When the computer security company Hold Security reported that more than 1.2 billion online credentials had been swiped by Russian hackers, many people were worried—and justifiably so. Hold isn’t saying exactly which websites were hit, but with so many credentials stolen, it’s likely that hundreds of millions of ordinary consumers were affected. Some of these may be incredibly complex passwords—with lots of jumbled numbers and symbols. And some may be incredibly simple—using just the simplest of English words, like, say, “password.” But after the hack, most all of them have left their users vulnerable to attack. According to Alex Holden, Hold Security’s founder, the “vast majority” of the passwords he uncovered had been stored in plain text on company servers.