Breached Security, Breached Trust: Yahoo’s Leak And What It Means For You
More than 500 million Yahoo accounts have been compromised in the latest breach. The security breach was limited to username and password information for Yahoo’s various sites, including webmail, news and fantasy sports services. No financial information is believed to be included in the stolen data, but there’s reason to be concerned!
The stolen data
This breach was discovered after FBI officials detected hackers attempting to sell the personal information of Yahoo users. There are many reasons thieves are interested in this information.
First, stealing an email account can be a first step to identity theft. By taking command of an email address, a thief can access password retrieval services at websites linked to that email. A hacker could gain access to a Yahoo account and then use password retrieval to gain access to online shopping, banking and even employment or government accounts.
Second, thieves use what’s called “credential stuffing.” Many people recycle username and password combinations across several services. Thieves take advantage of this by trying stolen usernames and passwords at other common sites. This strategy works, on average, for about 0.5% of stolen information.
Sorting through a breach of this size takes a lot of time and energy. Assume that all Yahoo login information was stolen. If you do use or have used a Yahoo site for any services, assume it’s compromised. Fortunately, two of Yahoo’s most popular platforms, Tumblr and Flickr, were unaffected by the breach.
Steps you should take
1. Change passwords!
For high-security accounts, like your primary email address, credit cards, brokerages and online banking, change passwords every 6 months. If you have a Yahoo account, and you use your Yahoo password at other sites, change them all.
If you use a Yahoo account to access your finances, consider changing the email address connected to those accounts, as well. The service provider may have been negligent in protecting information in this instance, and there is no telling what other security vulnerabilities still exist in their systems. While it may be a hassle to change accounts, it may be worth it for peace of mind.
2. Change security questions!
Questions used in the password reset process may have been compromised, too. If you use the same information to secure multiple accounts, that data could also be at risk. Wherever possible, switch to a two-step authentication method. Use your cellphone number as a backup password option. If you try to reset your password, the service will call or text you with a code to use as a verification method. It puts another step between potential thieves and your information.
3. Check your credit!
This information has been leaking since 2014, so it’s possible you could already be a victim of identity theft. Getting a credit report will let you know if any new accounts have been opened using your personal information. Similarly, this might be a good time to consider a credit monitoring service. Such services keep an eye on your credit periodically, and can help protect against identity theft.