As you’ve probably heard by now, Yahoo says it suffered a massive data breach that compromised 1bn accounts. The breach, dating back to 2013, is separate from another disclosed in September, in which 500m user accounts were hacked.
Compromised user information included names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password, according to The New York Times. Yahoo is now taking steps it declined to take previously – making affected users change their passwords and scrubbing unencrypted security questions.
Yahoo discovered the 2013 compromise after analyzing data files law enforcement provided after an unnamed third party claimed to be in possession of Yahoo information.
For users, the question now is what to do about it. Sophos senior security advisor John Shier outlined six steps you can take to protect yourself from this and all other data breaches:
- Consumers need to be aware of targeted phishing scams, a socially engineered attack that cybercriminals use to lure people into clicking malicious URLS with malware. This is extremely important, now that personally identifiable information (PII) is in the wild as a result of this breach.
- Change your Yahoo password and security questions immediately, especially if you use them on multiple accounts. As a rule of thumb, don’t use the same security questions and answers for all of your accounts.
- Make all new passwords different and difficult to guess. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
- Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos How to Pick a Proper Password video for creating stronger passwords.
- Be careful with your security questions: information such as your mother’s real maiden name is easy to track down. You don’t have to give the actual answer to the question: “what’s your favorite food?” – you only have to give an answer that you will remember.
- Use two-factor authentication wherever possible: instructions for Yahoo users are here.
Though it’s unclear if phishing played a part in enabling the 2013 Yahoo breach, the attack method has been the spark hackers used to breach other systems. Unfortunately, consumers remain easy prey when it comes to this type of scam.
In a recent Sophos survey of 1,250 consumers, nearly half of the respondents admitted they’re not familiar with phishing or perceive it as a low threat. More than 30% of those surveyed rated themselves as being extremely unprotected, unsure of being protected or completely unaware of phishing attacks.
ejhonda
Why no love for urging the use of a password manager, Sophos?
Paul Ducklin
Did you watch the video on picking passwords that we link to?
https://nakedsecurity.sophos.com/2014/10/01/how-to-pick-a-proper-password/
Stephen Hartley (@dcifoyle)
Totally agree. With the volume of sites and services requiring passwords, using a password manager is the only pragmatic solution. Why isn’t this #1 on the “what to do list”??
Paul Ducklin
I see #3 and #4 as two sides of the same die, and “using a password manager” as a third side of that. So I’d have made them into one tip that urged good passwords and simply referenced the “How to Pick a Proper Password” video to provide the details (though I may be biased because I made that video :-) In the video, we cover that whole “good password” die, including the what/why/how of password managers.
Anonymous
If I just changed my password after the last notification of a breach (Sept. I believe?) am I going to be made to change it again?
Stephen Hartley (@dcifoyle)
Don’t wait for someone else to tell you to change your password. Any time you feel vulnerable (if not more often…) you should take steps to change your password. Again, use a good password manager to do the heavy lifting.
Peter Kirwan (@PeterDKirwan)
Regarding no.2: looks like Yahoo has stopped using security questions some time back. Love the blog by the way.
Anon
How on earth do you change yr password & username I just can’t get onto the right web site to do it’s so complicated it not even accepting my original ones surely Yahoo could have explained it more clearly would like to go to a diff Email provider.