This week Yahoo confirmed that it had been the subject of a hack which had resulted in 500 million user accounts ending up in the hands of someone who wasn’t supposed to have them. Even more intriguing, that person or entity was reported as being ‘state-sponsored’. This means the attacker was acting on the political, commercial or military interests of its country of origin, as opposed to cyber criminals looking to sell or otherwise profit from the information.
The breach has actually been traced back to 2 years ago, which makes people scratch their heads as to why it took so long before Yahoo confessed to it. It’s more likely that their systems didn’t detect that it had even happened, not that Yahoo knew and didn’t tell us.
If you’re wondering how 500 million people are still using Yahoo in 2016, the service also provides the login mechanism for services like Yahoo Groups and photo sharing site Flickr. I’ve had my own Yahoo account for a number of years but I have no idea of the last time I actually used it.
The immediate response to a security breach like this is to change your password immediately, even though this is a 2 year old breach. More of a concern is that the stolen data also includes ‘personally identifiable information’, like names, email addresses, telephone numbers and dates of birth, which can be used by hackers to pretend to be you (known as identity theft). In this security conscious age, providing someone with that kind of information is still seen as a good way to prove who you are, to give you more access to information or services. And it’s kind of impossible to change your date of birth.
Our top tip for how to protect yourself online is to shift your focus to the other services you use that haven’t been compromised. How many other online accounts also have your personal information and how are you protecting them?
The standard security tips are:
• Use a complex password or ‘passphrase’.
• Don’t use the same password for different online services.
• Enable ‘two factor authentication’, where an additional confirmation is needed as well as your password (eg an SMS code or a unique code generated by an authenticator app).
• Use a separate email account for subscriptions and online accounts that does not contain an address book or emails with family, friends & co-workers.
And while this will help prevent someone logging on as you, if they have breached the service they may be able to obtain your personal information anyway.
Yes, online it’s perfectly ok to not tell the truth.
We first heard this approach from a senior security expert at Microsoft who said it was the best piece of advice that I.T. professionals could give their friends and family. Create an online persona, one that doesn’t contain your real information, for all of the services that want your details.
It’s ok to pretend to be a 23 year old male from Alice Springs (unless of course you are a 23 year old male from Alice Springs). But it’s handy to keep your address details in the same country, as some services use this to tailor services or recommendations, and you can change to your real address if you ever need anything shipped.
If you spend some time locking down your online accounts now, you’ll be less concerned when the next security breach is announced.
We can also highly recommend that you sign up to the free service offered by security expert Troy Hunt. Troy’s Have I been pwned? website will notify you if your email address is included in a security breach. While you are there, consider helping Troy out with the running costs of this service by making a donation.