Yahoo recently went public regarding “information associated with at least 500 million user accounts was stolen from its network in 2014 by what it believed was a “state-sponsored actor.” The data stolen may have included names, email addresses, telephone numbers, dates of birth, and hashed passwords (the vast majority with the relatively strong bcrypt algorithm) but may not have included unprotected passwords, payment card data or bank account information, the company reported at the time. Later on, Yahoo disclosed that more credentials were stolen and that more data (credit cards) was exfiltrated than was known at the time of the discovery.
Yahoo is working with law enforcement on the matter, and has launched an investigation into a possible breach in early August after a Russian hacker named “Peace” offered to sell a data dump of over 200 million Yahoo accounts on the darknet for a mere $1,800 which included usernames, easy-to-crack password hashes, dates of birth, and backup email addresses.
Why Should You Worry?
Well, if you change your password regularly (every month or so), and use difficult to guess passwords (ie. NOT “123456” or “password”, or even the ever-popular “abc123”), then you should be good initially (unless, of course, they have your credit card info, in which case you should cancel your cards immediately). However, the hackers aren’t quite done with you…
- Phishing attacks will likely be the number one strategy, with Yahoo user accounts being used for social engineering attacks. These are usually highly successful, and lucrative, for hackers.
- However, since many people use the same username & passwords across multiple sites, the other attack you have to watch for is “credential-stuffing”. This is a brute-force attack where attackers inject stolen usernames and passwords into a website until they find a match using the stolen Yahoo username and passwords.
- Yahoo has put a security announcement on their website, and has started to send users notices that they need to change their password. CyberCriminals were grateful, I’m sure, as they are going to spoof this and rake in the money. The emails being sent out look similar to below:
Subject: Your Yahoo account
The security of your Yahoo account, [Name], is important to us. Out of an abundance of caution, we are asking you to change your password. We are committed to protecting the security of our user’s information, and we take measures like this when appropriate in light of reported security issues or suspicious activity on an account.
We encourage you to take the following steps:
- Sign into your account and change your password:
2. Visit our Help Page for information on safeguarding your account:
Start using Yahoo Account Key and never get locked out from forgetting or losing your password. Yahoo Account Key is a convenient way to control access to your account, and it’s more secure than a traditional password because once you activate Account Key – even if someone gets access to your account info – they can’t sign in.
How To Protect Yourself:
- Do NOT click on any links contained within an email, even if the email looks legit. Type in the address yourself into your browser bar.
- Do NOT phone any phone numbers contained within an email. Look up the phone number yourself, directly on the company website.
- Do NOT use the same usernames and passwords on multiple accounts. Using the same password on multiple accounts is an invitation to get hacked. If you did use your Yahoo passwords on other sites, go to those sites, and change those passwords there too. Also change the security questions and make the answers non-obvious.
- Use a free password manager that can generate hard-t0-hack passwords, keep, and remember them for you.
- Watch out for phishing emails that relate to Yahoo in any way, especially if they ask you to click on links, or if they are asking for information.
- Now would be a good time to sign up for Yahoo Account Key – a simple authentication tool that eliminates the need to use a password altogether.