Here's what you should know, and do, about the Yahoo breach

The huge data breach serves as a reminder of some basic security tips

Yahoo's announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale -- it's the largest data breach ever -- and the potential security implications for users.

That's because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users' online lives.

Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.

An email compromise is one of the worst data breaches that a person could experience online, so here's what you should know:

Fifty shades of hashing

Yahoo said that the "vast majority" of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation -- this is called a hash.

Hashes are not supposed to be reversible, so they're a good way to store passwords. You take input, such as a password, pass it through a hashing algorithm and compare it to a previously stored hash.

This provides a way to verify passwords at log-in time without actually storing them in plain text in the database. But not all hashing algorithms offer equal protection against password cracking attacks that attempt to guess which plaintext password generated a specific hash.

Unlike the ageing MD5, which is quite easy to crack if implemented without additional security measures, bcrypt is considered a much stronger algorithm. This means that in theory, the likelihood of hackers cracking "the vast majority" of Yahoo passwords is very low.

But here's the problem: Yahoo's wording suggests that most, but not all passwords were hashed with bcrypt. We don't know how many passwords were hashed with another algorithm, or which one it was.

The fact that this hasn't been specified in Yahoo's announcement or FAQ page suggests that it's an algorithm that's weaker than bcrypt and that the company didn't want to give away that information to attackers.

In conclusion, there's no way to tell if your account was among those whose passwords were hashed with bcrypt or not, so the safest option at this point is to consider your email compromised and to do as much as damage control as possible.

Don't keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails.

These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won't ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address.

If you're among the people who don't delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so and even go back to clean your mailbox of such communications.

Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies.

There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don't provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as answer. In fact, Yahoo doesn't even recommend using security questions anymore, so you can go into your account's security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those "set it and forget it" features. The option is buried somewhere in the email account settings that you never check and if it's turned on there's little to no indication that it's active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices and IP addresses.

Two-factor authentication everywhere

Turn on two-factor authentication -- this is sometimes called two-step verification -- for any account that supports it. This will prompt the online service to ask for a one-time-use code sent via text message or generated by a smartphone app, in addition to the regular password, when you try to access the account from a new device.

It's an important security feature that could keep your account secure even if hackers steal your password. And Yahoo offers it, so take advantage of it.

Don't reuse passwords; just don't

There are many secure password management solutions available today that work across different platforms. There's really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incident.

These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed as security tools, can direct users to websites that ask them for additional information under the guise of "verifying" their accounts and so on.

Be on the lookout for such emails and make sure that any instructions that you decide to follow in response to a security incident came from the affected service provider or a trusted source.

Join the CSO newsletter!

Error: Please check your email address.

Tags Yahoo

More about Yahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place