The Yahoo! breach has been getting quite a lot of coverage in the press today so I thought I'd put together a quick bit of information for those who fear they may be affected.
What do we know?
So far we know that in late 2014 Yahoo was compromised and details on at least 500 million users was taken. That's at least half a billion users! This is the single largest breach of user data that's ever been recorded, in history. Probably not the kind of claim to fame that Yahoo wanted. You can read details on the official announcement from Bob Lord, CISO at Yahoo, right here, but there are a few key points I will pick out. The statement tells us that the information that was stolen may contain:
- Email address
- Telephone number
- Date of birth
- Hashed passwords
- Security questions and answers
The statement goes on to say that financial data resides on a different system and was not compromised, though that might not offer much comfort to those affected.
Why has it been 2 years?
Typically when a company is breached and data is stolen like this, if the breach goes unnoticed, they usually find out when the data goes up for sale on the dark web. In this case though Yahoo believe they were compromised by a state-sponsored actor, which changes the game a little. Instead of stealing the data and selling it for profit, like your average cyber criminal, a state-sponsored actor most likely has a very specific reason for wanting the data. This could be anything from trying to identify activists or dissidents by accessing email accounts or looking at the emails of influential or political figures. Whatever the reason, they surely wouldn't want knowledge of the attack to become public because users would then start to take the steps we're now taking to protect ourselves. They want it to remain secret which is why we haven't seen any mention or rumours about the breach until now. To that end it's worth pointing out that the breach was actually discovered by accident. Whilst investing an alleged breach from earlier last month in August, Yahoo actually came across evidence of the breach in the headlines today.
What should I do?
If you have a Yahoo account you need to login and change your password and possibly your security questions if they were compromised too. The process is pretty simple and painless.
It's also crucial that you change the password on any other service that you many have used it on. The last thing you want is an attacker being able to login to any of your other accounts. Sharing the same password across different websites is really bad for your online security so consider a password manager program like 1Password to help you. I'd also highly recommend that you setup 2FA or 2SV on any websites that support it. It's really easy to do and gives you a massive boost to your online security. You can read more in my blog Keep cyber criminals at bay, use 2FA!
The official announcement from Yahoo! link
The New York Times have a good bit of advice on further steps you can take. link