Yahoo! Confirms Theft of Data of 500 Million Users

September 23, 2016

About a month ago, it was reported that Yahoo! was investigating a possible data breach from 2012 (the New York Times is reporting 2014) affecting 500 million users. Since then, the company has confirmed the breach. The same hacker that claimed responsibility for the breaches of MySpace and LinkedIn has claimed this one too. Information accessed included user names, birthdates, contact email addresses, and poorly scrambled passwords.

The advice is the same as it was before. If you haven’t changed your Yahoo! password in a while, it’s a great time to do it. Also change passwords on any accounts for which you reused that one. Use strong passwords that:

  • are at least eight characters,
  • include at least one number,
  • include at least one special character, such as a number sign,
  • are not dictionary words or names,
  • cannot be easily guessed,
  • are not used on any other online site.
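The following is an added example, not code from the original article or from Stickley on Security: a small Python checker that applies the rules in the list above to candidate passwords. The dictionary and common-password lists are constructed stand-ins (an assumption); reuse can only be checked against a record the caller supplies, since it cannot be detected from the string alone.

```python
import re
import string

# Constructed sample data (assumption): tiny stand-ins for a real dictionary
# and a real list of commonly guessed passwords.
SAMPLE_DICTIONARY = {"password", "yahoo", "welcome", "sunshine", "dragon", "monkey"}
SAMPLE_COMMON = {"password1", "qwerty123", "letmein!", "yahoo2016", "12345678"}

SPECIALS = set(string.punctuation)  # "#", "*", "@" and similar symbols count


def check_password(candidate, used_elsewhere=()):
    """Return the list of rules from the article that `candidate` fails.

    An empty list means the candidate satisfies every rule that can be tested
    locally. `used_elsewhere` is the caller's own record of passwords already
    in use on other sites.
    """
    failures = []
    if len(candidate) < 8:
        failures.append("shorter than eight characters")
    if not any(c.isdigit() for c in candidate):
        failures.append("no number")
    if not any(c in SPECIALS for c in candidate):
        failures.append("no special character")
    # Drop digits and symbols so "Dragon99!" is still recognised as the
    # dictionary word "dragon" with decoration around it.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in SAMPLE_DICTIONARY:
        failures.append("dictionary word or name")
    if candidate.lower() in SAMPLE_COMMON:
        failures.append("easily guessed (on a common-password list)")
    if candidate in used_elsewhere:
        failures.append("reused on another site")
    return failures


def is_strong(candidate, used_elsewhere=()):
    """True only when no rule from the article is violated."""
    return not check_password(candidate, used_elsewhere)


if __name__ == "__main__":
    for pw in ["Xu8*V@YO", "Xu8*V@", "Dragon99!", "Yahoo2016"]:
        print(pw, "->", check_password(pw) or "ok")
```

Real deployments should replace the sample sets with a full dictionary and a breached-password list of reasonable size.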

It is difficult to remember so many passwords. However, it is important to have different ones for all the sites you visit. Password reuse happens more often than ever and is regularly blamed for breaches and unauthorized account access. If the thief (or thieves) figures out that some of the contacts in those Yahoo! accounts are related to financial sites or people, they could try those same credentials on banking sites.

Jim Stickley of Stickley on Security recommends having a core password or phrase of at least six characters such as “Xu8*V@” and adding letters from the URL to your password in some manner you can remember. For example, if you were visiting Yahoo, your password would become “Xu8*V@YO” or some other derivation of that. It is highly unlikely a password would be reused this way.

Another way is the “dice” method. This is when you take dice with words on them (create your own dice if needed) and roll them to combine words into a password.

If you have to write down passwords, try to use clues to trigger your memory as opposed to writing down actual passwords. Then keep the list in a place separate from your computer; a locked cabinet is preferred. And never put your passwords on sticky notes and attach them anywhere on your desk or monitor at work. This leaves your accounts vulnerable to a physical security breach.

In addition to changing your password, keep an eye out for additional email showing up in your inbox that includes links or attachments that you don’t expect. These could be phishing attempts. Even if the email comes from a known sender, the theft of such a large number of email addresses means that spam and phishing messages may appear to come from Yahoo! account holders and/or from any email address in their contact lists.

Some news sources have reported the perpetrator is a state-sponsored actor. However, this information has not been confirmed by Yahoo! or the U.S. Government.

© Copyright 2016 Stickley on Security