Yahoo confirmed on Thursday that it has suffered a hack of historic scale affecting at least 500 million users.  Knowledge of the hack first hit the news back in August, when it was discovered that 200 million user credentials were being sold on the dark web.  At the time, Yahoo claimed to be investigating the incident but declined to say whether it was legitimate.

Now, nearly a month later, Yahoo has finally come clean about the incident. Evidence of the hack was first revealed in August of this year, but it is believed that the data breach itself occurred sometime in 2014.  A sample of the stolen data showed that it contained usernames, hashed passwords, dates of birth and, in some cases, backup email addresses.  At the time of the discovery, the 200 million records were selling for 3 bitcoins, or roughly $1,860.  Yesterday's announcement shows that the security breach was even greater than initially feared, affecting at least 500 million users instead of the originally estimated 200 million. The one good piece of news is that the breach does not appear to include any sensitive financial information.

Given the age of the data from this leak, it may seem to have limited threat potential, but it has been shown time and again that leaked credentials can be used to break into accounts on other websites.  Many users reuse the same password across multiple accounts, and stolen email addresses are frequently used in phishing scams to extract further information.  All of these things are made more dangerous by the wealth of personal information many users share freely on social media.

While far from the first public data breach of this type, this hack will go down as one of the largest incidents in history.  In light of this and other recent data breaches, it is important to take precautions with your online accounts.  You should never use the same username and password combination on any two websites.  Many websites use your email address as the default username; while convenient, this makes it easier for hackers to discover and crack multiple accounts with a single set of leaked data.  A good precautionary measure is to periodically update your passwords to prevent long-term abuse of your accounts.  While this won't prevent all damage to an account, it does limit the amount of time for which leaked data is valuable.  As this breach shows, information stolen back in 2014 was still being sold on the black market in 2016.  If every user involved in the breach had updated their credentials in that time, the damage from this attack would have been mitigated.
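The two risks described above, password reuse across sites and credentials that are never rotated after a breach, are exactly what a site operator looks for after a dump like this becomes public. The following is an added example, not code from the original post or from Yahoo: it simulates an operator of a different site (one that also uses email addresses as usernames) checking its own user records against a leaked dump. All emails, passwords, dates and hashes are constructed for illustration; the post does not state which hash function Yahoo used, so unsalted SHA-1 is an assumption chosen only to keep the comparison readable.

```python
"""Added example (not from the original post): find accounts that a leaked
credential dump puts at risk, either because the user reused the leaked
password here, or because the account is in the dump and the password has
not been changed since the breach. All data is constructed."""
import hashlib
from datetime import date

# Assumed breach date; the post only says the breach occurred "sometime in 2014".
BREACH_DATE = date(2014, 9, 1)


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password (assumption for the example; a real
    password store should use a salted, slow hash such as bcrypt or Argon2)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample of a leaked dump: (email, hashed password).
LEAKED_DUMP = [
    ("alice@example.com", sha1_hex("Summer2013!")),
    ("bob@example.com", sha1_hex("hunter2")),
    ("carol@example.com", sha1_hex("correct horse battery staple")),
]

# Constructed records for *our* site, which uses the email address as username.
OUR_USERS = {
    # Same password as in the dump and never rotated: reuse + stale.
    "alice@example.com": {"pw_hash": sha1_hex("Summer2013!"),
                          "pw_changed": date(2013, 6, 1)},
    # In the dump, but chose a unique password after the August disclosure.
    "bob@example.com": {"pw_hash": sha1_hex("N3w-Unique-Pass"),
                        "pw_changed": date(2016, 8, 20)},
    # Not in the dump, but uses a password that appears in it (weak/common).
    "dave@example.com": {"pw_hash": sha1_hex("hunter2"),
                         "pw_changed": date(2012, 1, 1)},
}


def accounts_at_risk(dump, users, breach_date=BREACH_DATE):
    """Return {email: [reasons]} for accounts the operator should force to reset.

    Three checks are made for each local account:
      1. the leaked record for the same email has the same password hash
         (the user reused the leaked password on this site);
      2. the local hash matches *any* leaked hash (the password is known to
         attackers even if this email is not in the dump);
      3. the email is in the dump and the password predates the breach
         (the leaked credential may still be live).
    """
    leaked_by_email = {email: pw_hash for email, pw_hash in dump}
    leaked_hashes = set(leaked_by_email.values())
    findings = {}
    for email, rec in users.items():
        reasons = []
        if leaked_by_email.get(email) == rec["pw_hash"]:
            reasons.append("same password as in leaked dump")
        elif rec["pw_hash"] in leaked_hashes:
            reasons.append("password appears in leaked dump (shared with another user)")
        if email in leaked_by_email and rec["pw_changed"] <= breach_date:
            reasons.append("in dump and password not changed since breach")
        if reasons:
            findings[email] = reasons
    return findings


if __name__ == "__main__":
    for email, reasons in sorted(accounts_at_risk(LEAKED_DUMP, OUR_USERS).items()):
        print(f"{email}: force reset ({'; '.join(reasons)})")
```

Note the simplification: hashes can only be compared directly because both sides use the same unsalted function. A properly salted password store cannot be matched against a dump offline, so in practice this check runs at login time, when the plaintext is briefly available, and the leaked list is consulted there (checking new passwords against known-breached lists is the approach recommended in NIST SP 800-63B). Bob's account is not flagged because he changed to a unique password after the disclosure, which is the behaviour the advice above is asking for.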

Unfortunately, there is nothing an individual user can do to prevent a large-scale data breach, but ensuring that your account credentials are unique and up to date will limit the damage you suffer from such an event.

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer