16 billion passwords were just leaked – Here’s how your nonprofit can stay safe

A Simple Security Guide for Nonprofits After the Big Password Leak

You may have seen the headlines this week: a massive list of 16 billion stolen usernames and passwords was found online. It’s a staggering number, and it’s natural to feel a little anxious about what it means for your organization.

But before you worry, let’s talk about what this is and what it isn’t. This isn’t from a single company getting “hacked.” Instead, it’s a giant collection of login details gathered over time from many different sources, likely by malicious software that quietly steals information from infected computers.

The big takeaway? Many of these passwords are new and actively in use, making this a serious tool for online criminals.

Why This Is a Wake-Up Call for Every Nonprofit

As a nonprofit leader, you’re focused on your mission, often with a tight budget and a small team. Cybercriminals know this. They see nonprofits as attractive targets because you handle a treasure trove of sensitive information:

  • Donor Information: Names, addresses, and donation histories are valuable.
  • Volunteer & Staff Details: Personal information that can be used for identity theft.
  • Client & Community Data: Depending on your work, this can be deeply personal and confidential.

Think of your security like the locks on your office door. If a criminal gets a key (a stolen password), they can walk right in. They might try to trick your team into sending money, hold your data for a ransom, or steal the identities of the very people you work to support.

The good news is that you don’t need a huge budget or a team of tech geniuses to protect your organization. You just need to build a few smart, simple habits.

Your Simple 8-Step Security Checklist

Here are straightforward, low-cost steps you can take right now to make your organization dramatically safer.

1. Rule #1: Use One-of-a-Kind Passwords for Everything

The single biggest mistake people make is reusing passwords. If a hacker gets your password for one site, they’ll try it everywhere.

  • Your Action: Insist that every staff member uses a unique password for every single work-related account. A password manager (like 1Password, Bitwarden, or the free ones built into Google and Apple) makes this easy by creating and remembering strong passwords for you.

2. Rule #2: Add a Digital Double-Lock (MFA)

Multi-factor authentication (MFA) is like requiring a second key to open a door. Even if a thief steals a password, they can’t get in without the second piece of verification, usually a code from an app on your phone.

  • Your Action: Turn on MFA for all your important systems: email, donor databases, accounting software, and social media. Using an authenticator app (like Google Authenticator or Authy) is a great, free option.

3. Rule #3: Keep Your Tools Healthy

Malicious software often gets onto computers through outdated programs. Keeping your software updated is like giving it a vitamin shot to protect against the latest threats.

  • Your Action: Make sure all your computers have antivirus software running. Turn on automatic updates for your operating systems (Windows, macOS) and web browsers whenever possible.

4. Rule #4: Check If Your Info Has Been Leaked

It’s helpful to know if your organization’s email addresses have been exposed in a past breach.

  • Your Action: Visit the free, reputable website haveibeenpwned.com. You can enter your work email addresses to see if they’ve been compromised. If they have, change those passwords immediately.
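For the technically inclined person on your team, here is how the same site checks a password without ever seeing it, so you can verify a password is not in the leaked corpus before handing it out. This is an added example, not code from the original post or from Have I Been Pwned: it uses the service’s real Pwned Passwords “range” endpoint (https://api.pwnedpasswords.com/range/), which takes only the first five characters of the password’s SHA-1 hash and returns every matching suffix, so the full hash and the password stay on your machine. The sample response body and its counts are constructed for the offline demonstration; only the live lookup function talks to the network.

```python
"""Pwned Passwords k-anonymity check (added example; not the original post's code).

Only a 5-character hash prefix leaves the machine. The service replies with all
suffixes sharing that prefix, each with a count of how often the password was seen
in leaked data. Matching the suffix locally tells you whether the password is known.
"""
import hashlib
import urllib.request
from typing import Tuple

# Real Have I Been Pwned endpoint; the caller appends the 5-character prefix.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 (the scheme the service uses) and split the
    uppercase hex digest into the prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_matches(range_body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the count for
    the given suffix, or 0 when it is absent. The live service may also include
    zero-count padding lines when padding is requested, so 0 always means 'not seen'."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_against_range(password: str, range_body: str) -> int:
    """Offline half of the check: how many times this password appears in a range
    response that was fetched for its prefix."""
    _, suffix = split_sha1(password)
    return count_matches(range_body, suffix)


def fetch_range(prefix: str) -> str:
    """Live lookup: fetch all suffixes sharing the 5-character prefix (network required)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "nonprofit-password-check"},  # assumption: any descriptive UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """Full check against the real service: returns the breach count (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_matches(fetch_range(prefix), suffix)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The middle line carries the real suffix of "password"; the counts and the other
# two suffixes are made up for this demonstration.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F3AE4A3C8D6A0F8E0B1F5C3D2A1B0C9D8E:0
"""

if __name__ == "__main__":
    # Offline demonstration only; call check_password_live("...") for a real lookup.
    for candidate in ("password", "correct horse battery staple"):
        seen = check_against_range(candidate, SAMPLE_RANGE_BODY)
        verdict = f"seen {seen} times in leaks, do not use" if seen else "not in the sample range"
        print(f"{candidate!r}: {verdict}")
```

A password that comes back with a non-zero count is already in criminals’ hands and should be retired even if nobody at your organization has been breached; a zero count only means it is not in the known corpus, not that it is strong.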

5. Rule #5: Give Access Only Where It’s Needed

Not everyone on your team needs the keys to every room. Limiting access reduces the risk if one person’s account is ever compromised.

  • Your Action: Review who has “admin” access to your key systems. Make sure people only have the level of access they truly need to do their jobs.

6. Rule #6: Build a “Human Firewall”

Your team is your best defense. When people know what to look for, they can stop an attack before it starts.

  • Your Action: Hold a quick team meeting. Remind everyone to be suspicious of unexpected emails asking for money or login information. A good rule of thumb: “When in doubt, check it out” by calling the sender or asking a manager.

7. Rule #7: Check on Your Tech Partners

If you use outside companies for things like fundraising platforms or data storage, their security is your security.

  • Your Action: Don’t be shy about asking your key technology partners what they do to protect your data.

8. Rule #8: Have a “What If?” Plan

What would you do if you suspected a security breach? Thinking through the steps ahead of time prevents panic and helps you respond effectively.

  • Your Action: Jot down a simple plan. Who do you call first? How will you communicate with your team and your board? Knowing the first few steps makes all the difference.

Your To-Do List

This week, focus on these quick wins to immediately boost your security.

Action Item: What It Means

  • Check for Leaked Passwords: Use haveibeenpwned.com to check staff emails and have them change passwords if needed.
  • Turn on Double-Locks (MFA): Audit your most important accounts (email, CRM) and make sure MFA is required.
  • Run Security Updates: Ask everyone to run software updates on their computers and check their antivirus.
  • Force a Fresh Login: For anyone with “admin” access, ask them to log out and log back in again.
  • Quick Security Chat: Hold a brief team meeting to discuss spotting suspicious emails.
  • Talk to Your Tech Partners: Email your most important vendors and ask about their security.
  • Practice Your “What If?” Plan: Run through a quick “what if our email is hacked?” scenario with your leadership team.

Security is a Journey, Not a Destination

You don’t have to do everything perfectly overnight. By taking these small, consistent steps, you can build a strong culture of security that protects your organization, your donors, and the community you serve. You’ve got this.

Need a hand getting started? I can help you create and implement both a short- and a long-term plan for your organization.
