Yahoo’s recent announcement of hacks compromising a billion or more accounts calls attention to the tenuous nature of online security. Although it’s natural to want to assume your data is safe when you sign up for a service, the perpetually connected nature of the modern world means information is always at risk. Whether or not you’re a Yahoo user, there are several protective measures you should be familiar with to prevent personal information from being compromised.
The massive number of users affected by the Yahoo incident makes it the largest data breach in internet history, affecting both active and dormant accounts and causing the company’s stock to plummet six percent the day after the second breach was announced. Understanding what happened to cause the Yahoo attacks and implementing appropriate protection can help preserve your privacy in the future.
Two Waves of Attacks
The first report of compromised Yahoo account data came on September 22, 2016, when the company revealed 500 million accounts had been affected by hacker attacks. Law enforcement officials alerted the company to a second breach three months later, and the public was notified on December 14. This second attack affected 1 billion user accounts and was considered separate from the previously reported incident. However, the two may be linked in some way or be the fault of the same “state-sponsored” hacker.
It’s unknown how many unique user accounts were affected due to the possibility of overlap between the two events. In total, as many as 1.5 billion accounts were compromised during the periods in 2013 and 2014 in which the original attacks are suspected to have taken place.
What Was Hacked?
As a Yahoo user, you should be aware of the information the company suspects the malicious third party or parties had access to:
- Email addresses
- Phone numbers
- Security questions and answers
Financial information wasn’t part of the breach because Yahoo stores this data in a separate location. However, the information hackers did steal included data from FBI, CIA and NSA employees and other high-profile individuals. This identification information could be enough to cause serious problems if used to infiltrate accounts on additional sites. Yahoo sent notifications to all users potentially affected by the hacks, but these messages can’t undo the damage of the breach or prevent the attackers from exploiting the data for other purposes.
How Did the Breaches Happen?
To access Yahoo user data, hackers bypassed the normal login process by using Yahoo’s proprietary code to create fake cookies and authenticate unauthorized logins. Yahoo is still trying to determine who was responsible for these actions, and the FBI is also looking into the breach in an effort to pin down the perpetrators.
Unfortunately, 70 percent of data breaches take months or even years to discover, giving hackers plenty of time to steal information before an affected company identifies what’s going on and puts protections in place. Yahoo admits its breaches occurred two to three years before any announcement was made, meaning news of more affected accounts could surface in the future.
Protecting Your Account
Given the extent of the breach, it’s smart to increase the security on your Yahoo account even if you didn’t receive notice of being affected. Keep your information safe by:
- Changing your Yahoo password and any similar passwords used on other accounts
- Switching to security questions with answers hackers can’t easily research
- Monitoring your account for suspicious activity
- Logging in using a VPN when on public Wi-Fi
- Setting up two-factor authentication to require a unique code sent via SMS every time you log in
- Never clicking on links in emails from senders you don’t recognize
- Reporting all suspicious emails to Yahoo
- Checking your “Sent” folder for messages you didn’t send and notifying both Yahoo and the recipient if any are discovered
- Deleting old welcome emails, password reset notices and other messages with information linking your Yahoo account to other services
- Updating passwords and security information on dormant accounts
You may have to follow these steps even if you don’t use Yahoo as your main platform for email. Other services, including Verizon and AT&T, provide email to users via Yahoo, and these accounts may also have been affected. Contact your provider to determine if Yahoo is the basis for your email account, and take action to protect your data if necessary.
As you work to secure your account, keep an eye out for phishing emails claiming to offer account verification or protection. Malicious third parties often take advantage of the panic following large data breaches to steal more information using this tactic.
Learning from Yahoo’s Mistakes
The biggest takeaway from the Yahoo fiasco for both companies and individual users is that it’s best to assume your information will be compromised at some point. Reading through the fine print in the terms of service for many websites can reveal shaky security measures, such as Yahoo’s lack of proper intruder protection, and there’s no guarantee data you enter will be shielded from attacks.
Since you can’t rely on online services to protect your information, it’s important to be proactive in keeping data safe:
- Monitor your credit activity
- Consider signing up with an identity protection company
- Use VPNs to minimize the vulnerability of information shared over the internet
- Update passwords for all accounts on a regular basis
- Never use the same password for more than one account
- Avoid repeating passwords
- Report any fraudulent activity to the proper authorities
Data breaches are a fact of life for every internet user. From the moment you enter information online, it has the potential to become compromised. No service or individual is immune to cyberattacks, and the effects of a hack can ripple out as stolen information is used to compromise other accounts. The Yahoo breaches serve as reminders to always be vigilant with personal data and do everything you can to protect your own privacy.