Technology First Look

What Yahoo users can do to protect their data after billion-account breach

The new breach was likely separate from a 2014 incident, which Yahoo attributed to state-sponsored cybercriminals.

The company logo appears on a smartphone in Frankfurt, Germany, Thursday.
Michael Probst/AP
|
Caption

Yahoo, Inc. was subject to the largest breach in history, the company announced Wednesday, when hackers compromised one billion accounts in August 2013.

Yahoo has urged users to reset their passwords, acknowledging that the newly discovered hack may have included names, email addresses, phone numbers, birthdates, hashed passwords, and security questions and answers. The incident dwarfs the company’s other record-breaking hack, which exposed 500 million accounts in 2014.

“Yahoo has now won the gold medal and the silver medal for the worst hacks in history,” Hemu Nigam, CEO of online security consultancy SSP Blue, told CNN.

The new breach was likely separate from the 2014 incident, which Yahoo attributed to state-sponsored cybercriminals. At that time, hackers also accessed the company’s proprietary code for generating “cookies” – a code that would, in theory, allow them to break into accounts even without a password.

As the Christian Science Monitor’s Jaikumar Vijayan reported in September:

In Yahoo's case, the company's failure to disclose the breach for nearly two years suggests that it did not have adequate breach detection and response capabilities or that it remained mum despite knowing about it.

Either way, the consequences are likely enormous. The leak has given hackers 500 million new keys to try and break into organizations, says Rajiv Gupta, chief executive officer of security vendor Skyhigh Networks.

Many of the username and password combinations may not work or lead nowhere. But some of them will lead to sensitive information, as users tend to reuse login credentials.

Fortunately, users have several ways to protect themselves. Experts recommend using different passwords for different accounts. Even an exceptionally strong password can prove useless if it is tied to multiple sites, since hackers can target the least secure of the bunch.

You should also avoid opening or answering strange emails, say experts. Cybercriminals will sometimes target users who have already been hacked, asking them to confirm their answers to security questions, in an attempt to appear legitimate and access more information.

Users should also consider blocking access to their credit report, Mr. Nigam said. That way, if hackers try to open a credit card in your name, your bank will flag the attempt as suspicious.

Though credit card data and bank account numbers are not believed to have been breached, users should still exercise caution as the extent of the hack is still unclear.

“Yahoo badly screwed up,” said Bruce Schneier, a cryptologist and respected security expert. “They weren't taking security seriously and that's now very clear. I would have trouble trusting Yahoo going forward.”

This report includes material from Reuters.