Disney+ login accounts are already popping up on the Dark Web. The headlines started popping up almost immediately. “Thousands of hacked Disney+ accounts are already for sale on hacking forums,” ZDNet proclaimed last week. The BBC followed up with “Disney+ fans without answers after thousands hacked.” Well, I’ve got an answer for you, and it’s one you’ve probably heard before. Stop reusing passwords across multiple services and websites.

Both reports found thousands of Disney+ logins available on the Dark Web—just over 4,000, in the BBC’s case. When the publications reached out to affected customers, some admitted that they reused existing passwords for Disney+, while some denied it. But given the low number of so-called “hacks”—a few thousand confirmed for a service that already boasts over 10 million users is a drop in the bucket — it seems likely that bad password practice is more to blame than a breach on Disney’s part.

Data breaches are shockingly common these days. If you reuse your login credentials across sites and services, a breach of just one site can grant hackers access to all your accounts. CyberInt researcher Jason Hill told the BBC that this indeed seems to be the case with the Disney+ credentials for sale on the Dark Web. These accounts weren’t “hacked,” rather, their owners probably just got sloppy.

I get it. Memorizing dozens of passwords is not fun, and everything needs one these days. Fortunately, there’s a solution: Password managers. These programs keep track of all your logins, input them when needed, and can even create randomized passwords for each site and service you use. They’re great, and they make using unique passwords a breeze. Better yet, password managers are pretty cheap, and many even come free if you only need a device or two covered.

Activating two-factor authentication—which demands a text or app-based code in addition to your password—is a good idea for critical accounts too. If you’ve been reusing passwords and want to batten down the hatches, use a password manager to generate unique logins for your accounts.

I have a warning about using 2FA though. Many people have chosen to use Google’s two-factor authentication app and why not. One would think a company as large as Google would be a good bet for two factor authentication. The thing that most of us don’t think about is what happens if your phone is lost, stolen or broken — there goes your access to all the sites and services you’ve set up to use 2FA. The primary weakness with Google’s implementation is that you can’t backup and restore your codes – so if you didn’t print out the codes when you first set them up – you’re pretty much out of luck. You’ll need to reach out to all the accounts and hopefully be able to convince them that you are who you say you are and see if they will remove the 2 factor so you can log in and set it up on a replacement device.

Bottom line: don’t use or re-use weak passwords and get on the two-factor security band wagon with all the sites and services that support it.