Two months ago I was presented with an opportunity to escape living with my parents and take over a tenant’s lease at a complex in the suburbs of Seattle. Since I was recovering from a self-inflicted financial disaster, I didn’t have the funds for first, last or deposit, which are typically required for most rentals. The only fee required was the application fee, which was paid by the 25-year-old medical student who had placed the ad on Craigslist desperately looking for someone to help her out as she had decided to shack up with her boyfriend.

As part of this process, I didn’t sign a new lease; rather, I took over her lease, and all of the related bills – including the separate water, sewer, and gas bill (WSG) managed by a third party. My name was added to her account using this third party (which I’ll omit, since it’s irrelevant to the story), which also allows users to manage their payments online.

This is where trouble starts

After finding I couldn’t log in to the account online without knowing the username and password the previous tenant used, I called the third party and asked how I could log in. The only information I had was my bill with the account number and both of our names on the account – information that can easily be obtained by dumpster diving, mail theft or simply forgetting to forward your mail when you move. The customer service rep didn’t hesitate to tell me the username for the account – and then, after informing me she could forward me the password, told me, to my dismay, the email address she was forwarding it to.

This is where things get ugly. Not only was I told the email address of the account holder, but upon informing the customer service representative that I needed to change the email, I was sent their password. Not a reset. The current account password.

I thought I was crazy – there is no way that in 2012 a company could be this dumb. But when I repeated the process again after changing the password to my own, I was sent my exact password upon asking for a reminder.
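The reminder behaviour described above is only possible when the service keeps passwords in a recoverable form. As an added example (not part of the original post and not the billing company's code), here is the alternative in Python: store only a salted PBKDF2 hash and answer a forgotten-password request with a single-use, expiring reset token. The class and method names, the iteration count and the token lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor (assumed value)
RESET_TTL = 15 * 60       # reset tokens expire after 15 minutes (assumed)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountStore:
    """Hypothetical account store: keeps salted hashes, never passwords."""

    def __init__(self):
        self.users = {}    # username -> (salt, derived key)
        self.resets = {}   # sha256(token) -> (username, expiry timestamp)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _derive(password, salt))

    def verify(self, username, password):
        # Unknown users still cost one derivation, so timing does not reveal them.
        salt, stored = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        ok = hmac.compare_digest(_derive(password, salt), stored)
        return ok and username in self.users

    def start_reset(self, username, now=None):
        """Return a one-time token to mail to the address already on file."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only the token's hash is stored, so a database leak cannot replay it.
        key = hashlib.sha256(token.encode()).digest()
        self.resets[key] = (username, now + RESET_TTL)
        return token

    def finish_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        entry = self.resets.pop(key, None)   # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

With this design there is no "remind me of my password" operation to offer, because nothing in the store can be turned back into the password.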

As many Americans use the same password for most of their logins – whether it’s email, Facebook, iTunes and even online banking – it can be incredibly easy for someone who illegitimately accesses a bill with your account number to find out both your email address and password – which is all they need to find the information they need to effectively steal your identity.

So what do you do?

Easy! Use online billing for as much as you can, and shred everything else. Make sure all of your addresses are up to date. And whatever you do, don’t use the same password twice. One effective method is to combine a secure base password made of symbols, letters and numbers (such as “M0nkeybutt!”) with the name of the website (so your password is “M0nkeybutt!FB” or “M0nkeybutt!gmail”).* Don’t write your passwords down, or store them in an easily accessible email or shared document. Applications like LastPass and 1Password are great as well.

Finally, if you think one of your account numbers has already fallen into the wrong hands, close that account and open a new one. Then, call all three credit bureaus and place a flag for potential identity theft. Flagging your identity with a credit bureau makes it harder to apply for new credit accounts, but also makes it harder for someone else to assume credit in your name.

And if you ever consider subletting, be sure that the new tenant opens new accounts for all necessary things in their name. It might seem like extra work at the time, but it might save you from exposing your personal data down the road.

*note – that is not my password, so don’t even try.