Milwaukee-based outfit called Hold Security, announced a “breach notification service” that it said would cost $120 a month, and the entire thing took a turn for the sketchy. (More from Kashmir Hill at Forbes here.)

Putting aside the appearance of a company that seems motivated to profit from the panic it has sought to create (there are some smart thoughts about that from The Verge here), there are a lot of reasons why you shouldn’t pay, especially if you’re a U.S. resident. Most states — starting with California, which passed a law about this in 2002 — require that when a company finds out that customer data has been compromised, the customers have to be told.

The laws vary from state to state in how long a company may wait between discovering a breach and notifying you. A total of 47 of the 50 states, plus the District of Columbia and the territories of Guam, Puerto Rico and the Virgin Islands, have these laws on the books.

What this means is that if any company or government agency has your personal information and has been notified of a breach in connection with this incident, you will eventually find out. It’s the law. So don’t panic and start forking over cash to Hold Security.

Most of the major and minor companies with whom you do business on the Internet will respond to this disclosure as the various laws require and tell you if something happens. As for some of the “very small sites” affected by this, which may or may not have been notified yet and may never tell you, you probably don’t care about them anyway.

Naturally, whenever one of these high-profile data breach incidents takes place, it doesn’t hurt to revisit your username and password management techniques. Take a look at Dashlane, 1Password (which is what I happen to use) and LastPass. They can take the pain out of changing compromised passwords when needed. Above all, stop using the same password over and over for different sites. That’s just asking for trouble.

But generally people aren’t doing much when these things happen. The disclosure earlier this year of the Heartbleed vulnerability provided the world with the potential for a worst-case cyber security scenario that, at least as far as is known, hasn’t materialized. For all the chatter in the media, most people did nothing about it. People did get upset about the Target breach because it involved their credit and debit card numbers, and so hit them right in the wallet.

Ignoring the threat isn’t the correct response, but neither is paying for information you’re otherwise entitled to for free, by law.

This article originally appeared on Recode.net.
