500m Yahoo users have had their account details hacked. What does this mean? Users need make some sensible moves and make them fast.
Claiming the origin of the hack is “state-sponsored”, Yahoo’s breach is a big one – perhaps the largest of such kind ever recorded.
Originally believed to affect some 200m user accounts, by the time Yahoo revealed the scale of the problem, that number had risen to 500m.
The company said the attack happened in 2014, with personal information such as names, email addresses, telephone numbers, dates of birth, unencrypted security questions and answers, and even encrypted passwords being stolen.
In Ireland, the Data Protection Commissioner has already sought added detail on the breach, with Yahoo now firefighting for the foreseeable future.
So, if you’re a Yahoo user, what should you do?
Change your password, make it strong
This should go without question. Whatever password you have been using all this time, change it and make it better. Cybersecurity expert Graham Cluley was quick to respond to the hack with telling advice, pointing out the need for “complex” passwords.
This is nothing new. Every year we find out a plethora of dreadful passwords used in accounts that were ultimately hacked.
Tips to improve passwords are always the same, but that still doesn’t make them less important. Using long passwords with multiple cases and character types (for example, use #, €, or £ –) is the way to go.
The passwords accessed in the hack were hashed in a strong bcrypt algorithm, which is something positive for Yahoo, at least.
Use different passwords on different sites
If your Yahoo account was hacked and you use the same details on other websites, or for other services, then they could be accessed pretty easily as well.
“If you were using the same password in multiple places, you need to get out of that habit right now,” said Cluley.
“Reusing passwords is a disaster waiting to happen, and could allow hackers to crack open other accounts using the same credentials.”
Update security questions
This piece of advice is perhaps a little less common: update your security questions. Yahoo has confirmed that security questions were hacked, posing a different threat to users.
For example, if one of your Yahoo security questions is the same as your bank’s security questions, the answer could ultimately reveal far more than you originally considered.
If it’s as simple as your pet’s name, or your favourite football team, that information is really easy to find from scrolling through your social media. Try to think ahead in this regard.
Enable two-factor authentication
Passwords are one line of defence and, depending on their length, complexity and the housing structure in which they are secured, they vary in success. But adding more layers is never a bad idea. Yahoo, like many services, provides a two-factor authentication tool for anyone interested in taking it up.
If ever this offer exists, take it. Essentially, it will send an SMS to your phone with a unique code each time you log into your account.
What costs you a few seconds of your time, every time, could add sufficient security to your account to deny certain hack attempts.
Watch out for Yahoo-like emails
Yahoo has said it is emailing all affected users, which is a good thing. Although, it also creates a massive red light for any criminals looking to use social engineering as a tool in a major phishing scam.
If Yahoo has emailed you, verify it first. And expect plenty of Yahoo-like emails in future, asking you to fill your details into a suspicious, ultimately dodgy link.
Cybersecurity expert Troy Hunter runs the Have I been pwned site, which lets people investigate if their emails have ever been hacked. It’s always a good idea to regularly visit the site and check your details.