It is being widely reported that internet company Yahoo was breached by hackers back in 2013. Yes, you read that right, 2013. Here we are three years later, and it is just now being revealed that account information for a record-breaking billion accounts may have been compromised. If this sounds familiar, that is because it is. In September of this year, Yahoo reported a breach that resulted in data for over 500 million accounts being stolen. However, according to a Tumblr blog post from Yahoo, this attack is separate from the attack that took place in 2014.
Yahoo’s blog post goes on to say that “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers” may have been obtained. It seems that in some cases not just account information was stolen, but the hackers may have studied Yahoo code and created forged cookies, which could actually enable them to gain access to accounts. The forged cookies may have a link to the “same state sponsored actor” responsible for the 2014 attack.
This comes at a bad time for Yahoo, which is currently in the process of being acquired by Verizon. The security breach could devalue, or otherwise damage, the $4.83 billion deal. It should also be noted that Yahoo was reportedly snooping on all users’ incoming emails for the NSA, according to an article at Reuters published back in October. That is a lot of serious incidents, and bad press, for a company that wants to maximize value from this acquisition. According to an article at the Huffington Post, Verizon is taking a wait-and-see approach. Verizon issued a statement that they “will review the impact of this new development before reaching any final conclusions”.
Hacking: The New Norm?
It’s been a rough year for Yahoo. If I were a regular user of Yahoo I would certainly be at the point where I would reconsider using their services. Then again, it seems that every few days or so there is a new report of some form of hacking, malware, or nefarious government surveillance at one of the major internet companies. Perhaps this is the world we live in, and we should just start to expect this sort of thing. We live in a highly connected society, and companies like Yahoo provide the tools for those connections. Sadly, security is simply not there yet; if someone is dedicated enough they will likely get in. This is the cost of living in a connected world.
What Can You Do?
Yahoo says they will notify affected users; however, even if you don’t receive notice you should take action. Make sure that you change your Yahoo password, if you have one, and do the same anywhere else that you may have used that password or the security questions.
The following security tips are not really specific to Yahoo, but general tips that can be used with many services. As I mentioned earlier in the post, if someone really wants in, they will get in. Regardless, these tips will at least improve your online security posture a bit:
- You should make sure that you are using different passwords for every account you use online. At the very least, make sure any accounts with important information have unique passwords.
- Consider enabling two-factor authentication (2FA) on sites that offer it. It can offer some level of protection, but even that isn’t a guarantee.
- Monitor your accounts for strange or suspicious activity.
- For services that allow you to do so, set up alerts to tell you when your accounts have been accessed or certain actions take place.
- Be wary of emails asking you to take an action of any kind, whether it is changing your password, visiting an unknown website, or collecting free money from a prince in Africa. (Don’t know, don’t click.)
- Keep an eye on the news. When news of a breach breaks, check your accounts for anomalies and change that security information.
Here’s the bottom line: this is just another hack in a long history of hacks. Next week, another will be discovered, be it at Yahoo or some other internet company. There are some things you can do, including making the switch to more secure (but sometimes less convenient) services. This, of course, involves trusting the service providers, and those services still may have exploitable holes. The best thing that we can do is assume that anything we do on the internet could end up in the hands of governments or hackers, and possibly become public. By keeping that simple fact in mind you can decide for yourself how much risk is appropriate for you, and act accordingly. Stay safe out there, folks.