My Yahoo account looks the same today as it did yesterday. But today it is broken, breached, vulnerable. A tiny notice tells me so as I sign in.
Mine appears to be one of the more than 500 million accounts raided during a cyber attack in 2014, just confirmed today by Yahoo.
Now, I know that what Yahoo describes as a “state-sponsored actor” has access to the junk ads and old e-mail messages I haven’t checked in years, since I moved on to other platforms.
Other users, to their amusement, are finding themselves in a similar spot.
“Yahoo hackers looked at my account and were like ‘This guy needs to empty his inbox,’ said Twitter user Carson Clark.
“That moment when you wonder… Did I have a Yahoo account and if so what the hell for?” said Twitter user Rudolf van der Berg.
There is a lot to snicker about. But the hack can also have serious consequences for you, and for Yahoo itself.
“This company, a once all-powerful search engine, has fallen harder than ever before,” said James McQuiggan, who works in information security for Siemens.
“Today, Yahoo has been put back into the spotlight as having the most and the highest,” he added. “Unfortunately it is not most website visits or the highest number of searches, but actually the most records of usernames, passwords, email addresses, telephone numbers and birthdays that have leaked due to data breach.”
What it means for you
If you have a Yahoo account, or if you use Flickr, Yahoo Finance, or Fantasy Football through Yahoo Sports, you’ll want to listen to this guy, Tim Erlin of cybersecurity company Tripwire.
“Those affected by the breach will need to take an immediate action to change any passwords that are the same as their Yahoo! account,” Erlin said.
Change your password and set up two-step verification, to make it harder for the bad guys to take over your account if they have your password, Yahoo advises.
The company said the breach happened in 2014, so they want you to change your password if you have not done so in the last two years. Some experts say you should change it anyway, even if you’ve set a new one recently.
Also, check your accounts for suspicious activity, Yahoo said.
Breach notice from Yahoo.
Why?
It’s not just that the attackers can take over your account and masquerade as you to get money out of you or people you know.
“It matters because far too often people reuse the same usernames and passwords,” said Dave Lewis, founder of Liquidmatrix Security Digest. “Attackers that can gather this sort of information can potentially gain access to other sites as a result and cause financial harm.”
Add to that security questions. People often give honest answers to their security questions—seems dishonorable to say your first pet Spanky’s name was “Vn$7GxL”—but security experts say that just gives hackers the opportunity to steal one set of security questions and use them to get into all of your accounts.
Yahoo wants you to now change your security questions, too. Experts say you should change the answers to random numbers and letters, and store that info in a password safe, along with your other password information.
Then what?
Now that your password is out there, the bad guys may set their sights on you as a target.
You may get sneaky e-mails using your information to try to trick you into clicking on attachments that will install malware on your computer, or into filing out your credit card numbers on a shady site.
“Consumers will also need to be vigilant about identity theft and phishing over the coming months,” said Erlin. “We may not see the full effects of this massive breach for more than a year.”
“The Yahoo! breach is a reminder that companies collecting personal information are at risk from attack, even if they don’t consider that information especially sensitive,” he added. “The more data you collect, the more attractive you are to attackers.”
Have you been hacked?
You can check to see if your e-mail account info has been stolen. McQuiggan recommended you try a site called www.haveibeenpwned.com. Enter your e-mail address and learn what the breach history is for the account.
Will you actually change your password and security questions?
“Hopefully with this breach, people are already taking the proper steps to protect themselves,” McQuiggan said.
What does it mean for Yahoo?
Discussion online shows some people already thought of Yahoo as a buzzless brand.
“Half a billion #Yahoo user accounts hacked!” wrote a Twitter user with the handle @hareeshtweets.”Surprising to know that it still has those many users.”
“It’s Yahoo mail, so at least we know this hack won’t impact anyone under 35,” said user Evil MoPac.
Some say the revelation of the breach could make things even more difficult for the company, especially after the announcement this summer that Verizon is buying Yahoo’s core Internet assets.
“With the recent purchase of the company by Verizon, this could be the poison apple that seals Yahoo’s fate within the mobile carrier, where people might turn away from Yahoo,” said McQuiggan.
Verizon might be able to take Yahoo to court to unwind the deal, arguing that “the event has caused irreparable harm to Yahoo in terms of customer trust and usage,” suggested Dan Primack in Forbes today. Or Verizon could threaten to do so, and get a better deal on the purchase.
On the other hand, breach fatigue could set in. For many, it already has.
“People are numb to data breaches,” said Lewis. “They will not be enthusiastic but, I doubt that there will be long term fall out in this case.”
Fallout
I’ve changed my Yahoo password. Added two-factor verification. Changed my security questions. Left the 2,000 pieces of junk mail intact for the state-sponsored attackers to review and delete. Here’s hoping they do.
And I’m ready to do it again, after the next big hack.
“Data breaches will continue until… well, continue,” said Lewis. “Defenders need to do a better job of tackling fundamental security and designing secure systems from the ground up.”
Until then, you may want to make sure you’ve watched this video on post-breach safety from the Federal Trade Commission, and followed these steps, as recommended by McQuiggan:
—Change your password today, even if you have changed it in the past two years.
—Set up two-step verification with your Yahoo account. Honestly, you should set it up on as many accounts as possible. This way if the username and password are entered, there is an additional verification code that is needed to access your accounts, which is sent to your mobile phone.
—Make sure you are not using the same password on Yahoo as you are other sites. If so, change the passwords as soon as possible!
—Take the time and use a password database management program, like PasswordSafe, 1Password or Dashlane.
—Be on the lookout for suspicious emails either from Yahoo, or other companies that might try to convince you they are real because they have your name, e-mail, birthday etc. Don’t click on any of the links, just delete the email.