3 Things to Consider After the Latest Yahoo Breach

Here's how to protect yourself in the wake of Yahoo's latest data breach.

No payment card or banking information was compromised in the latest 1 billion-user breach at Yahoo, according to expert reports. But what if there had been? The truth is that for most users it would be annoying, but not the end of the world.

So, why is this big news?

First of all, Yahoo can now claim two of the biggest security breaches in history. It is noteworthy that such a distinction should be attributable to a single entity. The response to the latest breach news has been huge. Ask any three experts and you’ll probably get three different figures, but according to ZDNet, the users exposed in the two Yahoo breaches exceed the total number of records compromised between 2005 and 2013 by nearly double. (Yahoo did not immediately respond to Credit.com’s request for comment.)

The post-breach news commentaries have been many and various. There are some experts who advocate foregoing any digital connection to the security-challenged giant. Others predict that the latest bad news will negatively impact Yahoo’s sale to Verizon further, if not kill it. Within days of the breach, there were various articles advising how you could replace Yahoo services and delete your Yahoo account. That said, Yahoo is not the problem per se.

First of all, let’s be crystal clear: This latest news does not refer to the 500 million Yahoo users who were affected by the breach reported this September. While there may be some overlap, this is a different breach with different issues. It occurred way back in 2013, but that’s not really even the bad news here, though, yes, it is less than awesome that user information — including poorly encrypted security questions and passwords that could be used in an account takeover — has been out there for three years.

The bad news here is not limited to the fact that Yahoo didn’t know about this breach until law enforcement officials told the company that their stolen user data was offered for sale on the dark web. The bad news is not even, as PC World reported, that in a separate incident an intruder was able to crack Yahoo’s proprietary code and forge cookies, which would allow a hacker to get access to user information without a password. This last frightening bit of news seems to be related to the state-sponsored hack reported in September.

The bad news here is that this unsettling state of affairs — of having your information out there at the fingertips of bad players looking to make a quick buck — is not confined to Yahoo users. The real bad news is that we are all willing and/or unwitting conspirators in the exploitation of our own information, which has been sloshing around the hold of a virtual — and somewhat unmanned — freighter for years.

It Always Already Happened

There is, however, a bit of good news here. There are ways you can better protect yourself. All the subscriptions to identity theft monitoring cannot replace your active participation in your own defense. You are your best guardian.

Whether or not you choose to stay with Yahoo, it’s a good idea to change your behavior to stay safe, and that means changing your outlook and approach to the digital world. The main point is this: We are always about to “get got.” You don’t need breaking news coverage to know that you are exposed. With literally billions of compromised files floating around, you have to be exceedingly lucky not to be within easy reach of a sticky-fingered thief looking to make bank at your inconvenience.

While there is no way out of the information inferno we all inhabit, there is a way to live in it peaceably. I go into the details more thoroughly in my book, “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves,” but the basics of the practice I explain there can be summed up by three Ms: Minimize, Monitor and Manage.

Minimize Your Risk of Exposure: This can be anything from how you use the internet to what you choose to carry in your wallet. The goal is to decrease your attackable surface.

Monitor Your Identity: Get a free copy of your credit reports from each of the major credit reporting agencies at least once a year (some states permit more than one) at AnnualCreditReport.com. Consider subscribing to a credit and identity monitoring service. Set up transaction notices with your bank and credit card accounts, and pay attention. If you stay on top of things, you make it harder for crooks to get a foothold into your financial life. And if you have reason to believe you’ve been the victim of identity theft — unexplained accounts and mysterious addresses are two warning signs — don’t ignore it. You can view two of your free credit scores, updated every 14 days, on Credit.com.

Manage the Damage: Notify the authorities if you have become a victim. Get an identity theft incident report that you can use to straighten out your credit and identity issues. Check with your insurance agent, financial services rep or the human resources department where you work to see if they offer an identity theft protection services program and if you are enrolled. You may be pleasantly surprised to learn that they do and you are enrolled free, or can access it at a discount as a perk of your relationship. You may also want to consider freezing or placing a fraud alert on your credit as well, depending on what’s been compromised.

Never forget — the ultimate guardian of the consumer is the consumer, and no one has a bigger stake in protecting your economic security and well-being than you.

The post 3 Things to Consider After the Latest Yahoo Breach appeared first on Credit.com.

Yahoo Confirms Massive Data Breach: What You Need to Know

Yahoo confirmed a massive data breach Thursday that compromised an estimated 500 million users’ personal details.

The announcement follows a Yahoo investigation into claims that a hacker going by the name “Peace” was trying in early August to sell the usernames, passwords and dates of birth of Yahoo account users on the dark web.

The investigation found that “certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo said in a news release. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected, Yahoo said. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.

Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.

Keeping Your Information Safe

If you ever have reason to believe a password to any of your accounts has been compromised, it’s a good idea to change it immediately. And you’ll want to do that across any account that shares the same password (not a best practice, by the way) as the affected one since hackers who obtain one username and password may try to use it to gain access elsewhere.

Remember to keep passwords long and strong by using alphanumeric characters and phrases that can’t easily be guessed via social media (like, say, your pet names). And, if you ever have reason to believe your personal information was hacked, it’s a good idea to monitor your credit for signs of identity theft. (You can view a free credit report summary, updated every 14 days, on Credit.com.)

The post Yahoo Confirms Massive Data Breach: What You Need to Know appeared first on Credit.com.

The Target Data Breach Changed Nothing About How We Use Credit & Debit Cards

Remember a couple of years ago when the Target data breach was in the news? Here’s a refresher if you don’t. In December 2013, Target announced that hackers may have accessed 40 million credit and debit accounts used in their stores late that year.

With so many people affected, it would seem logical that consumer behaviors around card usage might have changed. Turns out, that isn’t the case, according to a recent report by Claire Greene and Joanna Stavins of the Federal Reserve Bank of Boston.

Greene and Stavins looked at survey data collected by the Survey of Consumer Payment Choice (SCPC) before the breach and then after consumers were made aware of the hack. In the survey, consumers were asked about the security of their personal information tied to debit cards and, on average, they saw it as 11.3% less safe after the Target breach.

Based on this information, the authors expected to see a decline in debit card usage. However, the authors reported “no statistically significant change in the adoption or shares of payment instrument use of debit cards in the long run.” Meaning, they don’t believe the Target breach announcement caused any long-term effects on how people use their plastic.

What to Do If Your Information Is Stolen

It’s generally a good idea to keep a close eye on your credit card statements for any suspicious activity. (Tip: make sure you’re doing this through a secure Internet connection so you don’t open yourself up to any additional threats.) If you spot fraud, report it to your issuer right away and, if your card gets lost or stolen, it’s in your best interest to call up your issuer and have the card replaced with new account numbers.

If your personal information gets compromised during a data breach (or otherwise), it’s a good idea to check your credit scores for sudden changes, like a sudden score drop or unfamiliar accounts in your name, as these are signs of identity theft. You can see two of your credit scores for free, updated each month, on Credit.com.

The post The Target Data Breach Changed Nothing About How We Use Credit & Debit Cards appeared first on Credit.com.

Own an Acer Computer? You Might Have Been Hacked

If you purchased something on computer manufacturer Acer’s website over the last year, your credit card information may have been stolen.

Hackers made off with the names, addresses, card numbers, expiration dates and three-digit security codes of a reported 34,500 customers. So far, there is no reported evidence that usernames or passwords were compromised during the unauthorized third-party access.

Acer acknowledged the data breach, which reportedly happened more than a year ago, in a letter prepared for customers. Customers who purchased products on the site between May 12, 2015 and April 28, 2016 might have had their data compromised.

“Safeguarding your personal information is important to us,” Mark Groveunder, vice president of Acer customer service, wrote in the letter. “We took immediate steps to remediate this security issue upon identifying it, and we are being assisted by outside cybersecurity experts. We have reported this issue to our credit card payment processor. We have also contacted and offered our full cooperation to federal law enforcement.”

Review Your Credit For Signs of Identity Theft

The company is urging customers to review their accounts for any signs of identity theft.

