Tuco Benedicto Pacífico Juan María Ramírez (en_ki) wrote,

via siderea's post

You used to need a little bit of technical clue to steal people's logins to insecure sites like LiveJournal, Facebook, etc. There is now a Firefox extension called Firesheep that makes this extremely user-friendly: absolutely any random loser at the coffee shop, the airport, work, or school can take over your accounts if you're using wireless. (For the record: using Firesheep can get you fired, kicked out of school, or sent to jail if you're caught, so don't.)

Some advice follows. Follow it and get your friends to, too. If you have any friends who are unlikely to follow this advice, you will want to drop them from your friends list on any social networks, because it is a near certainty that somebody else is going to be controlling some of their accounts soon.

Use HTTPS Everywhere to mitigate the problem.

HTTPS Everywhere protects Facebook, ~~LiveJournal,~~ and Google accounts by forcing them to use SSL.

Since this is a Firefox-only extension, you'll want to avoid using other browsers. I'd delete or rename them or move them aside.

HTTPS Everywhere isn't enough.

Most services won't work with HTTPS Everywhere (though it's possible that the ones you care about do). For example, I crossed out LiveJournal up above because, contrary to rumor, HTTPS Everywhere doesn't help. You want to use an SSH Proxy.

This is a decent way to get privacy from work/school too. Quick guide for Mac and Linux/Unix users:

  1. Run your own SSH server on port 443 on a remote host somewhere safe or find a friend who does. (I'm happy to set any of you up with an account on mine, though of course that requires trusting me.)

  2. killall ssh; ssh -p 443 -NnfD 8888 yourusername@yourserver
    (naturally, if you use ssh for anything else, you'll want to replace "killall ssh" with some cleaner way of killing running copies of this process)

  3. In your browser preferences or System Preferences, set your proxy to SOCKS at localhost on port 8888.
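
One cleaner way to start and stop the tunnel from step 2 without "killall ssh", as an added example that is not part of the original post: the tunnel gets its own SSH control socket, so only that one process is checked or stopped. The host, port 443 and port 8888 are the post's placeholders; the socket path and the variable and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): run the step-2 tunnel behind an
# SSH control socket so it can be stopped without "killall ssh".
# Host, port 443 and port 8888 are the post's placeholders; the socket path,
# variable names and function names are assumptions of this example.
SSH="${SSH:-ssh}"
TUNNEL_HOST="${TUNNEL_HOST:-yourusername@yourserver}"
TUNNEL_PORT="${TUNNEL_PORT:-443}"    # remote sshd port from step 1
SOCKS_PORT="${SOCKS_PORT:-8888}"     # local SOCKS port from step 3
TUNNEL_SOCK="${TUNNEL_SOCK:-$HOME/.ssh/socks-tunnel.sock}"

# Succeeds only if a master process is alive behind our control socket.
tunnel_status() {
    "$SSH" -S "$TUNNEL_SOCK" -O check "$TUNNEL_HOST" 2>/dev/null
}

# Start the SOCKS proxy unless this tunnel is already up.
tunnel_start() {
    if tunnel_status; then
        echo "tunnel already running" >&2
        return 0
    fi
    # -M/-S: control socket; -N: no remote command; -n: no stdin;
    # -f: background after auth; -D: SOCKS listener, loopback only.
    # ExitOnForwardFailure makes ssh fail loudly if the SOCKS port is taken,
    # instead of leaving the browser pointed at some other listener.
    "$SSH" -p "$TUNNEL_PORT" -M -S "$TUNNEL_SOCK" \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
        -NnfD "127.0.0.1:$SOCKS_PORT" "$TUNNEL_HOST"
}

# Stop only this tunnel; other ssh sessions are left alone.
tunnel_stop() {
    if tunnel_status; then
        "$SSH" -S "$TUNNEL_SOCK" -O exit "$TUNNEL_HOST"
    else
        echo "tunnel not running" >&2
    fi
}

case "${1:-}" in
    start)  tunnel_start ;;
    stop)   tunnel_stop ;;
    status) tunnel_status && echo "up" || echo "down" ;;
    "")     : ;;   # sourced or run without arguments: define functions only
    *)      echo "usage: $0 {start|stop|status}" >&2; exit 2 ;;
esac
```

Saved as a script, it takes start, status or stop as its argument; the proxy setting in step 3 stays the same.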

Privacy is something you often don't realize you need until it's too late. If you don't understand this, ask for help; if I know you, I will happily spend some time with you to reduce the chance that somebody I know will have their account taken over.

In the long run, I think this is a good thing. Sending personal traffic, much less login information, unencrypted over the internet makes a joke of privacy, but most people just haven't been noticing. The noise about this stands a good chance of closing that particular hole.

