3 Things to Consider After the Latest Yahoo Breach

Here's how to protect yourself in the wake of Yahoo's latest data breach.

No payment card or banking information was compromised in the latest 1 billion-user breach at Yahoo, according to expert reports. But what if there had been? The truth is that for most users it would be annoying, but not the end of the world.

So, why is this big news?

First of all, Yahoo can now claim two of the biggest security breaches in history. It is noteworthy that such a distinction should be attributable to a single entity. The response to the latest breach news has been huge. Ask any three experts and you’ll probably get three different figures, but according to ZDNet, the number of users exposed in the two Yahoo breaches is nearly double the total number of records compromised between 2005 and 2013. (Yahoo did not immediately respond to Credit.com’s request for comment.)

The post-breach news commentaries have been many and various. There are some experts who advocate foregoing any digital connection to the security-challenged giant. Others predict that the latest bad news will negatively impact Yahoo’s sale to Verizon further, if not kill it. Within days of the breach, there were various articles advising how you could replace Yahoo services and delete your Yahoo account. That said, Yahoo is not the problem per se.

First of all, let’s be crystal clear: This latest news does not refer to the 500 million Yahoo users who were affected by the breach reported this September. While there may be some overlap, this is a different breach with different issues. It occurred way back in 2013, but that’s not really even the bad news here, though, yes, it is less than awesome that user information — including poorly encrypted security questions and passwords that could be used in an account takeover — has been out there for three years.

The bad news here is not limited to the fact that Yahoo didn’t know about this breach until law enforcement officials told the company that their stolen user data was offered for sale on the dark web. The bad news is not even, as PC World reported, that in a separate incident an intruder was able to crack Yahoo’s proprietary code and forge cookies, which would allow a hacker to get access to user information without a password. This last frightening bit of news seems to be related to the state-sponsored hack reported in September.

The bad news here is that this unsettling state of affairs — of having your information out there at the fingertips of bad players looking to make a quick buck — is not confined to Yahoo users. The real bad news is that we are all willing and/or unwitting conspirators in the exploitation of our own information, which has been sloshing around the hold of a virtual — and somewhat unmanned — freighter for years.

It Always Already Happened

There is, however, a bit of good news here. There are ways you can better protect yourself. All the subscriptions to identity theft monitoring cannot replace your active participation in your own defense. You are your best guardian.

Whether or not you choose to stay with Yahoo, it’s a good idea to change your behavior to stay safe, and that means changing your outlook and approach to the digital world. The main point is this: We are always about to “get got.” You don’t need breaking news coverage to know that you are exposed. With literally billions of compromised files floating around, you have to be exceedingly lucky not to be within easy reach of a sticky-fingered thief looking to make bank at your inconvenience.

While there is no way out of the information inferno we all inhabit, there is a way to live in it peaceably. I go into the details more thoroughly in my book, “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves,” but the basics of the practice I explain there can be summed up by three Ms: Minimize, Monitor and Manage.

Minimize Your Risk of Exposure: This can be anything from how you use the internet to what you choose to carry in your wallet. The goal is to decrease your attackable surface.

Monitor Your Identity: Get a free copy of your credit reports from each of the major credit reporting agencies at least once a year (some states permit more than one) at AnnualCreditReport.com. Consider subscribing to a credit and identity monitoring service. Set up transaction notices with your bank and credit card accounts, and pay attention. If you stay on top of things, you make it harder for crooks to get a foothold into your financial life. And if you have reason to believe you’ve been the victim of identity theft — unexplained accounts and mysterious addresses are two warning signs — don’t ignore it. You can view two of your free credit scores, updated every 14 days, on Credit.com.

Manage the Damage: Notify the authorities if you have become a victim. Get an identity theft incident report that you can use to straighten out your credit and identity issues. Check with your insurance agent, financial services rep or the human resources department where you work to see if they offer an identity theft protection services program and if you are enrolled. You may be pleasantly surprised to learn that they do and you are enrolled free, or can access it at a discount as a perk of your relationship. You may also want to consider freezing or placing a fraud alert on your credit as well, depending on what’s been compromised.

Never forget — the ultimate guardian of the consumer is the consumer, and no one has a bigger stake in protecting your economic security and well-being than you.

Image: sturti

The post 3 Things to Consider After the Latest Yahoo Breach appeared first on Credit.com.

5 Steps Yahoo Users Can Take to Protect Their Data

Sunnyvale, CA, USA - Apr. 23, 2016: Yahoo Inc. Headquarters. Yahoo Inc. is an American multinational technology company that is globally known for its Web portal, search engine Yahoo! Search, and related services.

More than 1 billion Yahoo customers may need to come up with some super creative new account passwords. The company revealed Wednesday 1 billion customers were impacted by a data breach in 2013, the largest known data breach in U.S. history.

In an email sent out to affected users, the company says it believes the breach began in August 2013. A third party stole data associated with users’ accounts, including passwords, contacts, birthdays, and answers to security questions. The FBI is helping to investigate the Yahoo breach, but the culprit has yet to be identified.

If you’re feeling some déjà vu, here’s why: just a few months ago, Yahoo went public about another hack, which impacted 500 million accounts in 2014. That appears to have been a separate attack entirely, meaning as many as 1.5 billion Yahoo users have been affected in total.

The company said customers’ payment information was likely unaffected, as that information wasn’t stored in the system that was breached. However, it also now believes the attacker found a way to forge their way into users’ accounts without a password.

If any of that banking information was in your emails, you may be vulnerable to identity theft, but you can take a few steps to protect yourself:

Here’s what you should do if you were impacted by the Yahoo data breach:

Change Your Password(s)

Yahoo is already requiring ‘affected’ users to change their passwords, but even if you haven’t yet received an email instructing you do so, you should change yours.

If you use similar passwords or security questions and answers for any other online accounts, you should go ahead and change all of those too. It may be a pain to do so, but it’s worth not leaving yourself vulnerable to identity fraud.

Check Your Yahoo Account for Suspicious Activity

Do a thorough review of your Yahoo accounts and look for anything suspicious, like emails you didn’t send or emails received from accounts that you may not recognize. Stay away from emails asking you to click on a link or download an attachment, as these could be phishing scams. Phishing scams gain access to your device or account to get additional information that can be used to access existing credit accounts or create new credit accounts. Finally, watch out for emails asking for your personal information or referring you to websites that ask for your personal information. If you see those kinds of emails, delete them immediately.

Set Up Two-Factor Authentication

This breach may be a great incentive for you to take a few minutes to set up two-factor authentication via Yahoo’s Account Key tool. You won’t need your password at all anymore if you set this up. The tool sends a notification to your cell phone asking you to authorize account access each time an attempt is made to log into your account.

Check Your Credit Report

It’s a good idea to check your credit report for any suspicious activity whenever you feel your personal information may have been vulnerable. Request your free credit reports from all three bureaus via annualcreditreport.com and look over them for any accounts you may not recognize. It may also be beneficial to you to set up alerts on your report so that you are notified and asked to authorize any requests for your report from lenders. You can find more information about how to do that here.

Close Your Yahoo Account

If two breach disclosures are your breaking point, you could terminate your relationship with the email service provider. All you’d need to do is visit Yahoo’s account termination page and follow the instructions. After Yahoo confirms your termination was successful, it’ll take about 90 days for your account data to be totally gone from the company’s system.

Backstory

There’s never a good time for a data breach, but Yahoo’s timing is especially unfortunate. The company is currently in the middle of a $4.83 billion acquisition deal with Verizon. However, as Bloomberg reported following the announcement, there may be some indication that this most recent announcement could delay the deal’s close or cancel it altogether. The recent disclosure might also lower Verizon’s asking price for the struggling email service provider.

Yahoo shares lost nearly 6% in afternoon trade Thursday on NASDAQ. Shares are currently trading at $38.80. Verizon stock is at $51.84, up 0.4% in afternoon trade on the NYSE.


The post 5 Steps Yahoo Users Can Take to Protect Their Data appeared first on MagnifyMoney.

6 Things You Should Do Immediately If You Have a Yahoo Account


Yahoo says 500 million user accounts have been compromised, and they are telling users to change their passwords. That’s good advice, and below you’ll find better advice from security firm Sophos.

But first: For the next several days, or even weeks, beware emails that appear to come from Yahoo. Now will be a great time for phishers to trick users into following alleged “change your password” links that actually lead to hacker-controlled sites.

Now, onto the better advice:

  1. Change your Yahoo password immediately.
  2. Reset this password, if you’re reusing it on other online sites. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  3. Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
  4. Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos Password Quick Tips guide for creating stronger passwords.
  5. Don’t trust password strength meters – these are unreliable and inaccurate.
  6. In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.

I disagree about using a new password for every site. I mean, it’s a lovely idea, but it’s just not realistic. Instead, I’m an advocate of having password families.

One simple password for throwaway accounts you don’t care about, like newsletters; one medium-hard password for sites that require a registration, but don’t involve money; and then one really strong password for financial accounts that you change on a regular basis.

For that tough password, use something clever, like the first letter of every word in a sentence. Like this: I Was Born on November 1 in North Dakota — IWBoN1iND (I wasn’t, by the way). Change a number to a symbol and you are in good shape, like IWBoN!iND.

Now, as for how often you should change your password — I asked a bunch of experts that question not long ago and got some interesting answers.

Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee (more about him)

I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. I think requiring people to regularly change their password is a bad idea. It encourages poor password choices (such as) passwordjan, passwordfeb, etc.

Mikko Hypponen – Chief Research Officer, F-Secure (more about him)

Depends. For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never. As always, it’s about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.

James Lyne, Global Head of Security Research at Sophos, speaking specifically about corporate passwords (More about him)

The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.

There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement, which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism, using a significantly longer, complex and hard-to-guess password is often a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.

Password managers help you generate long and complex passwords that will be hard to crack even if lost. That said, if you go this far and implement a manager you may as well rotate your passwords once in a while, as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly). Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.
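The storage-mechanism point above (a fast unsalted SHA-1 table versus a salted, deliberately slow scheme such as bcrypt) is easiest to see in code. This is an added example and not Sophos's or Yahoo's code; it uses standard-library PBKDF2-HMAC as the slow KDF, an assumed work factor of 200,000 rounds, and a constructed sample user table:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor; raise it as hardware gets faster.
PBKDF2_ROUNDS = 200_000


def store_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Identical passwords give
    identical digests, so cracking one digest unlocks every user who
    chose that password, and a leaked table is attacked at hardware speed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Stronger scheme: per-user random salt plus an iterated KDF.
    Stored form is 'pbkdf2_sha256$rounds$salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def users_exposed_by_one_crack(users: dict, store) -> int:
    """Count users whose stored value collides with another user's, i.e.
    how many accounts a single cracked digest would open under `store`."""
    table = {}
    for name, pw in users.items():
        table.setdefault(store(pw), []).append(name)
    return sum(len(v) for v in table.values() if len(v) > 1)


if __name__ == "__main__":
    # Constructed sample: three users picked the same weak password.
    sample = {"alice": "Summer2013!", "bob": "Summer2013!",
              "carol": "Summer2013!", "dave": "a long and distinct passphrase"}
    print("exposed via unsalted SHA-1:", users_exposed_by_one_crack(sample, store_sha1))
    print("exposed via salted PBKDF2 :", users_exposed_by_one_crack(sample, store_pbkdf2))
    record = store_pbkdf2("Summer2013!")
    print("verify correct:", verify_pbkdf2("Summer2013!", record))
    print("verify wrong  :", verify_pbkdf2("summer2013!", record))
```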

Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines (more about him)

This is not (an easy question) … because also changing the password too often can become a security risk.

It greatly depends. Passwords I use more often, over the internet and on sensitive sites, are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in a more secure environment, and those I change once a year, or not even then.

Chester Wisniewski and Paul Ducklin, senior security advisors at Sophos. (More about Chester and Paul)

The answer, loosely, is this.

Change a password if any one of these is true:

  1. You suspect (or know) it has been compromised.
  2. You feel like changing it.
  3. You have been re-using passwords and have decided to mend your ways.

We explain better in the podcast “busting password myths,” I think.

The podcast is 15 minutes, however, the first two minutes address this very question and may be worth your time.


The post 6 Things You Should Do Immediately If You Have a Yahoo Account appeared first on MagnifyMoney.

Yahoo Confirms Massive Data Breach: What You Need to Know


Yahoo confirmed a massive data breach Thursday that compromised an estimated 500 million users’ personal details.

The announcement follows a Yahoo investigation into claims that a hacker going by the name “Peace” was trying in early August to sell the usernames, passwords and dates of birth of Yahoo account users on the dark web.

The investigation found that “certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo said in a news release. “The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected, Yahoo said. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.

Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.

Keeping Your Information Safe

If you ever have reason to believe a password to any of your accounts has been compromised, it’s a good idea to change it immediately. And you’ll want to do that across any account that shares the same password (not a best practice, by the way) as the affected one since hackers who obtain one username and password may try to use it to gain access elsewhere.

Remember to keep passwords long and strong by using alphanumeric characters and phrases that can’t easily be guessed via social media (like, say, your pets’ names). And, if you ever have reason to believe your personal information was hacked, it’s a good idea to monitor your credit for signs of identity theft. You can view a free credit report summary, updated every 14 days, on Credit.com.

Image: Nicolas McComber

The post Yahoo Confirms Massive Data Breach: What You Need to Know appeared first on Credit.com.