If you are concerned that your credit card data was stolen in the Acer hack, it’s a good idea to check your credit scores and credit reports for any signs of unauthorized activity, such as new accounts you don’t recognize. Thieves often get credit cards, buy cars or take out a loan, and when they don’t repay it, the victim’s credit suffers. Until the victim realizes what’s happened, files a police report and gets rid of the fraudulent accounts, the negative information reported to credit bureaus continues to do damage. (You can get free annual credit reports on AnnualCreditReport.com and you can check two of your credit scores for free every month on Credit.com.)

You can also consider freezing your credit until you’re certain you’re in the clear. When you freeze your credit, no one can open a new credit card or loan — not even you. Once you need access to your credit, you have to thaw it before a potential lender has the ability to review your application. You can continue to use your existing accounts, and a freeze won’t keep you from getting your free credit reports or credit scores.

The post Own an Acer Computer? You Might Have Been Hacked appeared first on Credit.com.

Could Your Campaign Contribution Expose You to Identity Theft?

Over the past few years, we’ve experienced more ginormous data breaches than any of us can, or would even care to, remember. Against this backdrop, reflect upon the fact that political campaigns know as much, if not more, than advertisers about us — what inspires us and what will move us to vote.

The Wild West

Consider the various kinds of information a campaign crunches to determine who might be persuaded into voting for their candidate and the parallel to advertising and marketing becomes instantly clear.

Many campaigns don’t “only” (and I use the term advisedly) collect things like your name, email address, postal address, phone number, mobile number, credit card information, location, what you’re called on social media sites (your handles) and other contact or identifying information you choose to provide when you go to make a donation or sign up for their emails. There’s also often a cornucopia of data collected when you use a campaign’s site — cookies, your IP address and other digital no-see-ums. While that information would be horrible to leak, it’s nothing compared to the granular details that campaigns purchase from data mining companies.

“This is the Wild West,” Tim Sparapani, a data privacy consultant and former director of public policy for Facebook, recently told the Los Angeles Times, “There is nothing that is off-limits to political data mining.”

They Have WHAT?

This is not just about social media, but it definitely starts there. Data mining companies have long scoured social media to glean information about potential customers, proponents, fans, outraged citizens and any other manifestation of subjective choice “out there.”

There are too many instances to bring up here, but a report in Bloomberg late last year can serve as a general example. It was about a data mining firm that was working for former presidential candidate John Kasich’s Super PAC to create “a ‘social graph’ of possible supporters by scanning high school yearbooks, small-town newspapers, and sports-team rosters.”

If a yearbook is OK in the land of deep dives, what other records could be put to use? Like rose petals in the wind, data is scattered about everywhere, and there is no place too insignificant for a data mining company to potentially send employees to scour for useable bits.

What’s the Big Deal?

What may not be as obvious is that the type of information they collect is often of significant value to hackers and their clientele. Hackers, advertising executives and political operatives constantly search for ways to move a person to take a particular action. With hackers, the action is to click a link that downloads account or sensitive personal information-grabbing malware or otherwise provides access to money or services using your information. Politicians simply want your vote.

Concern that hackers will compromise political campaign databases seems like a prudent response to the current information security landscape, yet disappointingly, at least for those of us in the data security community, the conversation between candidates about security has been largely focused on the “Great Wall of Mexico” and whether or not ISIS should be nuked.

Were a major campaign hack to go down, it would not only create a very unfortunate political situation, but also the information of millions of voters would be at risk for phishing attacks and identity theft. If one of these data-heavy campaign databases were to fall into the wrong hands, there is no end to the scams that creative, sophisticated and persistent fraudsters could pull off with it, or the havoc they might wreak.

The attacks could be based on a familiarity with the target and/or target group—phishing, spearphishing, picking purchases that go unnoticed, cooking up scams involving known networks of friends gleaned from voter data married to social networking accounts — but I digress.

The Solution

As things stand, there is no solution. Data breaches are the third certainty in life, right behind death and taxing presidential elections.

