Yahoo is in the spotlight again, this time over the security breach of more than one billion user accounts. Most alarming is that this breach is separate from the data theft that was disclosed back in September, which on its own involved 500 million accounts. This latest breach couldn’t come at a worse time for Yahoo, as the email giant is currently looking at buyout offers from Verizon.
Yahoo has been at the center of security problems in the past, but none have reached quite the heights of this week’s revelation. Yahoo’s own IT security officer has stated that it is unlikely that the breach included payment information but that it did include “names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers”. At this time it is unknown how the data was stolen in the first place, but the matter is under investigation by law enforcement. Security breaches of this type are always troublesome, but the scale of the attack on display here is hard to fathom. At over a billion compromised accounts, that is roughly 1/7 of all the people in the world.
Before you start to panic, there are a couple of things to consider. This security breach occurred back in 2013 and has only now been discovered. That means that the majority of the damage that could have been done has likely already occurred. Yahoo is sending notices to all affected users and will require a password reset, but given the age of this breach and the similar breach in September, your password has probably already been changed. However, this should not be an excuse to ignore the seriousness of this and other security breaches.
One of the biggest dangers from security breaches is that stolen information can be used on other websites. For this reason, users should never use the same password on multiple websites. A common tactic for hackers is to create programs that will automatically test username and password combos across multiple websites. Major security breaches will often also result in another problem: because users expect to receive password reset notifications, many cyber criminals will attempt to prey on this fact with targeted phishing scams. Phishing scams exploit any information a hacker might already know about a user to create a convincing fake email that will fool them into disclosing more data or downloading malware. A common tactic is to give the answer to a security question in an email and then ask the user if the data is still up to date or if they would like to change it. No matter how the user responds, they are either confirming a piece of information or giving away information that can be used to crack their account.
Whether or not you are directly connected to this Yahoo breach (and statistically you probably were), it is important to keep an eye on all of your online accounts. If you do happen to receive a password reset email, regarding Yahoo or any other company, it is always recommended to visit the website directly instead of following links in an email. During the holidays, when people do much of their shopping online, it is especially important to remember how easy it is to fall prey to phishing scams or misdirected links. If you suspect that something is not right, don’t be afraid to report it to your IT provider.