Huge Hack Hits Yahoo! What Do You Do?
It's almost becoming part of the daily news, or so it seems. You check the weather forecast, the sports scores and see who was the latest victim of an attack by hackers.
In September, the latest news and by far the biggest victim was Yahoo, who announced that the account information of 500 million users was stolen in 2014.
Five hundred million. The size of the breach is so immense that it immediately got the attention of the U.S. government. Six senators wrote to the chief executive of Yahoo asking why it took two years to disclose a hack of this size. They said, "That means millions of Americans' data may have been compromised for two years. This is unacceptable."
Who did it?
It's quite likely the biggest breach by a hacker group on a single company's computer network. Yahoo seemed to be fuzzy on the details about it. They could only say that they believed it was a (foreign) state-sponsored hack, meaning a foreign government (maybe the Russians) was behind it, but they didn't name the culprit because they simply don't know.
However, an independent information-security firm called InfoArmor says that it wasn't a foreign government, but criminal hackers who steal databases and sell the information online to buyers. That hacker group, which calls itself Group E, has stolen two billion records from a dozen websites, including MySpace and LinkedIn.
It took two years for Yahoo to discover and announce they'd been hacked so severely. They had supposedly notified the FBI in 2014 that there had been a breach but at that time they said it affected only about 30 to 40 user accounts. They upped that by 500,000 when the size of the hack was revealed. One European cyber security advisor said the hack "will cause ripples online for years to come."
Stolen: Yahoo customer data.
The data breach provided a treasure trove from the 500,000 affected customer accounts. The stolen information included:
- Email addresses
- Telephone numbers
- Encrypted and unencrypted security questions and answers
How will you know if you have been affected?
You will likely get an email from Yahoo if they feel you've been affected by the hack.
What should you do with your Yahoo account?
All Yahoo customers who haven't changed their passwords since 2014 should do so. It might simply be a good idea to change your password at this time anyway.
Also, users who have been affected by the breach should consider changing passwords on all of their online accounts (beyond Yahoo) and changing the security questions and answers tied to those accounts too.
Why are they so concerned? Because many people have the very bad habit of using the same usernames and passwords for multiple online accounts. Hackers know this and they'll certainly, and immediately, try to use the stolen Yahoo usernames and passwords to break into bank and credit card accounts, randomly and systematically.
So don't be fooled by the passing of time. Stolen information stays on the Web a very long time. Sooner or later, some hacker may be successful with a part of the stolen data that simply hasn't been exploited...yet.
A few things you can do.
With a quick online search on Yahoo's website, you can find answers to a set of Frequently Asked Questions, which is especially important to those who find they have been affected.
Here are a few simple suggestions for immediate action.
1. Take extra precautions with everything related to Yahoo.
When there's a shark sighting at the beach, signs go up saying "Swimmers Beware!" After a major hack, it shouldn't simply be "business as usual." Yahoo Users Beware! You need to be alert. If you stay with Yahoo, review all your accounts and look for warning signs. Take action where needed.
2. Be aware of scams at this time.
Scam artists come out of the woodwork when customers are most vulnerable. Look out for scam emails that may reference the Yahoo breach; an imposter may ask you to "verify" information, and in the process trick you into giving them information. As always, should you get a suspicious email with an attachment, don't click on it.
3. Look into Yahoo Account Key.
Yahoo suggests using something called Yahoo Account Key, a sign-in tool that totally eliminates the need for a password.
In a similar way, there's also a common feature on many online services (email, bank accounts, etc.) called two-factor authentication. This process requires an individual requesting an online transaction to first retrieve (and then submit) a code sent to their smartphone (a secondary device) in order to be able to log in. Two-factor authentication makes it harder for someone to access your account simply by claiming to be you online.
In December 2016 Yahoo announced that one billion accounts were compromised in 2013.