What the New Yahoo Breach Numbers Mean for You

Earlier this week, Yahoo announced that the data breach it reported last year did not affect the 200+ million users originally estimated. The revised figure is up to three billion accounts, which is essentially Yahoo's entire user base. What does this news change? How does it affect you? What should you do now? Let's walk through the answers to those questions.

What changed: In July 2016, Yahoo officially released information about a data breach that it believed involved the personal information of 200 to 400 million users or more. This week it told the world that the original estimate was wrong: up to three billion accounts were in the data files the attackers stole, which means nearly everyone who has ever used a Yahoo service is affected.

How does it impact you?

The data stolen includes (but isn’t limited to):

  • Usernames
  • Names
  • Email addresses
  • Physical addresses
  • Birth dates
  • Account security questions and your answers to them
  • Any other information you gave Yahoo in your profile on any of their sites
  • Passwords, which were stored as hashes rather than in plain text; a hash cannot simply be "decrypted", but a weak hashing scheme can be cracked offline by guessing, and a large share of these reportedly have been

What this means for the average user is that the attackers probably have your password, and they certainly have everything they need to get into your account. Even if your hash has not been cracked yet (many already have), an attacker can use the remaining information to impersonate you, request a password reset from Yahoo, and gain access to your Yahoo account and anything tied to it.

Also, since the passwords for many accounts have already been recovered in plain text (200 million known to be circulating so far), attackers can log straight into any site where you used the same username-and-password or email-and-password combination, with no password-reset trickery required. This is credential stuffing: the stolen list is replayed against other services automatically, and every reused password is a hit.
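Why "encrypted" passwords end up in plain text, as an added example that is not part of the original article: Yahoo's 2013 account records held unsalted MD5 password hashes. The script below, built on constructed sample users, passwords and a toy wordlist (none of it real breach data), shows the attacker's side of that. One precomputed lookup table cracks every user in an unsalted dump at once and exposes who shares a password, while the same wordlist against salted PBKDF2 hashes costs a full key derivation per user per guess. The email addresses, passwords and the iteration count are illustrative assumptions.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed demo data: made-up users and passwords, not breach data.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice@example.com": "sunshine1",
    "bob@example.com": "letmein",
    "carol@example.com": "sunshine1",      # reuses alice's password
    "dave@example.com": "Tr0ub4dor&3!xq",  # not in the wordlist
}

# What the stolen file looks like when the site stored unsalted MD5,
# the scheme Yahoo used for the 2013 account records.
LEAKED_UNSALTED: Dict[str, str] = {
    email: hashlib.md5(pw.encode()).hexdigest() for email, pw in SAMPLE_PASSWORDS.items()
}

# Toy wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "sunshine1"]

# Illustrative iteration count so the demo runs in about a second;
# production deployments use several hundred thousand for PBKDF2-SHA256.
DEMO_ITERATIONS = 20_000


def crack_unsalted_md5(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Crack an unsalted dump with a precomputed lookup table.

    Each candidate is hashed once and matched against every user at
    dictionary-lookup speed, which is why unsalted MD5 dumps fall in bulk.
    Returns ({email: recovered password}, number of hash operations).
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump.items() if h in table}
    return cracked, len(wordlist)


def same_password_groups(dump: Dict[str, str]) -> Dict[str, List[str]]:
    """Unsalted hashing leaks password reuse before any cracking happens:
    identical passwords give identical hashes, so cracking one user
    cracks everyone in the group."""
    groups: Dict[str, List[str]] = {}
    for email, h in dump.items():
        groups.setdefault(h, []).append(email)
    return {h: users for h, users in groups.items() if len(users) > 1}


def store_pbkdf2(password: str, iterations: int) -> Tuple[bytes, bytes]:
    """How a site should store a password: a random per-user salt and a
    deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the stdlib)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


# The same users stored the right way.
SALTED_RECORDS: Dict[str, Tuple[bytes, bytes]] = {
    email: store_pbkdf2(pw, DEMO_ITERATIONS) for email, pw in SAMPLE_PASSWORDS.items()
}


def crack_salted(records: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                 iterations: int) -> Tuple[Dict[str, str], int]:
    """Same wordlist against salted, iterated hashes. No shared table is
    possible because every user has a different salt, so the attacker pays
    `iterations` hash operations for every (user, candidate) pair tried.
    Returns ({email: recovered password}, number of hash operations)."""
    cracked: Dict[str, str] = {}
    work = 0
    for email, (salt, digest) in records.items():
        for candidate in wordlist:
            work += iterations
            if hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations) == digest:
                cracked[email] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    weak, weak_work = crack_unsalted_md5(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted MD5: cracked {len(weak)}/{len(LEAKED_UNSALTED)} users with {weak_work} hash operations")
    print("users sharing a password:", list(same_password_groups(LEAKED_UNSALTED).values()))
    strong, strong_work = crack_salted(SALTED_RECORDS, WORDLIST, DEMO_ITERATIONS)
    print(f"salted PBKDF2: cracked {len(strong)}/{len(SALTED_RECORDS)} users with {strong_work} hash operations")
```

Both runs recover the same three weak passwords; the salted, iterated scheme raises the attacker's cost by a factor of (users × iterations) but does not rescue "letmein". That is the practical point of the advice that follows: a slow hash buys the site time, and only a unique, non-guessable password per site keeps one breach from becoming many.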

Because they have your name, username, email address, and security questions and answers, someone can impersonate you and get multi-factor authentication disabled on your Yahoo account. Essentially, they call support, tell the representative they have lost their phone or changed their number, answer the security questions, confirm your home address, and get MFA removed or moved to a phone they control. Any account-recovery path that relies on knowledge-based answers is only as strong as the secrecy of those answers, and this breach has removed that secrecy.

What you should do now

If you have ever used a Yahoo service that required you to log in, do the following immediately:

  1. Change your password on Yahoo and on ALL sites where you used the same email address or username and password as your Yahoo account. Choose new security questions and answers as well, so that an attacker can't use the leaked ones to talk their way past account recovery. Treat the answers as passwords: use random strings rather than true facts, and keep them in your password manager, since the true answers are now in the attackers' hands.
  2. Use a password manager to keep track of login information, so you can avoid using "Log in with Yahoo", Facebook or similar shared logins. Instead, set up an individual account with a unique password for each site and let the password manager remember them, so you aren't reusing them or writing them down.

Step 1 ensures that if an attacker does get your credentials from this breach, they cannot use them on any other site. Step 2 limits the damage when another site or service suffers a breach like this in future: a unique password per site means one leaked credential opens one account, not all of them.

While you cannot stop this kind of attack from happening (unless you work in Yahoo's security division), taking these steps can lock an attacker out of your accounts on Yahoo and other sites.

Finally, after every major breach like this, scammers blast out emails and phone calls to trick people, breached or not, into handing over sensitive information. Don't click links in emails that look like they come from Yahoo, and don't give control of your computer to a caller. Instead, if you think the email might be legitimate, go to Yahoo manually in your web browser and find the information you need in your profile.

Stay safe, stay sane, and start now to protect your online identity from being compromised because one site let your information get away.

This article originally appeared on October 5, 2017 in betanews
