Yahoo reported last Thursday that at least 500 million user accounts were affected by a massive data breach. The hack happened in 2014, when hackers stole account information, including names, emails, passwords, telephone numbers and answers to some security questions, from Yahoo servers.
According to reports, in July Yahoo began investigating claims by hackers who were offering to sell what they said were 280 million Yahoo usernames and passwords. Yahoo said it concluded the information for sale wasn't legitimate, but the company decided to broaden its probe, eventually determining that it had been breached by “a state-sponsored actor.”
The claim of a state-sponsored attack may be based solely upon the timing of the attack, 2014. In 2014, several alleged China-sponsored intrusions occurred, Anthem and OPM for example, stealing millions of recorded identities. Claiming a highly sophisticated state-sponsored attack also helps alleviate some corporate security management responsibility. Schneider Downs has doubts as to the state-sponsored origins of the attack, in that organized crime, not nations, offers stolen data for sale over the Internet.
In a proxy filing related to the Yahoo-Verizon deal on Sept. 9, Yahoo said it wasn't aware of any “security breaches” or “loss, theft, unauthorized access or acquisition” of user data. The Yahoo breach appears to be the largest ever disclosed, based on the number of users affected.
What should you do if you have a Yahoo account?
First, you'll want to change your password immediately.
Second, all Yahoo account holders should also change their security questions and answers.
Third, take some overall security precautions when it comes to Internet accounts:
- Never use the same password twice on the same type of accounts
  - Use different passwords
  - Make social media passwords different from banking passwords
- Pick better passwords
  - Password phrases are longer and easier to remember
  - Use a capital letter, number and special character (@, !, #) when possible
- Better yet, use a password manager. A personal password manager may be a good idea. A password manager is software that creates, stores and organizes all your passwords for your computers, websites, applications and networks, so you can have a complex, different password for each site without having to remember them. Password managers generate passwords and double as a form-filler, entering your username and password automatically into login forms on websites. So, if you want super-secure passwords for your multiple online accounts but do not want to memorize them all, a password manager is the way to go. Some leaders are:
  - LastPass Password Manager
  - Keeper Password Manager (has self-destruct feature)
  - Dashlane Password Manager (cloud based with auto password changer)
  - LogMeOnce Password Manager (Good Mac Product – Mug Shot Feature)
  - KeePass Password Manager (Open Source – locally stored)
- Update those security questions
  - Use different security questions for different sites.
  - Try not to use well-known facts (like your high school mascot).
  - Try not to use information that can be determined from Facebook, Twitter or other social media accounts.
- Turn on two-factor authentication
  - Where possible, have a code sent by text to your phone as an additional authenticator.
  - A second option would be to use an authenticator tool such as Google Authenticator or an RSA token.
As always, contact Schneider Downs if you have more specific or detailed questions about IT Security or securing your personal information online.