You can spot a Nigerian email scam without opening it. You know what you’re doing when it comes to keeping ID thieves from conning you. And if someone tried to get the kind of personal information needed to open credit in your name, well, it just wouldn’t happen.

Except it would.

Credit gets stolen using personal information all the time. In the wake of the Equifax breach it’s happening even more than usual.

The Identity Theft Resource Center tracks data breaches every year and publishes a year-end report (full disclosure, my company CyberScout, sponsors it). Last year, the ITRC found that of the 174 million records breached last year, more than 91 percent came from corporate databases.

There are data breaches every day, and while they do not rise to the level of the Equifax event, they still add up in a big way. In fact, it would be a miracle if your data were not somewhere available on the dark web, which is a sort of digital black market.

It Can Be Anything

Consider the December discovery of an enormous cache of unecrypted, searchable login credentials that the dark web analysis firm 4iQ discovered on the dark web.

“This dump aggregates 252 previous breaches, including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites,” Julio Casal, co-founder of 4IQ explained in a blog post.

The total number of credentials: 1.4 billion. The discovery added 385 million new credential pairs, 318 million unique users, and 147 million passwords to what was already out there.

That’s a big number. It’s the kind of number that should make you take certain precautions. But the easiest one is most often disregarded, at least according to Time Magazine: maintaining good password behavior.

The worst passwords of 2017 were pretty bad: 123456, Password, 12345678, qwerty, 12345, 123456789, letmein, 1234567, football, iloveyou, admin, welcome, monkey, login, abc123, starwars, 123123, dragon, passw0rd, maste, hello, freedom, whatever, qazwsx, trustno1.

Not hard to guess, because they’re not long and strong, or better yet created by a random password generator. But there’s something worse than using weak passwords. The re-use of passwords across accounts is far more dangerous—and common. Hackers know if they find your credentials for LinkedIn (one of the contributing sources to the above-cited credential dump on the dark web), there’s a good chance they will be able to use something similar or identical to hit your financial accounts.

Be Vigilant

But go ahead and check your accounts right now. You have that all set up so you can do it quickly, right? If you are like most people, you don’t.

How about transaction alerts? You’ll know if this is set up, because a text or email is delivered to you every time you use a credit card or move money from a bank account.

If that sounds like a hassle, it isn’t. There’s something reassuring about those alerts following a purchase, and if something ever pops up that you didn’t trigger—well it’s even more reassuring that you’ll know right away.

But the above only helps with existing accounts, and that’s not the only danger when it comes to credentials being “out there.”

When you “win” the ID theft lottery, and an ID thief locks onto your credentials stored on one of those massive dark web data bases, a criminal can open a new credit account of any kind—a mortgage, a car loan, a new smartphone with wireless or a credit account. They can dip into your email, and figure out what they need to know to do almost anything: take over your healthcare, con your friends, even become you.

According to Javelin Strategy and Research, 2017 saw a new trend. “While credit card accounts remained the most prevalent targets for new account fraud, there was significant growth in the opening of new intermediary accounts, such as email payments (e.g. PayPal) and other internet accounts (e.g. e-commerce merchants such as Amazon) by fraudsters. Although not as easily monetized alone, these account types are invaluable in helping fraudsters transfer funds from the existing accounts of their victims.”

What can you do?

Practice the 3 Ms

1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.

2. Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on Credit.com.)

3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises–oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

In this Wild West of information insecurity, you are the most qualified person to protect yourself from the dangers that lurk “out there.” But remember, you have to stay on your game, because the bad guys definitely are.