Yesterday, Yahoo! announced that at least 500 million accounts have been breached. This means that information you gave Yahoo! may be in the hands of hackers, but it could also mean a lot more. The New York Times has an excellent interactive tool today that demonstrates how much of your information may have leaked, not just from Yahoo! but from other breaches.
Not only should people change their Yahoo! passwords, but it is also important for people to review all passwords and information shared with Yahoo! In particular:
- Many people use the same password across multiple accounts. If you did this, you should change passwords on all systems where that password was used. When you do, you should see to it that no passwords are shared between two systems.
- Hackers are smart. If you only tweak the same password just a little bit for use on multiple systems, a determined hacker or more likely a determined script may well break into other accounts. For example, if your Yahoo! password was DogCatY! and your E-Bay Password were DogCatEBay, you should assume the E-Bay account is broken as well.
- This means you should keep a secure record of what passwords are used where, for just this sort of eventuality. By “secure” I mean encrypted and local. Having two pristine USB keys (one for backup) is ideal, where the contents are encrypted at the application layer. I also make use of Firefox’s password manager. That in itself is a risk, because if Firefox is hacked your passwords may be gone as well.
- Unfortunately passwords may not be the only information hackers have. Yahoo! has previously made use of so-called “backup security questions”. Not only is it important to disable those questions, but it is important to first review them to see where else you may have used them. Security questions are a horrible idea for many reasons: they may reveal private aspects of your life, much of which might be discovered anyway. Sites like United Airlines recently implemented security questions. My recommendation: choose random answers and record them in a secure place that is separate from your passwords.
- It is possible that hackers may have read any email you received on Yahoo! In particular, one should review any financial accounts where information is transmitted to Yahoo!
- Use of cloud-based storage as a backup for your passwords should be viewed with great suspicion. There have been a number of such tools that themselves have been found to be vulnerable.
- Hackers may have your cell phone number, for those who use SMS as secondary authentication. While SMS is not secure communication, the chances of it being hacked are relatively low. The safest practice is not to rely solely on SMS for authentication. My bank uses both a secret and an SMS message, relying on the tried and true two-factor authentication approach of something you have and something you know. A better solution is a secret and an app with a secure push notification. This is what MasterCard has done in Europe.
These suggestions are good for the sort of mass breach that we are seeing with Yahoo! In addition, one has to be careful with the amount of trust placed in a cell phone. If the phone is lost, you should assume that hackers will be able to get into it. Keeping a record of the applications you use, particularly those that have financial or security implications, will help you recover from the loss.
These suggestions are written with the notion that Yahoo! is not going to be the only site that will have had this problem. Although not to this scale, we’ve seen this sort of thing before, and we will see it again. I’ll have more to say about this from an industry perspective in a while.