For the second time this year, Yahoo has revealed that hackers have obtained data about a huge number of its users’ accounts. In September the company said that account information for more than 500 million users was stolen in 2014. Now the company says it was hit by an even larger hack a year earlier.

In 2013 hackers obtained information for 1 billion accounts. Yahoo learned about the hack in November 2016, when law enforcement supplied the company with evidence.

In some cases, there’s also evidence that hackers may have used that data to forge cookies and access some accounts without a password.

All told, there’s no time like the present to change your Yahoo password and security questions… and take a closer look at how you use passwords generally.

The hackers who hit Yahoo obtained user information including names, email addresses, phone numbers, birthdates, and hashed passwords. Some encrypted or unencrypted security questions and answers were also stolen, but no clear-text passwords or payment information were taken.

Still, in addition to sending messages to everyone affected by the hack, Yahoo says it’s also taking extra steps to let users know if a forged cookie was used to access their accounts without a password.

Since the disclosure of this hack comes more than three years after the fact, the damage may already be done in many cases: hackers may have already accessed data from your account or used your information in other ways. And the disclosure of a second massive hack surely isn’t doing much to help Yahoo’s reputation at a time when Verizon is engaged in a deal to acquire the company for billions of dollars.

If you’ve ever had a Yahoo account, you may want to log in and change your password, even if you don’t actively use that account anymore.

It’s also a good idea to change passwords and security questions for any other service where you use the same password or one that’s similar. And you should stop reusing passwords across services in the first place!

It can be difficult to remember unique, strong passwords for all the different apps and services you use. But there are a few ways you can use unique passwords without too much pain.

One is to use a password manager such as LastPass, Dashlane, KeePass, 1Password, or RoboForm. Some of these are services that run in the cloud, allowing you to access your passwords from multiple devices.

If trusting all of your passwords to a cloud service scares you at a time when we keep hearing about hacks, I don’t blame you. But you can strengthen security a bit by requiring multi-factor authentication. Many services give you the option of requiring more than just a password to log in: you may have to enter a code received by text message or in a smartphone app, for instance.

If all else fails, you could do what security expert Jeremiah Grossman does: keep all of your passwords on an encrypted USB flash drive. Then you just need to remember the password to unlock the drive any time you need to view one of the long, random strings of characters. It’s not particularly convenient, and you’re out of luck if you lose the USB drive. But it’s a pretty tough-to-hack system.


5 replies on “Today’s a good day to change your passwords (Yahoo hack)”

  1. Mr Grossman: “I select them quite literally by banging on the keyboard a few times like a monkey”

    Which is a terrible way of coming up with a “random” password.

    I deleted my Yahoo last year when I found there had been logins from random countries, and Yahoo hadn’t even thought to notify me of these as being suspicious. (At least I could check though – when my ISP Virgin Media was hacked, they couldn’t even tell me if there were any active connections.) Now I only use emails with 2FA, asking with KeePass2.

  2. I wouldn’t worry so much about passwords. There’s only so much security they can give you. Unless you’re really vulnerable to dictionary attack, a 98-character password isn’t going to do much better than a shorter, memorable one. I think it’s understated how important multi-factor authentication is, especially with a more robust system that doesn’t rely on SMS (which has been deprecated at least in the US).

    1. Yeah, the image for this post is a little tongue in cheek. The main thing is to remind people to stop using the same password for multiple sites. Odds are some service you use *will* be hacked eventually, and you’re putting yourself at unnecessary risk if you use the same password for Yahoo and your bank, for example.

      1. But the problem is they may have let out “secret answers” too. It’s hard not to use the same ones on different sites where they only offer a limited choice of questions.

  3. I was checking this out earlier because I noted they got security questions. Apparently Yahoo is doing away with those altogether because the option is to “disable security questions to improve security.”
