That incident was separate from one that Yahoo had disclosed in September involving a breach of at least 500 million accounts in 2014. The company is notifying the account holders who have been affected, and those users will be required to change their passwords.
Advertisement
And yours might be among them.
Yahoo said that for the compromised accounts, the user account information that could have been stolen include names, contact details, email addresses, birthdays, hashed passwords, and in certain cases, encrypted or unencrypted security questions and their corresponding answers.
“I would strongly recommend it, even if you don’t have a Yahoo account”, Nigam said.
“We believe this incident is likely distinct from the incident we disclosed on September 22, 2016”, Bob Lord, Yahoo’s chief information security officer, wrote in a blog post.
New York Attorney General Eric Schneiderman urged anyone with a Yahoo account to change their passwords and security questions, and said he is examining the breach’s circumstances and the company’s disclosures to the legal authorities.
Type your password, if asked (it wouldn’t if you are already signed in). This kind of encryption can potentially be broken with enough persistence, said Brett McDowell, executive director of the FIDO Alliance, a nonprofit group that vets login systems.
Make all new passwords different and hard to guess. Given the size of the two hacks, many Yahoo users are likely to have had their information stolen a few times. It tells you where “you” tried to sign-in from, using your password, and suggests that you create an app password to verify your identity.
It’s a common habit.
Never share any account information or passwords over email. If this breach has anything to teach you, it’s that this is a awful idea. It’s becoming increasingly clear that no company is immune from attack and as more companies are breached, more data will be up for sale in the public domain, making further attacks more likely – in essence, this means that preventative security solutions are no longer enough. The company has also invalidated security questions and answers that were unencrypted to prevent attackers from using them. You don’t have to give the actual answer to the question: “what’s your favorite food?” – you only have to give an answer that you will remember. That’s a high expectation for most normal folks, so instead.
Companies need to step up security measures to protect themselves not only against hacking, but also against the aftereffects of hacking like credential stuffing attacks, according to Ghosemajumder. “With Yahoo unable to explain how the breach occurred, this points towards inadequate security log data to track malicious activity”. “What about the people who are in your contact list that may still use their yahoo account?” Even if you haven’t been victimized, you still could be. Are you still using that wedding planning website, five years after your nuptials? “Whether or not it’s legally supported or possible I think is still unclear”.
Advertisement
FREE TOOL: Check your credit report today for signs of unauthorized accounts in your name.
