Last week Yahoo confirmed that it suffered a huge data breach in 2014, in which 500 million accounts were compromised. This is the biggest known breach in terms of number of records. The information exposed includes names, email addresses, telephone numbers, dates of birth, hashed passwords and the answers to security questions, some of which were stored unencrypted. I’ve been talking to the media about the breach and its wider implications and wanted to share some top tips to better protect your accounts.
The information stolen could be used by criminals for financial cyber crime, identity fraud and social engineering. The breach is a couple of years old, but people should still do what they can to minimise any potential damage.
Here are the Risk Avengers top tips:
1. Even if you are not a Yahoo user, this breach may still affect you. People who use some other email services (including Sky and BT) could be at risk because those providers run their webmail on Yahoo’s platform. Apparently 572,162 domains are using Yahoo as their email provider. You can use this tool to check whether your domain is affected.
2. Change your Yahoo password and, if there’s any danger that you’ve used the same password elsewhere, change the password for those accounts too. The stolen passwords were hashed (mostly with bcrypt) rather than stored in the clear, but that does not make them uncrackable. bcrypt is deliberately slow, which limits how many guesses an attacker can make per second, but it does nothing to protect a weak or common password: attackers hash guesses from wordlists offline and compare them against the dump, and anything short or predictable will fall. A cracked password is then tried against every other service where you might have reused it. My research suggests 62% of people in the UK reuse their passwords, so this could be quite a problem.
3. Make passwords long and complex, and unique to each account. Length matters most; use numbers and special characters as well as upper and lower case letters, but don’t rely on the obvious substitutions for your p@ssw0rds, because cracking tools try those variants automatically. A password manager lets you use a long, random, different password for every site without having to remember any of them, so you get the security without losing usability.
4. The compromise of unencrypted answers to security questions is worrying. Unlike a password, the name of your first pet or your mother’s maiden name cannot be changed, and you may well be using the same answers for the security questions on other accounts, possibly even your online banking. Whilst you are going through your accounts to strengthen the passwords, update your security answers to something unique for that account. You can use the password manager to store answers that are as random and complex as your new passwords; there is no rule that the answer has to be true.
5. Set up two-factor authentication on your Yahoo account to add a second layer of security. With two-factor authentication a stolen or cracked password is no longer enough on its own to log in, which makes it far more effective at protecting your accounts than a password alone, and yet only 19% of people in the UK use it. At the same time as setting it up for Yahoo, set it up on your other online accounts too. Scott Helme wrote a really helpful guide on how to set it up for most websites.
6. Watch out for social engineering attacks over email, messaging services and the phone. Having your email address and telephone numbers exposed means attackers can use that information for phishing (email), smishing (SMS) and vishing (voice calls), and the personal details in the dump let them make those messages convincing. These attacks may be attempts to get your login credentials for other accounts or to infect your devices with malware.
7. A lot of people have commented that they used to use Yahoo and still have an account, but can’t remember their password. This year has seen some huge historic data breaches come to light, including MySpace as well as Yahoo, which highlights that online accounts we no longer use can still come back to haunt us and the importance of shutting down these ghost accounts.
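To make tips 2 and 3 concrete, here is an added example (not from the original post) of what an attacker does with a dump of hashed passwords and why reuse turns one breach into many. It uses hashlib.pbkdf2_hmac from the Python standard library as a stand-in for bcrypt so that it runs offline; the shape of the attack (salted slow hash, attacker guesses offline from a wordlist with mangling rules) is the same. The wordlist, the iteration count and the mangling rules are constructed for illustration and are far smaller than a real cracker’s.

```python
"""Offline guessing against a dump of salted, slow password hashes.

Added example, not code from the original post. hashlib.pbkdf2_hmac stands in
for bcrypt; ITERATIONS is an assumed work factor.
"""
import hashlib
import hmac
import os
import secrets
import string

# Assumption: a work factor costing a few tens of milliseconds per guess.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted slow hash as a site would store it; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=ITERATIONS):
    """Constant-time check of a candidate password against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def mangle(word):
    """Tiny stand-in for a cracker's rule set: capitalisation, leetspeak, year suffixes."""
    base = {word, word.capitalize()}
    base |= {w.translate(str.maketrans("aeo", "@30")) for w in list(base)}
    return base | {w + str(year) for w in list(base) for year in range(2012, 2017)}


def crack(salt, digest, wordlist, iterations=ITERATIONS):
    """Offline dictionary attack: hash each mangled guess and compare. Returns the password or None."""
    for word in wordlist:
        for guess in mangle(word):
            if verify(guess, salt, digest, iterations):
                return guess
    return None


def generate_password(length=20):
    """What a password manager does: a long random string from a large alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed wordlist: a handful of the most common base words.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer"]


def demo(iterations=ITERATIONS):
    """Returns (password recovered from the breached site,
                whether it also unlocks a second site that used the same password,
                result of the same attack on a manager-generated password)."""
    reused = "p@ssw0rd"  # looks "complex" but is a dictionary word with standard substitutions
    site_a = hash_password(reused, iterations=iterations)  # the breached site's record
    site_b = hash_password(reused, iterations=iterations)  # another site: different salt, same password

    recovered = crack(*site_a, WORDLIST, iterations=iterations)
    # Different salt at site B is irrelevant once the plaintext is known: this is credential stuffing.
    stuffing_works = recovered is not None and verify(recovered, *site_b, iterations=iterations)

    unique = generate_password()
    unique_record = hash_password(unique, iterations=iterations)
    not_recovered = crack(*unique_record, WORDLIST, iterations=iterations)
    return recovered, stuffing_works, not_recovered


if __name__ == "__main__":
    print(demo())
```

The slow hash only raises the cost per guess; it cannot save a password that sits within a few dozen guesses of a common word, and once that password is known the salt at every other site where it was reused is no obstacle. The randomly generated password is not in any wordlist, so the same attack returns nothing.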
This may seem like a tedious task list, but it’s a lot better than dealing with identity theft, infected machines or further data loss.