
I think my cynical take is to not actually care. Very few people in the whole security industry actually bother to care because it's mostly box checking regulatory requirements and/or certifications because security beyond the absolute minimum just isn't important to the job. Most places aren't being attacked or broken into, and in the slim chance it happens there's less money to say "sorry for being breached, we're $worthless_cert compliant, nothing else we could do" because customers will believe it.


The corollary of this is that, as a user, you need to do your best to ensure that when your account is broken into, it doesn’t matter to you either.

To get there though, we need better email hiding (Apple’s Hide My Email is great for this, you can get unlimited randomly-generated @icloud.com addresses that forward to your real one) and for sites to not actually need your real name or personal information.

If done right, if randosite.com gets all emails and (even if plain-text) passwords leaked, it wouldn’t matter because only Apple can tie the email to my account, and the password would only be good on that site anyway.

If a website actually needs my real address and name for billing information, that’s another matter maybe, but even then who really cares? The existence of my home address and name doesn’t much matter if they can’t tie it to any other online identities. My address is in the phone book too… it doesn’t really give anybody new information.


Fun fact: We are being shown how dangerous this internet is. With scary-looking numbers of attacks per quarter. Until one scrutinizes the slides to see that our mothership is not the target of these attacks, but that these numbers (somewhat in the range of 350 - 500) are global numbers on companies of any size.

Since seeing this I became even more of a cynic. If they want to scare us - at least they should do it intelligently.



