Yahoo s Largest Data Hack: What You Should Do Now – Consumer Reports
Yahoo’s Largest Data Hack: What You Should Do Now
Yahoo’s latest disclosure of a data breach involves more than one billion accounts, making it the largest in history. And however the attack—which actually happened in 2013—is only now being reported, it’s not too late for Yahoo users to protect themselves.
Very first off, it’s most likely a good idea to stop using your mother’s maiden name as a security question.
According to Yahoo’s announcement on Wednesday, the information stolen in the two thousand thirteen attack includes names, phone numbers, encrypted passwords, and, in some cases, unencrypted security questions that can be used to reset a password not only on Yahoo, but on other sites as well.
The answers to security information may be the most sensitive data. Many online social, banking, and shopping services use the same security questions, and if consumers response the questions honestly, the Yahoo data breach could enable hackers to switch the passwords for non-Yahoo accounts.
“The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information,” Yahoo wrote in a statement on its website. “Payment card data and bank account information are not stored in the system the company believes was affected.”
Wednesday’s announcement comes just three months after Yahoo exposed that more than half a billion accounts had been targeted in two thousand fourteen in what it called a state-sponsored attack.
“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” wrote Yahoo’s Chief Information Security Officer, Bob Lord on the company’s website.
Yahoo is stepping up its response to this most latest data breach, forcing users to switch their passwords. In the attack announced in September, the company urged, but did not require, users to switch their passwords.
“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to switch their passwords,” Yahoo says on its website. “Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”
Whether your Yahoo account has been hacked or not, all users should go after these steps to boost their online security. (There are more tips on protecting your privacy and security in our extensive guide.)
Kill Ghost Accounts
One of the very first questions about the massive hack is whether Yahoo even has a billion users to hack. Some users may have had numerous accounts, driving up the number.
But it’s also true that many people who presently have Gmail or other accounts may once have created a Yahoo account, one that has been unused for years.
Such accounts are a security liability: Consumers are getting no value from them, but can be victimized by a data breach. It’s wise to delete unused accounts, not just at Yahoo, but everywhere.
And that’s not just about email accounts. The same advice applies to mobile apps and accounts for shopping, household budgets, social media, and so on.
Keep in mind that terminating a Yahoo account doesn’t lead to your individual information being deleted right away. Yahoo’s website explains that user data remains on the company’s servers for about ninety days, and that backups of that data may be retained indefinitely.
Switch Security Answers
The “basic security questions” that websites use for password recovery are a feeble link in your digital defenses. Why? Because the answers don’t switch from site to site.
Some of the answers—what’s your mother’s maiden name?—can very likely be gleaned from your Facebook postings. And they could be the most valuable data stolen in a data breach like the one Yahoo just reported.
And, by the way, this is the same kind of data stolen in the previous Yahoo data breach.
“What’s disconcerting to me is the breach of the password-recovery data,” Lujo Bauer, a security researcher and associate professor at Carnegie Mellon University, told us at that time.
You can use a password manager to generate random strings of characters to insert in the security reaction boxes. Or, simply make up fake information that you record somewhere.
The general principle is to treat the security answers with the same care you apply to your password. Writing down your real hometown is like using the same password for every account, and making it a bad one, at that.
Beware Phishing Attacks
Hackers armed with information from this data breach may send out e-mails or even call on the phone hoping to lure consumers into providing up passwords or other private information.
If past data breaches are a guide, consumers may even receive emails that show up to be from Yahoo, asking for further data to help fix the problem. Never provide passwords or PINs over the phone or through email.
And if you want to check the activity on a bank or other online account, type the URL into the browser yourself; don’t go after a link from an email.
This article has been updated with extra information.