To be completely honest (isn’t that a refreshing concept in a presidential election?) in order to be almost cyber bulletproof, you would have to live in a log cabin on Loon Lake and never associate with anyone or anything. That said, there is a point in the drive to be careful with your information where you have to also live life.

Bottom line: As I mention in my book “Swiped: How To Protect Yourself In a World Filled With Scammers, Phishers and Identity Thieves” – practice the 3Ms: Do everything you can to minimize your risk of exposure, monitor aggressively so that you know as quickly as possible if you have a problem and have a plan to manage the damage. (You can check for signs of identity theft by viewing your free credit report summary each month on Credit.com.)

Don’t assume that your candidate of choice, no matter how much you think you can trust him or her, actually has your back. Frankly, in this decidedly insecure digital world, they don’t even have their own.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

The post Could Your Campaign Contribution Expose You to Identity Theft? appeared first on Credit.com.

The LinkedIn Password Breach Is Way Bigger Than We Thought: Here’s What You Need to Do

Quick, what was your LinkedIn password in 2012? OK, now think of every password you use for every service, and make sure that LinkedIn password isn’t reused anywhere.

If ever you needed a reminder not to reuse passwords, here it is. We knew that LinkedIn got hacked in 2012, but at the time we thought only 6.5 million passwords were stolen. Now, we’ve learned the real figure was more like 100 million-plus. That means your old LinkedIn password — and any derivations of it — should not be used anywhere else. You already knew that, but now you really know.

A security researcher found an ad yesterday posted by a hacker offering a list of 167 million LinkedIn passwords for sale for about $2,300. LinkedIn confirmed to Ars Technica on Wednesday that it knows an “additional set of data has just been released.” It’s working to invalidate any passwords on the list that might still be in use. Because of duplicates, etc., the real number is probably far less than 167 million, but it’s certainly much larger than 6.5 million.

Of course, LinkedIn can’t help with other services where you might re-use its password. And you probably forgot it anyway. (Sadly, computers never forget these things.) Even if you only signed up for LinkedIn once, back in 2012, and never used it again, the password you set at the time is now poisoned.

There is no need to panic. No doubt, whoever had this list had wrung all the value out before offering it for sale – probably many times over. If it were really a gold mine, it likely wouldn’t be for sale at $2,300. Most of the user/password combinations in there have no doubt already been tried at other websites.

Still, your job today is to think about all the critical sites you use — places where you keep and spend money (banks, Amazon) — and make sure those passwords are clever and fresh. Then let your mind wander to places where hackers might make bank by scrolling through your digital life: Hacking into your email account, for example, or even your Facebook account. Using your email, they could reset passwords at your bank. Using Facebook, they could trick friends into sending money — or just embarrass you.

Doing that kind of security inventory is a good exercise at any time. But today presents a great reminder.

“There needs to be a sense of heightened security every day when it comes to cyberattacks and thinking passwords could be stolen,” said John Peterson, Vice President of Enterprise Products at cybersecurity company Comodo. “Consumers, small businesses and large enterprises all need to understand that criminals have established, working organizations with paid hackers, spammers and phishing experts who think of ways to steal and leverage passwords, bank records, Social Security numbers, company trade secrets and data, and credit card and financial data every minute of every day.”

[Editor’s Note: Remember, if you have reason to believe you’ve been a victim of fraud, it’s crucial to check your credit. Specifically, you should keep an eye out for sudden drops in your credit score, mysterious accounts opened in your name and unknown addresses. You can check your credit by pulling your reports for free each year at AnnualCreditReport.com and viewing your scores, updated monthly, for free on Credit.com.]

The post The LinkedIn Password Breach Is Way Bigger Than We Thought: Here’s What You Need to Do appeared first on Credit.com.

Nearly All Data Breaches Happen in Minutes, Report Finds

Most data breaches happen fast — in a matter of minutes, according to a new Verizon report — but the impact on you and your credit report could make for a very long lasting financial headache.

Cybercriminals institute data breaches to steal your Social Security number, credit card number, bank account information and many other forms of personal financial information. And according to the latest Verizon 2016 Data Breach Investigations Report, these thieves still find success with phishing emails. Per the report, 30% of phishing messages were opened. This compares to the previous year figure of only 23%. Meanwhile, 13% of those clicked to open the malicious attachment or nefarious link.

