Modern field guide to security and privacy

How should 1 billion users respond to epic Yahoo hack?

The scope of the breach is a harsh reminder how everyone on the web needs to be vigilant about protecting their data in an era of widespread criminal and government hacking.

|
Denis Balibouse/Reuters/File
A Yahoo logo is pictured in front of a building in Rolle, Switzerland on December 12, 2012.

Just three months after it said a "state-sponsored actor" compromised data from 500 million user accounts, Yahoo revealed Wednesday another incident that exposed an estimated 1 billion people to criminal hackers.

The size of the intrusion is historic. Other recent hacks have affected hundreds of millions of people, but not anywhere near 1 billion. Yet, the havoc wreaked on Americans' computer networks over the past few years – whether by criminal hackers or meddling intelligence agencies – makes even the Yahoo hack seem like little more than the latest plot development in a long-running drama about digital insecurity.

Yahoo hasn’t identified the intruders, who are said to have taken email addresses, encrypted passwords, names, dates of birth, and potentially unencrypted answers to security questions, but the company suspects a government-supported group is involved. Yahoo said it doesn’t believe that credit card information or bank account data was affected by this breach, and is careful to note that unencrypted passwords don’t seem to have been taken.

So what should the many people affected by this massive hack do to protect themselves now?

Responding to hacks can sometimes feel like an exercise in futility. Most people have had their information exposed in one way or another from the many data breaches that have affected government agencies, global retailers, popular websites, and seemingly every other business connected to the internet.

For many, digital security malaise has set in. Even so, these hacks shouldn’t just be ignored, because there are still ways to mitigate their impact.

Yahoo said in an email to users that it has already responded to the intrusion by requiring affected users to change their passwords and invalidate security questions. This should prevent whoever compromised these accounts from continuing to access them.

But even if criminals can't reuse passwords on other accounts, they may use information gained from security credentials to target Yahoo customers with scam emails. Experts have cautioned vigilance against fake tech support scams that have duped Yahoo users in the past

Whoever gained access to Yahoo accounts could also use stolen information to tailor attacks to other targets, too. This approach is known as spear-phishing: Instead of sending a generic email to many people, attackers can increase their odds of success by going after specific individuals. In fact, experts say the Office of Personnel Management hack may have led to spear-phishing attacks. 

Attackers can also take information from emails about family members or coworkers to design sophisticated phishing attacks. That's why cybersecurity experts often caution against writing about sensitive issues in email services that are stored in perpetuity.

Instead, many experts suggest, people may want to use encrypted messaging apps such as Signal, take advantage of ephemeral features in tools like Facebook Messenger, and save truly private chatter for in-person meetings. 

Data breaches also tend to have ripple effects across other internet platforms because people tend to reuse the same username and password combinations. If that's something you've been doing, now is a good time to change that habit.

Of course, after a data breach it's always good to reevaluate online security practices. One easy way to prevent someone from accessing an online account with stolen credentials is to set up two-factor authentication.

The tech advocacy group the Electronic Frontier Foundation published directions for enabling two-factor authentication on Yahoo accounts just two days before Yahoo disclosed this latest data breach.

But some experts say even that's not enough, especially in regards to Yahoo. Bret Lowry, chief executive of the WinPatrol security company, said in an email to Passcode that it’s time for Yahoo users to stop trusting the company with their data and delete their accounts.

"Especially disturbing is the time it has taken Yahoo to realize and announce the attacks," Mr. Lowry said. "Three years is forever in terms of computers and the internet. Yet that is how long it has taken Yahoo to make this information public, thus putting at risk every single account all of their users have on any site on the Internet, their [personal] computers, and at every business where people access their Yahoo accounts."

Lowry recommends manually deleting every email and folder, changing the answers to security questions, and generating a unique password for a Yahoo account before deleting it. That’s because deactivated accounts aren’t always removed from Yahoo’s servers, according to WinPatrol’s findings, and it’s better not to trust Yahoo to delete information before it can be compromised again.

He also said that people who connect their mobile phones to their Yahoo accounts – something the company has been pushing in recent years – should be on the lookout for mobile phishing attacks. Even deleting your account isn’t enough to be safe.

It’s going to take some time for the full effects of Yahoo’s data breaches to be known. Perhaps the only thing anyone can do now is operate under the assumption that if something can be hacked it will be hacked.

Going forward, Adam Levin, founder of the identity protection IDT911, people should actually be more dishonest when setting up security for sites they use. When asked your mother's real maiden name, make one up, Mr. Levin suggested.

"Changing the answers to your security questions on Yahoo and all other accounts is a good first step, but it’s far from enough," he said. "Users should lie when providing new answers. It's not about veracity. It's about consistency."

But, he cautioned, "Just make sure you aren't so creative in your answers that you can't remember them and lock yourself out."

Security Culture

This journalism empowers people to understand the bigger picture of cybersecurity as it connects to some of the most personal parts of their lives: their job, their education, the evolving digital culture around them, and the technology they use on a day-to-day basis. As part of the Monitor’s overarching commitment to chronicling human progress, we see these very human issues within cybersecurity to be critical and overlooked parts of the conversation.

This initiative is generously supported by

  • Northrop Grumman
  • ISC
You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to How should 1 billion users respond to epic Yahoo hack?
Read this article in
https://www.csmonitor.com/World/Passcode/Security-culture/2016/1215/How-should-1-billion-users-respond-to-epic-Yahoo-hack
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe