The largest breach ever.
Last week Yahoo announced that they had been compromised in 2014 and user account information for more than half a billion accounts had been stolen.
In Yahoo’s announcement of the breach they said stolen data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”
Luckily, credit card and other payment data was not stolen. Yahoo stores this data in a separate system which was not affected, according to a statement by Yahoo’s CISO Bob Lord. Tumblr, which Yahoo acquired in 2013, was not affected.
Yahoo believes that the intrusion was carried out by a state-sponsored actor, though they did not explain what evidence led them to believe that, or what nation is thought to have carried out the attack. The best hint that this was executed by a nation and not cybercriminals is that the account data has not shown up for sale on the dark web.
How much of the data was properly encrypted is unknown. Yahoo’s statement is a bit vague on the specifics. They say “the vast majority” was hashed with bcrypt, a specific hashing algorithm designed for storing passwords that is generally accepted as secure. However, there were reports of other recently stolen Yahoo data that was hashed with MD5, an algorithm which is far from secure.
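The difference between MD5 and a purpose-built password hash is easiest to see in code. The block below is an added example, not part of the original post and not Yahoo's code: it hashes a constructed sample password with unsalted MD5 and shows the hash recovered by a simple table lookup, then stores the same password with a salted, deliberately slow hash. bcrypt is not in Python's standard library, so scrypt (another salted, memory-hard password hash that hashlib provides) stands in for it; the password list, the user password and the function names are all this example's own.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data (not from the Yahoo breach): a short list of common
# passwords a guessing tool would try first, and one user's password.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome1"]
USER_PASSWORD = "letmein"


def md5_hash(password):
    """Unsalted MD5: fast, and identical for every user who picked the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reverse_md5_by_lookup(digest, candidates):
    """Reverse an unsalted fast hash with a precomputed table of candidate hashes.

    The table costs one hash per candidate and is then reusable against every
    account in a stolen database, which is why MD5 gives stolen data little protection.
    """
    table = {md5_hash(p): p for p in candidates}
    return table.get(digest)


# bcrypt is not in Python's standard library, so scrypt (another salted,
# deliberately expensive password hash in hashlib) stands in for it below.
SCRYPT_N = 2 ** 14  # work factor; raise it over time as hardware gets faster


def slow_hash(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=8, p=1)
    return salt, digest


def verify_slow_hash(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = slow_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def guesses_per_second(hash_fn, iterations=20):
    """Rough throughput of one hash function on this machine (higher favours the attacker)."""
    start = time.perf_counter()
    for i in range(iterations):
        hash_fn("guess%d" % i)
    return iterations / (time.perf_counter() - start)


if __name__ == "__main__":
    leaked = md5_hash(USER_PASSWORD)
    print("MD5 lookup recovers:", reverse_md5_by_lookup(leaked, COMMON_PASSWORDS))

    salt, stored = slow_hash(USER_PASSWORD)
    _, stored_other_user = slow_hash(USER_PASSWORD)
    print("same password, two users, different digests:", stored != stored_other_user)
    print("correct password verifies:", verify_slow_hash(USER_PASSWORD, salt, stored))
    print("wrong password rejected:", not verify_slow_hash("password", salt, stored))

    md5_rate = guesses_per_second(md5_hash)
    slow_rate = guesses_per_second(lambda p: slow_hash(p)[1])
    print("MD5 is roughly %.0fx faster per guess than scrypt here" % (md5_rate / slow_rate))
```

Two properties matter for stolen data: the salt means two users with the same password get different digests, so one lookup table no longer cracks every account at once, and the work factor makes each guess cost milliseconds rather than microseconds. The measured speed ratio depends on the machine, but the gap is several orders of magnitude.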
After the news broke, some in the security industry immediately started joking about the Yahoo breach. Who still uses Yahoo, right?
Yahoo’s ad revenue is skyrocketing, as 500 million users log in to Yahoo for the first time in years. To change their password and log out.
— Mikko Hypponen (@mikko) September 23, 2016
But we have to forget the notion that “no one uses Yahoo”. This is not just 500 million dormant accounts being hacked, these are active accounts being used by important people.
Recent FBI documents noted that Huma Abedin, who served as Hillary Clinton’s Deputy Chief of Staff, “routinely forwarded” official State Department emails to her Yahoo account, because it made it easier to print them. If a state-sponsored actor carried out this attack, they may have been specifically targeting high-profile users.
Yahoo owns Flickr, which was regarded as one of the best photo-sharing sites long after Yahoo’s brand lost its luster. Many Flickr users may not realize that they actually had Yahoo accounts.
CNet also points out that a company of Yahoo’s size often has partnerships with other companies, which puts more people at risk. AT&T’s customers are able to log in and manage their services with a Yahoo Mail account. “It’s the outgrowth of a partnership from 15 years ago,” which, at the time, was supposed to help the companies “combat the growing power of AOL and Microsoft’s MSN portal.” These legacy business decisions can still impact customers nearly two decades later.
Whether you use Yahoo or not, there are valuable lessons to be learned. Almost any company, at any time, can be compromised. And you may not know for more than a year – remember this Yahoo intrusion happened in 2014. Victims have potentially been seeing the consequences of this hack for more than a year with no idea how their information got out there.
So, here are a few tips for improving your online safety:
Check if you have been hacked
If you have a Yahoo account, the best way to check if you have been affected is to log in and check your Yahoo Mail account. If you have been affected, Yahoo will display a notice. You should also change your password and security questions on this page.
A high-profile breach is a good opportunity to check in on other account credentials. Have I Been Pwned? is a free service operated by Troy Hunt, a well-known security researcher. The service allows you to enter your email address or username and see if other publicly disclosed breaches have affected you.
If you have been affected by any breach, make sure you change any other accounts that share the same password.
Don’t re-use passwords
Let’s say you are using the same password on a forum as you are with your banking site. Do you think both those sites are storing your password with equal security? Do you think a small forum would even know if their users’ information was stolen?
We have all re-used passwords because it’s easy. But it’s a major problem. Password re-use is one of the main reasons that stolen passwords have value on the black market. Cybercriminals know that if a username/password combination gets access to one site, it probably works on another.
Password managers are software programs that let you securely generate and store account credentials for all the websites you use. They are the easiest way to manage strong and unique passwords for the dozens of accounts we all seem to have. There are many options out there, but we like KeePass (open source, only stores passwords locally) and 1Password (a more user friendly option with convenient password syncing across devices).
Set a strong password on your email
Ideally, you would adopt strong passwords for every service in your life. This means using a password manager and generating random passwords for every site and for your security questions. However, we all know that for many people, this is more work than they are willing to do.
So, at the very least, you need to be using a strong and unique password for your email. It is one of the single-most important online accounts you have. That’s because the majority of other accounts can be controlled once a hacker has access to your email via password reset requests.
Set up 2FA
2FA, or Two-Factor Authentication, is an optional security measure that helps you maintain control over your account. 2FA is the practice of requiring two different methods in order to log in to an account.
Normally you log in by just entering your username and password. But with an account configured to use 2FA, that is only the first step. You then have to confirm the login through a second method, usually an SMS message or confirmation email. Even if your password is compromised, 2FA can prevent an attacker from gaining access to your account.
For instance, say a hacker got hold of your Facebook password but your account had 2FA enabled. After entering your password, Facebook would send a random code to your cell phone which you would have to enter on the website. Unless the hacker had also stolen your cell phone, they would be foiled.
Many major sites – including Yahoo, Google, Facebook, and most major banks – support 2FA. It’s quite easy to use as well, adding only a few seconds to your normal login.
Security-conscious users can use a “hardware token”, which is literally a physical dongle (usually a special USB key) containing a digital authentication key. This offers the most security at the cost of convenience. Mainstream services are starting to support hardware tokens; in fact, the latest version of Mac OS allows you to log in with one.
We hope you will pick up at least one of the good habits listed above. Good security practices are something that people avoid until they have been affected, at which point it can already be too late.
Learning to use a password manager, or generating secure random passwords for all your accounts, is time-consuming. But recovering from a serious hack is even more time-consuming.