Reports that half a billion Yahoo accounts were hacked in 2014 “by a state-sponsored actor” were confirmed today by the tech giant.
This hack of “names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions” is the largest in the company’s history and one of the most consequential breaches of all time.
Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now.
He also gave a longer interview to Data Breach Today about the wider implications of the hack.
The most important takeaway from this attack is you should always use an extra layer of protection — in this case Yahoo’s two-factor authentication on all your accounts — and never reuse any important password.
Even though Yahoo stored your passwords in encrypted form, it is still possible for criminals to recover them, especially if they are weak.
A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to make fake accounts easier to catch, because fake accounts tend to reuse the same answers over and over.
Sean always uses nonsense answers for so-called security questions so they aren’t guessable by anyone who knows him or follows him on social media. He recommends you do the same.
So what should you do now?
Sean recommends you “walk, not run” to your Yahoo account to disable your security questions and change your password — and change them on any other site where you’ve used them to something unique.
Make sure you create non-human passwords — not patterns like yahoo1985. Make them long and difficult to remember. If they’re between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends.
And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device. You can also store your nonsense answers to your security questions in there.
Then turn on two-factor authentication, if you haven’t already.
If you’re wondering who might have carried out such a massive attack, Sean does have a hypothesis.
[Image by Christian Barmala | Flickr]