Pick a better password: "Passwords have to be easy to remember but hard to guess," said Parry Aftab, an attorney specializing in Internet privacy. Her trick: Pick a sentence (not a common phrase or saying) that can be boiled down to a string of letters, numbers and symbols. For example, "On Jason's fourth birthday, he ate cake!" might boil down to "OJ4thbh8c!"
Even then, it's not smart to use the same password for your bank login as you do for a retailer's site or social networking account. Pick a different phrase, she said, or at least consider sneaking in a site-specific abbreviation somewhere (FB for Facebook, say, to make it "OJ4thFBbh8c!") to make it unique to the site, without overburdening your memory.
Try a password manager: Services such as LastPass, Dashlane and KeePass create and manage complex passwords for you. "They make it a million times easier to create complicated passwords," Tyler said. The catch: you'll need a very secure master password, or other strong authentication, for that account. Basic versions are free, while premium versions covering more accounts and devices can run up to $20 per year.
Beef up authentication: Some sites, including Gmail and Twitter, offer two-step verification—which requires users logging in from a new device to enter a code sent to the mobile phone linked to the account. When that technology is available, enable it, said Webb. "If you have that kind of step, it doesn't matter if someone steals your username and password," he said. "They still can't get in, unless they stole your phone, too."
Limit your financial risk: Don't use a debit card to make purchases online—credit cards offer more comprehensive protection against fraud. It's also smart to limit your online buying to just one card, said Sergey Lozhkin, senior security researcher at Kaspersky Lab. That makes it easier to monitor for potential problems, and cut off criminals' access if the number is compromised. Some issuers, including Bank of America, still offer temporary card numbers to keep your information safe.
Secure your devices: Password-protect your phone and computer to thwart prying eyes, Aftab said. If you're not the only one using a device, don't set sites to automatically log in or save passwords. Password-protect any files containing sensitive information.
Use social identity: Given the option to create an account or log in through a social networking site such as Facebook or LinkedIn—an option more retailers and other companies offer—consider the latter, said Webb. Doing so gives you fewer passwords to remember, and narrows breach worries to just a few sites. Of course, go this route and you'll want to be sure that social networking password is very secure, he said.
Scan for problems: Corporate data breaches aren't consumers' biggest concern. "Malware steals much more data than that each year," said Tyler. If there's malware on your personal or work devices, other password protections won't help at all. "It will just grab the updated passwords," he said. Install software to scan for viruses, spyware and other potential problems, and then use it regularly. This step is particularly important if you have kids—who tend to be less discerning about browsing and downloading, increasing the risk of contracting malware, said Aftab.
Stay vigilant: "You have to be on high alert now," said Levin. Treat with a grain of salt any email alerts about the breach from companies you do business with. "No institution will ever ask you to provide information via email," he said. Don't click on any links in the email, or call any numbers listed there. If the threat is legit, you'll be able to take any necessary steps by logging into your account in a new browser window, or calling the company on its main listed customer service number.
Consumers should also keep an eye on their accounts in coming months to ensure their financial information hasn't been compromised.
—By CNBC's Kelli B. Grant