On September 22nd, Yahoo! announced the largest breach of private account information we’ve seen to date. You can read their statement here. A state-sponsored attack compromised account data from 2014 for over 500 million Yahoo! accounts.
What’s happening? Why does it matter?
At most websites, when you create an account your password is not stored as you typed it: it is run through a one-way hash function and only the resulting “hashed password” is stored. When you log in again, the site hashes what you typed and compares it against the stored hash to see whether it matches.
The problem with the Yahoo data breach is that criminals don’t need to guess at your account by logging in repeatedly, which Yahoo could detect and throttle. With a massive database of hashed passwords in hand, they can test candidate passwords against it offline, at will, looking for anything that matches. As shown in the simplified example below, they’ll start with simple dictionary attacks and lists of common passwords. When they get a match, they will attempt to log in to Yahoo and other websites using those same passwords.
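As an added illustration (not from the original post; the leaked table and the wordlist are constructed), the audit below shows why a leaked table of unsalted, fast hashes is so dangerous: one hash computation per common password exposes every account that used it. The second half shows the storage style that blunts this, a random per-user salt plus a slow key-derivation function, using only Python’s standard library.

```python
import hashlib
import hmac
import os

# Constructed wordlist of common passwords (a real one has millions of entries).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "sunshine"]


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the storage style that makes a leak dangerous."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "leaked" table: username -> unsalted hash, as a weak site might store it.
LEAKED = {
    "alice": weak_hash("sunshine"),
    "bob": weak_hash("Tr0ub4dor&3-unique"),
    "carol": weak_hash("123456"),
}


def exposed_accounts(leaked: dict, wordlist: list) -> dict:
    """Post-leak audit: hash each common word once, then look every leaked
    hash up in that table. Because nothing is salted, the cost is one hash
    per word, not one per word per account; every match is an account that
    must be reset immediately."""
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Hardened storage: 16-byte random salt per user + PBKDF2-HMAC-SHA256.
ITERATIONS = 200_000


def make_record(password: str) -> tuple:
    """Return (salt, digest); the salt differs per user, so one precomputed
    table no longer works against the whole database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(exposed_accounts(LEAKED, COMMON_PASSWORDS))  # alice and carol are exposed
    record = make_record("sunshine")
    print(verify("sunshine", record), verify("sunshinE", record))
```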
What should I do?
Change your Yahoo! password.
You won’t know that an attacker has found a match for your password in the database until it’s too late.
If you’ve used your Yahoo password at other websites, change those passwords as well.
Hackers know that most people share passwords across multiple websites.
Don’t use the same password on multiple websites.
There are several modern applications, including KeePass, that can generate and manage a different password for every website on your behalf.
Don’t use predictable passwords.
Sophisticated attackers can single out your account and make educated guesses at your password. Using variations of words, names and numbers that are important to you, they can test those guesses against the leaked hash offline, without ever facing the website’s login protections.
Expect weird e-mails.
Never send personal information over e-mail to people you don’t know. Any profile changes should be made directly on the website, which should always be served over HTTPS with a valid security certificate. Expect a flood of scammers to come out of the woodwork over the next few months.
In Yahoo’s own words – “The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information.”
Turn on two-factor authentication.
2FA generally requires a password or PIN (something you know) in conjunction with something you have, such as a mobile phone, a one-time password (OTP) token, or a smart card. This extra factor greatly improves the security of any of your accounts, because a stolen or guessed password alone is no longer enough to log in.