Most of the time I only hear from my credit card companies when I owe them money or when they want to sell me a new service. That's changed; \n\nnow I'm being bombarded with notes telling me that a company I never heard of has been successfully hacked and these still unknown bad guys now have my name and e-mail address \u2014 and maybe more. If you've been paying any attention to the news lately, you know I'm talking about Epsilon, a \n\nhuge outsourcer that sends e-mail of all kinds to customers of major financial services and retailers. Say you get an offer for a new card from Capital \n\nOne, or for a special vacation deal from Marriott Rewards; that e-mail was actually sent by Epsilon. To do its job, Epsilon stores data about the \n\ncustomers of its customers \u2014 in other words, you and me. A partial list of companies whose data was compromised (that's the polite term) includes JPMorgan Chase, Capital One, Marriott Rewards, \n\nMcKinsey Quarterly, US Bank, Citi, Ritz-Carlton Rewards, Brookstone, and Walgreens. Larry Ponemon, a security expert interviewed by the New \n\nYork Times, estimates that thieves obtained the names or e-mail addresses of 100,000 customers at each of 50 clients. No doubt there's \n\noverlap in those lists, but that's still millions of people. Epsilon E-Mail Breach: 4 Unanswered QuestionsBy and large you're hearing that you shouldn't panic if you get a note from one of your credit card providers saying they've been hacked. That's \n\nbecause Epsilon has stated that only e-mail addresses and names were stolen. By themselves, that's not enough information to obtain really \n\nsensitive information like the password to your checking account. I won't question the truthfulness of Epsilon's disclosure, but I'm not entirely convinced of its accuracy. The really skilled hack is invisible to the \n\nvictim. But let's assume that all that was stolen was what Epsilon said was stolen. There's still reason to be concerned.Adam Levin, chairman and cofounder of Credit.com and Identity Theft 911, calls e-mail addresses the "social security number of the digital age." \n\nBy that he means that many Web sites use an e-mail address as the user name. If that's the case, the hackers are half way into your account simply by \n\nknowing your e-mail address. (Remember, they know you're a customer of say, Chase, because that information was stolen from Epsilon.)It's important to note that hacking has long since ceased to be about juvenile fun and games. Modern hackers are generally out to make money, \n\nand often work as part of organized, international gangs. You can be sure that whoever stole that information is hoping to make a substantial profit. \n\nHere are two ways the bad guys may make use of that information, and what you can do to protect yourself. Spear Phishing AttacksYou've probably heard of phishing. Simply put, that means luring a user to a site that's either a spam advertisement or one that has been infected \n\nwith malware. It's called phishing because the hackers are fishing for victims. Spear phishing, though, is more insidious. Rather than send out an \n\nutterly random email to random victims, the spear phisher targets (or spears) a specific class of people, or sometimes even specific individuals, by \n\nusing information about them to make the bogus pitch seem genuine. Spearphishing Worries Follow Epsilon BreachSo if the hackers who broke into Epsilon learned that you have an account at Chase, you might well get an e-mail that looks like it came from \n\nChase. Typically, that type of fraudulent e-mail would ask you to supply some sort of personal data, like your birthday or even a password to "verify" \n\nyou account info. Often those e-mails are breathlessly urgent, saying that your account will be shut down immediately if you don't respond. The defense is simple: Ignore e-mails asking you to supply personal information. No reputable company or e-mail provider will ask you for it. Password HackingGuessing someone's password isn't always very hard. As a backup for forgetful users, many sites have so-called security questions, like "the \n\nname of my high school was" or "my favorite pet is." As Credit.com's Levin points out, "In the Facebook age, it's not difficult to figure out someone's \n\nhigh school or mother's maiden name." That's a great point. Levin suggests answering those question prompts with information that's totally unrelated, like: "My pet's name is --- Omaha, Nebraska." But how \n\nwould you remember that? At the very least, though, make those answers a lot tougher, or even decline to give yourself those hints. Serious hackers don't sit around guessing your password; they use automated programs to do the hard work. That means you've got to stop \n\nusing the same password over and over. As bad as it would be to have your checking account hacked, how would you like it if that same password \n\nopen the door for hackers to access your retirement and investment accounts?As you've no doubt heard, you should use strong passwords, which means they should be long, have letters, numbers and characters (like % or \n\n#) scattered randomly within them. And do not use your birthday or the names of your kids. Drowning in Passwords: Tips and Tools to Stay Safe and SaneOf course, you'll never remember those strong passwords, so I suggest using a password manager. I've recommended Roboform in the past and \n\nhave recently heard good things about Last Pass, though I haven't tried it yet. When you visit a site and fill in the username and password, the manager will remember them, and fill them in for you the next time you're there. \n\nYou only have to remember a master password. Some of those programs will even generate a random password for you. Use it; it's likely to be \n\nstronger than anything you dream up. San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach \n\nhim at email@example.com.Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline.