HONG KONG — Yahoo has announced another huge security breach, leaving its users fretting once again about their personal information.
The latest data theft affected more than one billion accounts, Yahoo says. That’s roughly double the number involved in the cybersecurity incident it announced in September, which is believed to be separate.
“Yahoo has now won the gold medal and the silver medal for the worst hacks in history,” said Hemu Nigam, CEO of online security consultancy SSP Blue.
The embattled tech company said it’s notifying users who may have been affected by the breach and making them change their passwords. The problem is it happened all the way back in August 2013.
That means whoever plundered the information has had more than three years to exploit it, security experts say.
But there are still several ways to make your information more secure.
Use different passwords for all online accounts
People who create a really strong password for one site but then use it across others are vulnerable to attacks, said Shuman Ghosemajumder, chief technology officer of Shape Security.
Having your credentials stolen “is a matter of the lowest common denominator, the site with the least security,” he said.
Hackers obtained more than just names and passwords in the Yahoo breach — they also nabbed answers to security questions. Cybercriminals can use that info to conduct automated attacks called “credential stuffing.”
That’s when hackers take the stolen information of millions of users and build a program that tries to log in to other online accounts like banking, retail and airline rewards.
Yahoo is advising people to change the passwords and security answers on any other accounts for which they used the same or similar information as their Yahoo account.
Since strong, unique passwords are a huge pain to memorize, Ghosemajumder recommends using a password manager. Platforms like 1Password or LastPass generate and store passwords and security answers for every account you have, so you only have to remember a single master password.
Beware of emails asking for more information
Hackers can use stolen credentials to craft emails that have the veneer of legitimacy, according to Nigam.
Such emails might disclose the answer you gave to a security question, for example, and then ask if it’s still up to date and request more information.
“Criminals will give you information to gain your trust, and victimize you further,” he said.
Be extra cautious about clicking on links or opening downloads from unknown email addresses.
Never share any account information or passwords over email.
Block access to your credit report
Nigam recommends that you put “a freeze on your credit report and use a company that monitors your credit for you.”
Hackers who have valuable credentials will often try to open a credit card in your name.
When that happens, the first thing a bank will do is run a credit check. If you’ve put a freeze on your credit report, you will be alerted that an institution is trying to run a check and can flag that you didn’t request it.
“I would strongly recommend it, even if you don’t have a Yahoo account,” Nigam said.
It’s not all on you
Companies need to step up security measures to protect themselves not only against hacking, but also against the aftereffects of hacking like credential stuffing attacks, according to Ghosemajumder.
“The trust that your users have in you is directly tied to the level of security they expect,” he said.
But what about closing accounts? After two major breaches, is it time to say goodbye to Yahoo?
“If you don’t have confidence [in Yahoo] in the future, that’s a personal decision people need to make,” Ghosemajumder said, noting that Yahoo has a large security team and has invested heavily in security.
“But I think this is a severe setback for them and the entire company,” he added.