Yahoo breach: here’s what you need to do

As you’ve probably heard by now, Yahoo says it suffered a massive data breach that compromised 1bn accounts. The breach, dating back to 2013, is separate from another disclosed in September, in which 500m user accounts were hacked.

Compromised user information included names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password, according to The New York Times. Yahoo is now taking steps it declined to take previously – making affected users change their passwords and scrubbing unencrypted security questions.

Yahoo discovered the 2013 compromise after analyzing data files law enforcement provided after an unnamed third party claimed to be in possession of Yahoo information.

For users, the question now is what to do about it. Sophos senior security advisor John Shier outlined six steps you can take to protect yourself from this and all other data breaches:

  1. Consumers need to be aware of targeted phishing scams, a socially engineered attack that cybercriminals use to lure people into clicking malicious URLs with malware. This is extremely important, now that personally identifiable information (PII) is in the wild as a result of this breach.
  2. Change your Yahoo password and security questions immediately, especially if you use them on multiple accounts. As a rule of thumb, don’t use the same security questions and answers for all of your accounts.
  3. Make all new passwords different and difficult to guess. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  4. Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos How to Pick a Proper Password video for creating stronger passwords.
  5. Be careful with your security questions: information such as your mother’s real maiden name is easy to track down. You don’t have to give the actual answer to the question: “what’s your favorite food?” – you only have to give an answer that you will remember.
  6. Use two-factor authentication wherever possible: instructions for Yahoo users are here.

Though it’s unclear whether phishing played a part in enabling the 2013 Yahoo breach, the technique has been the starting point attackers used to breach other systems. Unfortunately, consumers remain easy prey when it comes to this type of scam.

In a recent Sophos survey of 1,250 consumers, nearly half of the respondents admitted they’re not familiar with phishing or perceive it as a low threat. More than 30% of those surveyed rated themselves as being extremely unprotected, unsure of being protected or completely unaware of phishing attacks.