This week’s revelation is just the most recent in a series of breaches. One breach happened in 2013, and another, from 2014, was reported back in September. The key takeaway: the 2013 breach wasn’t detected during the investigation of the 2014 event. And while Yahoo says both the 2013 and 2014 breaches had nation-state origins, that doesn’t mean the same actor was behind both. The short answer is that we don’t really know who caused either of them.
Second is the lack of Yahoo’s encryption and authentication prowess. This takes on several dimensions, not the least of which is Yahoo’s long history of being exploited over the years. At the time of the newly disclosed 2013 breach, Yahoo was storing passwords as MD5 hashes. That wasn’t state of the art then and certainly isn’t now: MD5 is a fast hash, which is exactly what a password hash should not be, so an attacker holding the dump can test billions of guesses per second on commodity GPUs. To give Yahoo partial credit, they have since switched to a more secure password-hashing scheme. (Brian Krebs explains this in more detail if you are interested.) To make matters worse, according to reports, the MD5 hashes were not salted, so every user who chose the same password got the same hash, and a single precomputed lookup table cracks all of them at once.
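To make the MD5 point concrete, here is an added example (not code from the original post or from Yahoo) that cracks a constructed, unsalted MD5 dump with one precomputed lookup table, then runs the same wordlist against a salted, iterated store. The user names, passwords and wordlist are invented for the demonstration; the salted scheme uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for whatever Yahoo migrated to, which the post does not name.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example: three invented users. Two of them
# chose the same password, which happens constantly in any large user base.
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}
WORDLIST = ["123456", "password1", "qwerty", "letmein"]


def unsalted_md5_table(users):
    """How a 2013-style credential store looked: one MD5 per user, no salt."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def crack_unsalted(leaked, wordlist):
    """Recover every user in an unsalted dump with one precomputed table.

    Total cost is len(wordlist) MD5 computations no matter how many users
    leaked, and everyone who picked the same password falls in one lookup.
    Returns (recovered passwords by user, number of hashes computed).
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: table[h] for u, h in leaked.items() if h in table}
    return found, len(wordlist)


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated hash stored as 'iterations$salt$digest' (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison of a password against a stored record."""
    iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_salted(leaked, wordlist):
    """Same wordlist against a salted store: no shared table is possible.

    The per-user salt forces a fresh iterated computation for every
    (user, guess) pair, so the cost grows with the number of users and each
    individual guess is deliberately slow. Returns (found, hashes computed).
    """
    found, hashes = {}, 0
    for u, stored in leaked.items():
        for w in wordlist:
            hashes += 1
            if verify_password(w, stored):
                found[u] = w
                break
    return found, hashes


if __name__ == "__main__":
    md5_dump = unsalted_md5_table(USERS)
    print("alice and carol share an MD5:", md5_dump["alice"] == md5_dump["carol"])
    print("unsalted:", crack_unsalted(md5_dump, WORDLIST))
    salted_store = {u: hash_password(p) for u, p in USERS.items()}
    print("alice and carol share a salted hash:", salted_store["alice"] == salted_store["carol"])
    print("salted:", crack_salted(salted_store, WORDLIST))
```

Both runs recover the same three weak passwords, which is the honest lesson: salting and stretching do not rescue users who chose "password1". What changes is the attacker's cost, from four fast MD5 computations for the whole dump to one slow PBKDF2 computation per user per guess, and the fact that alice and carol no longer reveal each other. Against a billion-account dump that difference is what keeps most users' passwords uncracked long enough for them to be changed.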
But that is not all. Another reason for poor security at Yahoo is their use of the Yahoo Account Key, a simple authentication method that eliminates the need to use a password on Yahoo altogether. While other SaaS vendors are beefing up their authentication with multiple factors, Yahoo has gone to essentially zero factors: possession of the phone that receives the approval prompt is all that is checked. Anyone who controls that device can approve a login to the targeted Yahoo account without ever supplying the victim’s password.
Another issue: Yahoo’s notification to its customers and the public was sub-par. They sent out this security update and Bob Lord, their CISO, posted this message. Neither had very actionable information, and both lacked the specific details about what was taken and when it was detected that would help restore customer trust. Lord has been in that job for a little over a year: you might recall that in 2015 Yahoo went through three CISOs. Lord has a tough job, no doubt. He gave a talk shortly before he took the Yahoo post in which he said, “It is unreasonable to show up at the Wall St. Journal and say that my customer data is now on BitTorrent.” Yes, but how about when you have to show up multiple times?
Finally, given how long this information has been available to criminals, many fraud detection systems are now useless: a Yahoo address, a date of birth or a security-question answer can no longer be treated as evidence that the person presenting it is who they claim to be. As IdentityMind blogger Jose Caldera has written, “you must detect breached email addresses and apply enhanced due-diligence to ensure that the individual is who they say they are.”
What you can do
So if you are one of the billion unfortunates with a Yahoo email account, here is a plan.
First, make sure you know who is actually behind your email provider. If you have an account @att.net, just to pick one example, that account is actually supplied with Yahoo technology. Every AT&T DSL or U-verse customer needs such an account to access AT&T services, and you can’t easily get rid of it.
Second, if you are reusing your Yahoo password anywhere else, now is a great time to change those other account passwords too. While you are at it, change the password and security questions on your Yahoo or Yahoo-OEM email accounts now. And if you have duplicated your “secret questions” at other accounts, change them as well. This may seem like a big burden, because it is. If you haven’t yet set up a password manager, now is a really good time to download and start using one. (I use LastPass, but there are numerous others, and most are free or inexpensive.)
Next, this also might be a good time to change your “online birthday” to something that isn’t your actual birthday. There is no reason to have this information anywhere online, and far too many services still use it as an identity check. You can have different ones sprinkled throughout the year if you are in need of e-greetings.
Next, don’t delete that Yahoo account, at least not immediately. It could be tied to your identity for numerous other logins that you might not immediately remember, such as your DSL service. But you should delete your emails, and export and then purge your contacts, now, before some hacker does any more damage to your reputation. When Yahoo first started having compromises to their email system many years ago, I had forgotten about an email account that I had set up, and also forgot that I had used it to test its contact import feature. All my contacts (at least current to that point) received spam messages when my account was compromised.
One suggestion is to switch to Gmail; here is how. You can also set up your Gmail account to read your Yahoo messages during the transition. Another alternative is to use a free encrypted email service (Inky.com is one that I am testing at the moment; there are many others, including Hushmail, Mailfence, Easycrypt.co, Passlok and Mailpile.is.)
At the very least, if you have the option to use two-factor authentication on your online accounts (here is a list of some of them), start using this feature to protect your account identity. Please start doing this now. Really.
Krebs also makes a good point about being more aware of phishing attempts, including via your phone: “If your mobile phone number was associated with your Yahoo account, that number may receive SMS phishing or smishing attacks as a result. The standard warning about clicking links applies to unbidden text messages as well.” Thanks Brian.
And in other news
The billion-man breach at Yahoo eclipsed other breaches this week (indeed, ever) in sheer potential size. But sadly it wasn’t the only one of the week.
In breaches discovered by the company's internal security team in April and traced back to February, hackers stole project data from ThyssenKrupp's plant engineering division and from other areas yet to be determined. – DARK READING
And Quest Diagnostics, a medical laboratory company based in New Jersey, said Monday that it was investigating a recent hack that exposed the personal health information of about 34,000 people, according to the company. An unauthorized third party gained access to names, dates of birth, lab results and, in some cases, telephone numbers in November through a mobile health app called MyQuest by Care360. The app gives patients access to their lab results and other information. – THE NEW YORK TIMES
Just for fun
(from Brian Krebs' comments)
Another suggestion from Gizmodo: “So the best option to avoid being hacked is to delete all of your accounts, fill up a warm bath, and throw all of your devices inside of it. Next, pack your bags and craft some hunting tools for your trek into the wilderness. Good luck.”