Yahoo’s hacking sequel is even worse than the original
I remember the day when I decided that me and my Yahoo Mail account should start seeing other people. Although it turned out that due to lousy security, said email account had already been doing just that.
On my way into work some years ago, I got a bounce-back from a spam email I didn’t send. Then another. Then another. I logged in to try to figure out what happened, and after changing my password, checked the login history. Yahoo, it turned out, had been dutifully noting login locations every 15 minutes:
8:45 – London
9:00 – London
9:15 – Warsaw
9:30 – London
The fact that it had been diligently tracking this information, but saw nothing suspicious in me completing a 2,024-mile round trip in half an hour was what made me decide enough was enough.
So it wasn’t hugely surprising to me to find Yahoo’s latest press release telling users to change their passwords yet again, as the site has managed to lose the account data of one BILLION users. If that story sounds familiar, it might be because we reported a similar-sounding breach back in September. At just 500 million accounts, that one looks positively small potatoes compared to this latest misstep, as shown by the graph below via our friends at Statista.
These are two distinct hacks. The company initially believed them to be part of the same breach, but that’s no longer its working theory. As a result, the company believes that affected accounts – all ONE BILLION of them – may have leaked “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers”. On the bright(er) side, the company is pretty confident that financial records were not affected, because that data lives in a different place to the crime scene.
In theory, Yahoo should be in the process of selling up to Verizon, but this latest hack puts that in doubt again. In a recent SEC filing, Verizon suggested that the merger could be delayed, altered or cancelled outright “as a result of facts relating to the Security Incident”. That’s the last hack. Not the bigger, badder sequel.
So next time you log in to your Yahoo account, you’ll be prompted to change your password. Again. The company also offers some friendly advice:
- Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
- Review all of your accounts for suspicious activity;
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
- Avoid clicking on links or downloading attachments from suspicious emails; and
- Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
Notable by its absence is “consider an alternative to Yahoo”, but have that extra one as a freebie from me to you.