Regardless of what method was used to compromise sensitive data, in 93% of cases, attackers were able to compromise systems in just a matter of minutes.

Verizon analyzed more than 2,260 confirmed data breaches and more than 100,000 reported security incidents, finding that 89% of all attacks involve financial motives while ransomware attacks were up 16% from 2015. Meanwhile, 63% of data breaches were thanks to weak or stolen passwords.

Also blamed for data breaches are ‘miscellaneous errors,’ which can include improper disposal of sensitive information, misconfiguration of IT systems, and lost and stolen devices, such as laptops and smartphones. These errors also include people mistakenly sending sensitive information to the wrong person, which accounts for 26% of these errors, Verizon found.

What Can You Do About It?

When your information is stolen, thieves will typically sell it — or use it for themselves — to open as many accounts as fast as they can in your name. Unfortunately, you may not find out about it until you’re applying for a mortgage, opening a line of credit or financing a car, when it’s already too late.

You can, however, take a few simple steps to help protect yourself from cybercrime. For starters, you can implement two-factor authentication for your applications and social networking sites, encrypt your data and limit who is authorized to access it. It is also helpful to be familiar with the signs your identity has been stolen or your credit information has been compromised.

Staying informed about your credit scores and individual credit accounts is also helpful in minimizing any damage done by data compromises. You can check your free annual credit report every year at AnnualCreditReport.com, and keep track of your credit scores by viewing your two free credit scores, updated monthly at Credit.com, to make sure there aren’t any fraudulent accounts on your file. You can also go here to learn what to do if you are a victim of identity theft.

The post Nearly All Data Breaches Happen in Minutes, Report Finds appeared first on Credit.com.

429 Million Identities Were Stolen in Data Breaches Last Year

Data breaches and other security crimes surged ahead in 2015, a new study found.

A total of 429 million identities were stolen last year as a result of data breaches, according to Symantec.

The security software company’s latest Internet Security Threat Report, released on April 12, notes that this is a 23% increase from the prior year.

There were also a record nine mega-breaches reported last year. Mega-breaches are defined as data breaches involving more than 10 million records.

Additionally, the report found that crypto-ransomware attacks increased by 35% last year. This type of attack involves using malicious software to encrypt a victim’s computer files and block the victim from accessing them until a ransom is paid.

Ransomware called “CryptoWall” even prompted the FBI to issue a public warning last year, calling it “the most current and significant ransomware threat targeting U.S. individuals and businesses.”

Symantec also reported that more than 75% of all legitimate websites have vulnerabilities that have yet to be patched. And 15% of legitimate sites’ vulnerabilities are considered critical, “which means it takes trivial effort for cybercriminals to gain access and manipulate these sites for their own purposes,” the report states.

Symantec, which is known for software like Norton Antivirus, offers consumers the following tips to protect themselves.

1. Use Strong Passwords

Use strong and unique passwords for your accounts. Change passwords every three months, and never reuse your passwords. Additionally, consider using a password manager to further protect your information. (Need password ideas? These are 25 passwords to immediately cross off the list of possibilities.)

2. Think Before You Click

Opening the wrong attachment can introduce malware to your system. Never view, open or copy email attachments unless you are expecting the email and trust the sender.

3. Be Wary of Scareware Tactics

Versions of software that claim to be free, cracked or pirated can expose you to malware. Social engineering and ransomware attacks will attempt to trick you into thinking your computer is infected and get you to buy useless software or pay money directly to have it removed.

4. Safeguard Your Personal Data

The information you share about yourself online puts you at risk for social engineered attacks. (You can read more about identity theft protection here.) Limit the amount of personal information you share on social networks and online, including login information, birth dates and pet names.

And, if you have reason to believe your personal information was compromised, you can keep an eye on your credit. A sudden drop in credit scores, for instance, is a sign your identity has been stolen. You can view your two credit scores for free each month on Credit.com.

The post 429 Million Identities Were Stolen in Data Breaches Last Year appeared first on Credit.com.