WASHINGTON — Yahoo’s data theft — involving about half the company’s one billion users — is no joke.
At a time of increasing breach fatigue, when big data exposures sometimes elicit little more than a yawn, this incident sets a new bar for massive leaks of account information.
The break-in, which Yahoo attributed to a state-sponsored actor, presents a serious problem for users, because the data the hackers got isn’t just a partial look at people’s profiles; it’s as close to a full haul as they come from a company like Yahoo. The cyber-thieves stole account details including user names, scrambled passwords, birth dates, security questions and other personal information, but apparently not payment card and other financial data.
Hackers may have accessed millions of Yahoo accounts for years undetected. While Yahoo stressed that the passwords were encrypted, the re-use of passwords across the Internet and thriving sale of hacked databases on the black market means that hackers may easily connect the dots for many other accounts.
Here’s what to do if you’re one of the unlucky Yahoo users whose account was compromised:
- Yahoo says it’s alerting affected users and asking them to change their passwords. Even if you’re not notified, you should do this anyway. The reason: Companies generally only report information that they can prove was taken from them. And it’s trivial for hackers to cover their tracks. So even if digital-forensics investigators strongly suspect or believe that certain data was accessed or taken, if it’s not verified, it may never be reported.
- This is a good opportunity for Yahoo users to turn on login verification, which will implement a text-message alert or phone call when someone tries to access your account from an unrecognised computer. This is a wonderful feature that all major internet companies now offer. If you want to go the extra mile, call your cellphone provider and add a verbal password to your account there; that will prevent hackers who are seriously dedicated to hijacking your e-mail account from tricking your cellphone service provider into routing the alerts or calls to phones under their control.
- Now is also a good time for users to try novel authentication services such as Yahoo’s Account Key, which links the Yahoo mobile app to your phone to prevent anyone from logging in without having access to that device. Tech companies are increasingly rolling out useful authentication services that reside on smartphones and add extra layers of log-in security — Google has Google Authenticator, and there’s another app from Duo Security called Duo Mobile, both of which generate onetime login codes that exist only on your phone and the company’s servers. BLOOMBERG