It seems like the bigger they are, the harder they fall. At least, that's the lesson some security experts are taking away from the latest revelations about Yahoo's serious security breach. More than 500 million Yahoo accounts have been compromised, according to the latest reports. As a result, the company is facing a civil suit for gross negligence in allowing an unknown group of assailants to steal login information from a large contingent of its users.
The security breach, which began in 2014, was limited to username and password information for Yahoo's various sites, including webmail, news and fantasy sports services. Fortunately, no financial information is believed to be included in the stolen data. Still, there's reason to be concerned if you're a user of one of Yahoo's sites.
The stolen data
This breach, thought to be the largest of its kind, was confined to usernames and passwords for Yahoo services. It was discovered after FBI officials detected hackers attempting to sell the personal information of Yahoo users. Would-be buyers of such data have several reasons they find value in this information.
First, stealing an email account can be a first step to identity theft. By taking command of an email address, a thief can access password retrieval services at websites linked to that email. For example, a hacker could gain access to a Yahoo account, then use password retrieval to gain access to online shopping, banking and even employment or government accounts.
Second, thieves can use what's called "credential stuffing." Many people recycle username and password combinations across several services. Thieves take advantage of this by trying stolen usernames and passwords at other common sites. Think of it like finding a locker combination on the ground and trying it on every locker in the hallway. This strategy works, on average, for about 0.5% of stolen information. With 500 million possible options, though, that still represents a lucrative payday for the thief.
While Yahoo has been attempting to get in contact with victims, sorting through a breach of this size takes a lot of time and energy. It's safest to assume that all Yahoo login information was stolen. If you do use or have used a Yahoo site for any services, assume it's compromised. Fortunately, two of Yahoo's most popular platforms, Tumblr and Flickr, were unaffected by the breach.
Steps you should take
The first step after any breach like this one is to change passwords. Even if you don't have a Yahoo account, it's not a bad idea to use events like these as reminders. For high-security accounts, like your primary email address, credit cards, brokerages and online banking, change passwords every 6 months, regardless of their safety. If you have a Yahoo account, you'll need to change that password right away. And of course, if you use your Yahoo password at other sites, you'll want to change those as well.
If you use a Yahoo account to access your finances, consider changing the email address connected to those accounts, as well. The service provider may have been negligent in protecting information in this instance, and there is no telling what other security vulnerabilities still exist in their systems. While it may be a hassle to change accounts, it may be worth it for peace of mind.
Another less examined aspect of the data breach is security questions. Questions and answers used in the password reset process may have been compromised, too. If you use information like your favorite author, book or sports team to secure multiple accounts, that data could also be at risk. Worse yet, this data is frequently unencrypted, since it represents only one part of the password reset process. This means it may be widely available.
If you use the same personal information question(s) at multiple websites, now is a good time to review and change that information. Wherever possible, switch to a two-step authentication method. These processes use your cellphone number as a backup password option. If you try to reset your password, the service will call or text you with a code to use as a verification method. It puts another step between potential thieves and your information.
Finally, this is a good time to check your credit. This information has been leaking since 2014, so it's possible you could already be a victim of identity theft. Getting a credit report will let you know if any new accounts have been opened using your personal information. Similarly, this might be a good time to consider a credit monitoring service. Such services keep an eye on your credit periodically, and can help protect against identity theft.
YOUR TURN: Have you been burned by Yahoo or in another security breach? What did you do to keep yourself safe? Let us know in the comments!