This is everything we know about Yahoo’s massive data breach, which has affected more than 500 million accounts. Also, here are tips to secure your accounts
Yahoo announced on Thursday that as a result of a 2014 security breach, now believed to have been state-sponsored, over 500 million of its users’ accounts have been compromised. At that time, Yahoo reported that “a third-party database compromise” resulted in the theft of user information. U.S. officials are also now investigating and Verizon – in the process of acquiring Yahoo – issued a terse statement but declined to say if this would influence the sale.
Now, the company reports that “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers” were compromised. That hashed passwords have been compromised means that hackers can break them open by brute force, as was similarly the case in the 2015 Ashley Madison hack, despite the greater level of protection hashing is supposed to provide. The hack “did not include unprotected passwords, payment card data, or bank account information,” but it does affect Tumblr, Flickr, Fantasy Football, and Rivals.com accounts, since those properties are all part of Yahoo.
As of yet, Yahoo has not named the alleged state actor and/or hacking collective(s) sponsored by it. A Yahoo user for the U.S. Democratic Party recently complained of her account being compromised earlier this year while conducting opposition research, but that incident – possibly connected to Russian intelligence services – appears to be unrelated to this one due to the timing.
Yahoo has suffered large-scale breaches before: At least one of them was directed by state actors, specifically the U.S. and UK, according to the Guardian’s reporting on Edward Snowden’s files, which detailed how Yahoo webcam chats were collected and stored. In 2012, Yahoo user data was posted for sale online by hackers – apparently unrelated to the 2014 hack. Further breaches took place in 2013 in which multiple accounts were hijacked for weeks on end. This helped prompt the company to fully implement HTTPS within a year for all of its server traffic.
Steps to protect your accounts and money
“The vast majority of people are not safe using the internet everyday,” former Yahoo CISO Alex Stamos told Motherboard, which dubbed him “paranoid-in-chief,” in 2015. This is certainly the case when any actor with enough resources and legal impunity sets their mind to it. Just because you’re paranoid, as they say, does not mean someone isn’t out to get you – and someone got Yahoo very badly in 2014, if not before.
The first thing you should do is a thorough password review. Not simply for the hacked email account, which needs a new password now, but for any accounts that are connected to it. This would include a recovery email, PayPal, or your cloud services. Financial data is especially vital.
In a statement provided to Geektime, Generali Global Assistance’s (GGA) Identity and Digital Protection Services Unit warns, “Account holders should still be concerned about the stolen data being used fraudulently in ways that could have a financial impact on them.” Additionally, hackers could use the stolen data “to try to break into other accounts to find or trick relatives into revealing additional personally identifiable information, like a social security number, that identity thieves can use to steal funds,” including billing, credit card, and even tax fraud because criminals “only need your name, birth date and social security number to file, so individuals who may have had their social security number in any messages or attachments they sent via their Yahoo! email accounts should be especially concerned about this type of fraud.” One measure to take against this, per GGA, is to file taxes early so any duplicate returns filed thereafter can be flagged as soon as possible. GGA has noted a significant uptick in such false account registrations for fraud since 2013.
GGA also notes that your passwords should be as randomly generated as possible, and not stored on any of your electronic devices where they can be read. The temptation to set security questions at all, especially with “real” answers only “you” know, should also be resisted. Republican Vice Presidential candidate Sarah Palin had her Yahoo account hacked just before the 2008 election by a college student who was able to compile enough biographical data in the public domain to answer her security questions.
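The two points above, that a stolen salted hash still falls to guessing when the password is weak, and that a randomly generated password does not, can be made concrete. The following is an added example, not code from the article, Yahoo, or GGA. Because bcrypt is not in Python’s standard library, it uses PBKDF2-HMAC-SHA256 as a stand-in slow, salted hash (an assumption of this example); the function names, the iteration count and the list of common guesses are all constructed here for illustration.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
from typing import List, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt, which Yahoo used and
# which is not in the standard library. The iteration count is kept small so
# the example runs quickly; real deployments use far more.
ITERATIONS = 10_000
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using a salted, iterated hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def guesses_needed(salt: bytes, digest: bytes, candidates: List[str]) -> Optional[int]:
    """Number of tries a thief holding the stolen salt and digest needs before
    hitting the password, if it appears in a list of common guesses.
    Returns None when the password survives the whole list."""
    for n, cand in enumerate(candidates, start=1):
        if verify_password(cand, salt, digest):
            return n
    return None


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password drawn from the OS cryptographic RNG, as GGA advises."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given entropy."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


# Constructed sample: a few weak guesses of the kind found in any leaked list.
COMMON_GUESSES = ["123456", "password", "qwerty", "letmein", "password123"]

if __name__ == "__main__":
    weak_salt, weak_digest = hash_password("password123")
    print("weak password found after",
          guesses_needed(weak_salt, weak_digest, COMMON_GUESSES), "guesses")

    strong = generate_password()
    strong_salt, strong_digest = hash_password(strong)
    print("random password survives the list:",
          guesses_needed(strong_salt, strong_digest, COMMON_GUESSES) is None)

    bits = entropy_bits(20, len(ALPHABET))
    print(f"{bits:.1f} bits of entropy; exhausting it at 1e9 guesses/s "
          f"would take {years_to_exhaust(bits, 1e9):.2e} years")
```

The slow hash only buys time per guess; it does nothing about a password that sits near the top of every guess list. The entropy arithmetic shows the other half: a 20-character random password from a 62-symbol alphabet has about 119 bits, which no realistic guess rate exhausts, while a 40-bit password falls in minutes at a billion guesses per second.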
Two-factor authentication is another basic step that can be taken to help secure your account, along with checking where your emails are being forwarded and whether your account is logged in anywhere else at the same time. Users should also exercise basic common sense and not proceed to websites flagged by their browser, download manager, or email client – and be wary of networks with no passwords, like bus, airport, or hotel room Wi-Fi.
And in general, users should assume that no matter how secure they think their communications are, what they have written in the strictest confidence may one day be compromised.