Even though the passwords were hashed, since Havenly used the older MD5 algorithm with no “salting” or randomness added to the password before hashing, it is extremely fast and easy for attackers to crack the hashes and recover the passwords using even modest computing power. Then they could use that password to try to login to other websites with the same email address and password, a common attack known as credential stuffing. Users should immediately change their password to a strong and unique one. A best practice for picking a password is to let a password manager choose a completely random sequence of letters, numbers and symbols, or use a long passphrase instead of a simple word if it must be remembered. Even a physical notebook with passwords written down is better than using dictionary words or names as passwords. Passwords should also never be used on more than one site or service, to guard against credential stuffing. There are several password managers available that can help keep track of all the passwords used.

Source Article: https://www.bleepingcomputer.com/news/security/havenly-discloses-data-breach-after-13m-accounts-leaked-online/