Very late last night, Yahoo sent an email to Yahoo users, informing them that Yahoo user information was revealed in an attack in August 2013. The data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
What Yahoo understandably didn’t include in the email, but did reveal in a public statement: This data breach affected one billion user accounts, making it the largest reported loss of user information in history.
Yahoo has had a stunningly bad year when it comes to security. In September it revealed it was the target of what was, until today, the largest data breach in history, with 500 million accounts having their information taken in 2014. There was also a report that Yahoo refused to confirm that a hacker was selling information on 200 million Yahoo accounts from a data breach in 2012. A report in October also revealed that, under the instruction of CEO Marissa Mayer, it built a backdoor search engine for every user’s incoming email at the request of the NSA. As I said in September, the only reason to keep a Yahoo email account is for a dummy account to use when you need to provide an email address. But with this breach, I’d say even that perhaps places you at too much risk.
Why? The fact that hackers were able to get at “unencrypted security questions and answers.” You can always change your passwords (and you really should be using a password manager regardless). But security questions and answers tend to get reused just as much as passwords — how many different sites know your mother’s maiden name, the city where you were born, or the name of your first pet? — and allow for committed hackers to socially engineer their way into various accounts by using that information for a password reset. (Sarah Palin, you may remember, had her Yahoo email account hacked in 2008 by someone using this method.) Worse, while virtually every site will let you change your password after you learn about a data breach, many still won’t let you update your security question and answers — Facebook being a prime example of this.
So, what can you do if you were affected? You can change your password yet again. You can turn on two-factor authentication on sites that have it, meaning someone would need access to both your phone and your account information to log in. You can change your security question and answers on sites that will let you. (Set aside some time for this, as even the sites that will let you change this information don’t make it easy.) If you’re truly worried, you can put a freeze on credit checks, which can prevent malicious users from attempting to open credit cards in your name.
And, most important, you can ditch your Yahoo account altogether (sorry, Flickr users). Get my data stolen in the world’s largest hack once, shame on me. Get my data stolen in the world’s largest hack twice, time to flee.
