A massive hack has sent the internet security world into a frenzy this week, with as many as 2 million passwords likely falling into the wrong hands.

According to CNN, hackers used a covert keylogging software in order to steal passwords to tens of thousands of different websites. The software behaved like a malicious computer virus, installing itself on user computers worldwide and going to work in capturing usernames, passwords, and other login credentials of users.

A cybersecurity firm called Trustwave managed to track the keylogging software. They determined that the hack has been going on for about a month and that all login credentials captured by the coup have been sent back to a server located in the Netherlands.

However Trustwave also said that the Netherlands server was only a proxy, and that the hackers might still be at large. To make matters worse, the internet security firm couldn’t parse how the hackers had gotten their keylogging virus onto so many computers, nor could they use the discovered server to backtrack to infected computers. In other words, change your passwords and update your antivirus software just to be safe: you might be infected.

All told, the hackers have so far stolen passwords to 93,000 different sites scattered across the web. The most common password thefts surrounded high-traffic social media sites like Facebook, Twitter, and LinkedIn, as well as email or internet search websites like Yahoo and Google. ADP (Automatic Data Processing) and Odnoklassniki accounts rounded out the top seven. Facebook, on the other hand, was the top haven for hackers, with over 300,000 passwords stolen.

CNN says that Facebook, LinkedIn, Twitter, Yahoo, and ADP all claimed that they had notified users whose passwords had been compromised. Still, even for those who haven’t gotten a hack notification from their prime social media or email site, a password change is a good idea. In the wake of the hack, Christian Science Monitor published a stirring Op-Ed about how parents in the modern age need to teach their kids good password etiquette – in the same way, the article says, as they teach “how to cross the street and why you shouldn’t wear black shoes with brown slacks.”

The CSM article has a point: too many people don’t know how to safely manage their passwords, and either use very short, generic, or default passwords (“123456,” for instance) or use a single decent password for every site they frequent. In order to be protected, users must adopt a policy of using diverse passwords across their different internet haunts, while also creating longer, more complex passwords that are harder to hack.