What Yahoo users can do to protect their data after billion-account breach
Yahoo, Inc. was subject to the largest breach in history, the company announced Wednesday, when hackers compromised one billion accounts in August 2013.
Yahoo has urged users to reset their passwords, acknowledging that the newly discovered hack may have included names, email addresses, phone numbers, birthdates, hashed passwords, and security questions and answers. The incident dwarfs the company鈥檚 other record-breaking hack, which exposed 500 million accounts in 2014.
鈥淵ahoo has now won the gold medal and the silver medal for ,鈥 Hemu Nigam, CEO of online security consultancy SSP Blue, told CNN.
The new breach was likely separate from the 2014 incident, which Yahoo attributed to state-sponsored cybercriminals. At that time, hackers also accessed the company鈥檚 proprietary code for generating 鈥渃ookies鈥 鈥 a code that would, in theory, allow them to break into accounts even without a password.
As the 海角大神 Science Monitor鈥檚 Jaikumar Vijayan reported聽in September:
In Yahoo's case, the company's failure to disclose the breach for nearly two years suggests that it did not have adequate breach detection and response capabilities or that it remained mum despite knowing about it.
Either way, the consequences are likely enormous. The leak has given hackers 500 million new keys to try and break into organizations, says Rajiv Gupta, chief executive officer of security vendor Skyhigh Networks.
Many of the username and password combinations may not work or lead nowhere. But some of them will lead to sensitive information, as users tend to reuse login credentials.
Fortunately, users have several ways to protect themselves. Experts recommend using different passwords for different accounts. Even an exceptionally strong password can prove useless if it is tied to multiple sites, since hackers can target the least secure of the bunch.
You should also avoid opening or answering strange emails, say experts. Cybercriminals will sometimes target users who have already been hacked, asking them to confirm their answers to security questions, in an attempt to appear legitimate and access more information.
Users should also consider blocking access to their credit report, Mr. Nigam said. That way, if hackers try to open a credit card in your name, your bank will flag the attempt as suspicious.
Though credit card data and bank account numbers are not believed to have been breached, users should still exercise caution as the extent of the hack is still unclear.
鈥淵ahoo badly screwed up,鈥 said Bruce Schneier, a cryptologist and respected security expert. 鈥淭hey weren't taking security seriously and that's now very clear. I would have trouble trusting Yahoo going forward.鈥
This report includes material from Reuters.
