Yahoo Breach Lessons for Everyone
What steps should I take if I used to have a Yahoo email account?
This question was answered on December 14, 2016. Much of the information contained herein may have changed since posting.
Whether you currently use a Yahoo email account, used to use one or have never used one, the announcement of 1 billion accounts being compromised in 2013 holds many lessons for everyone.
Yahoo says that no financial information was included in the breach, but usernames, email addresses, telephone numbers, hashed passwords, birth dates and in some cases answers to security questions were all part of the break-in.
Why Email Hacks Are So Desirable
Your email account is the digital key to your kingdom for a variety of reasons, which is why these accounts are so valuable to hackers.
Remember, whenever you (or a hacker) need to reset a forgotten password for just about any online account, the reset instructions get sent to your registered email account.
Another treasure trove is the accumulation of messages that you were sent when you initially signed up for any account, which is a quick way to know what other accounts can be compromised.
Lesson #1: Start getting in the habit of deleting sign-up, notification and reset email messages as soon as you are through with them.
Birthdays & Security Questions
Many sites ask for your birthday as a way to ensure you are old enough to meet their age requirements, but nothing says you have to give them your actual birthday.
Although Yahoo is moving away from security questions as a way to allow you to regain access to an account, the information gathered by the hackers can potentially be used elsewhere.
Questions such as ‘what was your high-school mascot’ are pretty easy to figure out from your profile on sites like Facebook and LinkedIn.
Lesson #2: Start lying more; don’t give your actual birthday or use actual researchable answers on security questions.
Additional Security Measures
If you haven’t figured it out already, virtually anything on the Internet is ‘hackable’ and it’s generally just a matter of time for any large online entity.
Setting up password fraud alerts through 2-factor authentication (https://goo.gl/0MhNLG) and using password management programs that ensure that no password is ever used on multiple sites are a good start.
Lesson #3: Assume that everyone you do business with online is going to be breached and act accordingly.
Spear-Phishing Made Easy
Spear-phishing refers to scam emails that are targeted at those that are known to use a specific service.
In this case, if you have a Yahoo email address, it’s pretty easy for scammers to send convincing but fake ‘password reset’ messages to you knowing that you actually have an account.
Lesson #4: Never click on any reset links unless you just asked for a reset message to be sent.
With all the large-scale breaches in the last couple of years, the likelihood is that any password that you’ve been using for years has been compromised.
There are lots of ‘known password’ databases that let cyber-thieves compare known passwords against stolen hashed passwords, which is why one breach can lead to so many other accounts being compromised.
Lesson #5: If you’re still using a password that’s been in use for more than a couple of years, change it to something you’ve never used before.
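As an added illustration of Lessons #3 and #5 (not part of the original column), the check below audits a password-manager vault against a small constructed known-password list and flags both entries that appear in that list and passwords reused across sites; the sample passwords and site names are made up.

```python
import hashlib

# Constructed sample of a "known password" list of the kind described above.
# Stored as SHA-1 hashes so the plaintexts never need to be kept alongside
# the vault; these are sample values, not a real breach list.
KNOWN_PASSWORDS = ["password", "123456", "qwerty", "letmein", "summer2014"]
KNOWN_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in KNOWN_PASSWORDS}


def sha1_hex(password: str) -> str:
    """Hash a candidate password the same way the known-password list is stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_known_password(password: str) -> bool:
    """True if the password's hash appears in the known-password set."""
    return sha1_hex(password) in KNOWN_HASHES


def audit_vault(vault: dict) -> dict:
    """Audit a {site: password} mapping, the data a password manager holds.

    Returns findings keyed by site. Each entry lists 'known' when the
    password is in the known-password list (Lesson #5) and 'reused' when
    the same password is used for more than one site (Lesson #3).
    """
    sites_by_password = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)

    findings = {}
    for site, pw in vault.items():
        issues = []
        if is_known_password(pw):
            issues.append("known")
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")
        if issues:
            findings[site] = issues
    return findings


if __name__ == "__main__":
    # Constructed vault: one old, reused password and one unique passphrase.
    sample_vault = {
        "mail.example": "summer2014",
        "bank.example": "summer2014",
        "forum.example": "correct horse battery staple",
    }
    for site, issues in audit_vault(sample_vault).items():
        print(f"{site}: {', '.join(issues)}")
```

Any site reported as "known" or "reused" is one where the password should be replaced with something never used before.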
Posted by Ken of Data Doctors on December 14, 2016