Yahoo confirmed Thursday that more than 400,000 user e-mail addresses and passwords have been compromised and posted online. The hackers claim to be do-gooders, breaking into Yahoo to shine a light on its potentially lax security.
Regardless of their intentions, the passwords are now online for everyone to see. The strike comes just a month after millions of passwords leaked onto the Internet. LinkedIn, the business-oriented social network, confirmed that nearly 6.5 million user passwords had wound up on websites frequented by criminal hackers. The same week, dating site eHarmony and the Internet radio service Last.fm acknowledged additional breaches that exposed the passwords of at least 1.5 million users.
If you use any of these sites, change your passwords immediately.
This rapid-fire series of announcements raises the question: Why would hackers target these sites? What could possibly be culled from someone's online résumé and dating history?
A lot, says Marian Merritt, Internet-safety advocate for the computer security company Symantec. People on LinkedIn share all kinds of information about their career history – names, associations, and department titles. Armed with details about someone's past, a hacker might pose as a former co-worker or pretend to be that person in order to scam people out of money.
"Oh, remember? We worked on this project back in '82," says Ms. Merritt, playing the part of a hacker who's laying the groundwork for a con. "I'm looking for X. Can you help me?"
This kind of scheme, called "spear phishing," requires a lot of effort, but going after the right target can be very lucrative. "The definition of a 'big fish' isn't necessarily the CEO of a corporation," says Merritt. "People often forget that churches manage money, membership dues, and whatever fundraisers. They have millions of dollars going through transactions, and it may be managed by somebody that doesn't have good security training because they're a volunteer or [work] part time."
Exposed passwords could also unlock other parts of a person's digital life. At the moment, it's unclear whether the ill-gotten passwords came with the corresponding usernames. Just in case, Gary Davis advises people to change passwords not only on the breached networks, but also on any website where they used the same login information.
"If I use the word 'password' as my password, and I use the e-mail address 'normangdavis,' well they can try that [combination] at my bank and see if that gets them in," says Mr. Davis, worldwide product marketing lead for security firm McAfee.
Fed up with remembering different passwords? Symantec and McAfee offer password managers. The paid services create unique logins for every site you use. You memorize a single password for the service – the software takes care of the rest.
For more on how technology intersects daily life, follow Chris on Twitter @venturenaut.
[Editor's note: This is an updated version of an article that appeared in the June 25 issue of the Monitor weekly magazine.]