What Yahoo users can do to protect their data after billion-account breach

The new breach was likely separate from a 2014 incident, which Yahoo attributed to state-sponsored cybercriminals.

Photo caption: The company logo appears on a smartphone in Frankfurt, Germany, Thursday. (Michael Probst/AP)

Yahoo, Inc. suffered the largest breach in history in August 2013, when hackers compromised one billion accounts, the company announced Wednesday.

Yahoo has urged users to reset their passwords, acknowledging that the newly discovered hack may have included names, email addresses, phone numbers, birthdates, hashed passwords, and security questions and answers. The incident dwarfs the company’s other record-breaking hack, which exposed 500 million accounts in 2014.

“Yahoo has now won the gold medal and the silver medal for the worst hacks in history,” Hemu Nigam, CEO of online security consultancy SSP Blue, told CNN.

The new breach was likely separate from the 2014 incident, which Yahoo attributed to state-sponsored cybercriminals. At that time, hackers also accessed the company’s proprietary code for generating “cookies” – a code that would, in theory, allow them to break into accounts even without a password.

As the Christian Science Monitor’s Jaikumar Vijayan reported in September:

In Yahoo's case, the company's failure to disclose the breach for nearly two years suggests that it did not have adequate breach detection and response capabilities or that it remained mum despite knowing about it.

Either way, the consequences are likely enormous. The leak has given hackers 500 million new keys to try and break into organizations, says Rajiv Gupta, chief executive officer of security vendor Skyhigh Networks.

Many of the username and password combinations may not work or lead nowhere. But some of them will lead to sensitive information, as users tend to reuse login credentials.

Fortunately, users have several ways to protect themselves. Experts recommend using different passwords for different accounts. Even an exceptionally strong password can prove useless if it is tied to multiple sites, since hackers can target the least secure of the bunch.

You should also avoid opening or answering strange emails, say experts. Cybercriminals will sometimes target users who have already been hacked, asking them to confirm their answers to security questions, in an attempt to appear legitimate and access more information.

Users should also consider blocking access to their credit report, Mr. Nigam said. That way, if hackers try to open a credit card in your name, your bank will flag the attempt as suspicious.

Though credit card data and bank account numbers are not believed to have been breached, users should still exercise caution as the extent of the hack is still unclear.

“Yahoo badly screwed up,” said Bruce Schneier, a cryptologist and respected security expert. “They weren't taking security seriously and that's now very clear. I would have trouble trusting Yahoo going forward.”

This report includes material from Reuters.
