Yahoo Confirms Massive Data Breach: What You Need to Know

Yahoo confirmed a massive data breach Thursday that compromised an estimated 500 million users’ personal details.

The announcement follows a Yahoo investigation into claims that a hacker going by the name “Peace” was trying in early August to sell the usernames, passwords and dates of birth of Yahoo account users on the dark web.

The investigation found that “certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo said in a news release. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected, Yahoo said. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.

Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.

Keeping Your Information Safe

If you ever have reason to believe a password to any of your accounts has been compromised, it’s a good idea to change it immediately. And you’ll want to do that across any account that shares the same password (not a best practice, by the way) as the affected one since hackers who obtain one username and password may try to use it to gain access elsewhere.

Remember to keep passwords long and strong by using alphanumeric characters and phrases that can’t easily be guessed from your social media (like, say, your pet names). And if you ever have reason to believe your personal information was hacked, it’s a good idea to monitor your credit for signs of identity theft. You can view a free credit report summary, updated every 14 days, on Credit.com.

Image: Nicolas McComber

The post Yahoo Confirms Massive Data Breach: What You Need to Know appeared first on Credit.com.

Why Hillary Clinton’s Emails Matter This Year

There is no shortage of punditry about former Secretary of State Hillary Clinton’s homebrew server, and the resulting fallout, aka “Emailgate.” Whether you read the commentary dedicated to killing her candidacy, or calmer voices focused on the bigger picture of national cybersecurity, Secretary Clinton gets failing marks — and rightly so.

Unlike some of Secretary Clinton’s critics, I don’t believe that the email controversy is, first and foremost, proof of some deep character flaw that will spell the end of our great nation should she become our 45th president. To be fair, she was not the first Secretary of State (indeed the first public official) to engage in this risky behavior. Instead, I view it as the tragic manifestation of where we find ourselves as a nation when it comes to cybersecurity, and precisely why breaches have become the third certainty in life.

President Obama recently unveiled a $19 billion cybersecurity budget for the next fiscal year. This represents a 35% increase over the previous year. The White House blueprint is called the Cybersecurity National Action Plan (CNAP). Among many initiatives too numerous to detail here, the White House roadmap includes $3.1 billion for an Information Technology Modernization Fund — money specifically earmarked to provide a much-needed upgrade to the federal government’s woefully outdated legacy IT systems.

According to ABC News, the typical private server can cost anywhere between a few hundred dollars to several thousand. If you could choose between the government’s protections, however flawed, and a private server (and you were a world leader), which would you pick?

While the news media and pundits on both the left and the right have focused on the character issue — namely, Secretary Clinton wasn’t forthcoming about her rationale for opting not to use government systems (Was it a Nixonian desire to control and hide information or simply a matter of convenience?) — a larger, more important point went, shall we say, “misunderestimated.” Former President George W. Bush’s “new word” is precisely the right word choice here, because while it is forgivable — or at least to be expected — that a new threat may be underestimated at first (in this case the rise of hackers and mega data breaches), doing so creates vulnerability. Misunderestimation gets at the gooey center of the cybersecurity problems we now face — a lot of them springing from an “It Can’t Happen to Me” attitude. Of course, that is the very thing hackers need their targets to think. As long as the danger of attack is underestimated, the potential for expanding attackable surfaces causing critical exposure of information will remain unchecked.

A Teachable Moment?

There is no getting around a simpler, and at least on the surface, damning fact. A world leader maintained a private email server that stored top secret information. The revelation of this terrible state of cyber affairs in the State Department can only be viewed as an appalling oversight, betraying an imperfect understanding of the threats we currently face as a society. (You can see where all the presidential candidates stand on cybersecurity here.)

While no one is perfect, data security is an area that requires something verging on perfection. A homebrew server comes nowhere near that level of perfection. The fact that Secretary Clinton thought this was an acceptable practice suggests a very concerning interpretation of the cybersecurity problem, as well as an institutional issue, since there should have been a way to force protocol at the State Department.

Here’s the deal: We live in a world where the Office of Personnel Management was breached. We live in a world where the largest corporations in possession of sensitive records pertaining to tens of millions of individuals have been, and continue to be, hacked with more than a billion lives exposed to a host of bad guys in the process and untold amounts of money lost.

And it’s important to remember if you are a consumer, you need to minimize your risk of exposure and do whatever is necessary to detect victimization (for example, checking your credit regularly can be an initial indicator that something’s gone horribly wrong) and put a damage control program in place.

Having said all this, I’m not sure it means that Hillary Clinton would make a bad president. While Clinton’s mistake could be viewed as arrogant (at best) and de facto reckless, it is crucial for us to avoid finger-pointing at a time where virtually every digital mishap, data-security giveaway and metadata misfire should be looked at as being so many teachable moments.

The data insecurity quagmire is still in its Wild West infancy, and while it’s easy to throw stones in this glass house, it doesn’t serve to protect us from the dangers posed by hackers.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

Image: iStock

The post Why Hillary Clinton’s Emails Matter This Year appeared first on Credit.com.