Yahoo Data Breach Affects Estimated 500 Million Users

The latest resounding nationwide data breach has affected one of the largest search engines in the world: Yahoo!

It has been determined that more than 500 million Yahoo accounts were compromised in 2014. There is speculation that email addresses, names, telephone numbers, dates of birth, and potentially both encrypted and unencrypted security questions and answers were all compromised.

Additional assumptions have been made that the breach was a state-sponsored attack, meaning that government officials of an as-yet-unidentified country were either involved in or informed about the scheme before the initial breach took place.

This is estimated to be one of the largest data breaches to hit a single company in terms of the number of user accounts affected. Yahoo has an estimated monthly user base of nearly 1 billion and is currently in the process of being bought out by phone carrier juggernaut Verizon for a sum that nears $5 billion. At this time, it’s unclear whether the newly identified breach will affect Yahoo’s deal with Verizon.

The public disclosure of this data breach comes months after the initial discovery that hacked Yahoo data was being sold online for Bitcoin by a Russian hacker. A second hacker followed suit in August, selling large chunks of Yahoo user data on various hacker websites.

Yahoo determined that a data breach had indeed taken place two years after the fact, which is an unusually long time between breach and discovery. This timeline is a serious concern for users and is far longer than the 191 days that the Ponemon Institute has reported as the average detection period.

What’s next for Yahoo! users?

So, you have a Yahoo account and you’ve just received the emailed instruction advising you to change your password and security questions/answers… now what?

The steps for remaining protected online are rather simple, but do require a certain level of attention and vigilance. All users need to be proactive, not reactive.

  1. Create a brand new password for your Yahoo account; this means actually creating something that has never been used on any other account, on any other internet site. Check out other password security tips here!
  2. Change the security questions & answers, and again, choose a topic that hasn’t been used on any other internet account that you may have set up. Enable two-factor authentication, so that your account requires multiple mediums for it to be accessed.
  3. Be wary of all incoming emails, especially those marked as official Yahoo! emails, as hackers will attempt to use your account information to their advantage. Never click on links that request password or personal information changes.
  4. Monitor all of your other private accounts. This breach took place two years ago, so if the compromised information (email / passwords / security questions) is similar to what you use for your other accounts, hackers may attempt to gain access to more coveted, and profitable, accounts (banking / retail).
  5. Change your passwords on a regular basis. You shouldn’t be reduced to changing your passwords only when the next major data breach affects your account. Think of your accounts & passwords as revolving doors; change them every 30–60 days to ensure that the doors keep turning.
  6. Web security expert Troy Hunt has launched a data breach identification site that allows you to check your various email addresses to see if they’ve been breached. Check out HaveIBeenPwned? to check your personal accounts.

In addition to the steps above, make sure you’re never sending sensitive or confidential information across standard email accounts. All personally identifiable information (PII) needs to be secured and encrypted before being sent to another email account. Think of your personal information as the gateway to your life savings; start protecting it before there’s nothing left to protect.

Also, check out my steps for better understanding email scams and account compromises, and for learning how to tell a scam from a legitimate source.

Peter J. Schaub

CEO & President of NeoCertified

Sources: NY Times | USA Today