What you should do if you were hit by the Yahoo hack
NEW YORK - The latest hack impacting more than one billion Yahoo accounts has users all over the world worried about how to protect their digital privacy.
News that the struggling internet company was breached back in 2013 — coming on top of a separate hack that exposed some 500 million Yahoo users — should serve as a reminder that everyone’s email and personal information is vulnerable to hacking.
“They got users’ names, birthdays, they got encrypted passwords — though the passwords may not have been encrypted with secure technology — and they got answers to security questions, so if you had a Yahoo account and you typed in your mother’s maiden name or the name of your first pet — all of that information was accessed by hackers,” NewYorker.com editor and CBS News contributor Nicholas Thompson said on “CBS This Morning.”
Safeguards you can take include creating strong passwords and changing them when you have to. Yes, all this is a pain, and it’s not your fault that the tech industry hasn’t been able to stem the rise in security breaches. But if you do nothing, you could be putting your personal or financial information — or even your identity — at risk.
Should I change my password?
It’s a good place to start. While some security experts argue that it’s more important to pick a complicated password than to change them frequently, if you haven’t changed your Yahoo password since 2013 do it now.
And even if you have changed your Yahoo password in the last three years, you might want to do it anyway. Breaches are often worse than they first appear. LinkedIn disclosed earlier this year that a 2012 breach affected 117 million accounts — not the 6.5 million previously thought.
What’s a good password?
The more complicated and lengthy a password is, the harder it will be for hackers to guess.
Don’t include your kids’ names, birthdays or references to any other personal details. Hackers routinely troll Facebook and Twitter for clues to passwords like these. Obvious and default passwords such as “Password123” are also bad, as are words commonly found in dictionaries, as these are used in programs hackers have to automate guesses.
Long and random combinations of letters, numbers and other characters work best.
Your password reset questions should be as unique as possible too, and don’t be tempted to recycle those either. This was some of the information stolen in the Yahoo hack. And with the help of social media, it’s not hard for hackers to find those little personal tidbits like what your mother’s maiden name is, or the name of your hometown.
Yahoo recommended that users who haven’t updated their passwords since 2014 do so now. These passwords were encrypted through a tool known as bcrypt.
Brett McDowell, executive director of the FIDO ALliance, a nonprofit that vets login systems, told CNET.com that this form of encryption is able to be burst through with enough persistence by hackers.
“Yahoo users with relatively weak or obvious passwords should take the recommended precautions,” he said.
Is it OK to reuse passwords?
No. Avoid using the same password for multiple sites, so that a break of your school’s PTA site wouldn’t lead hackers to your online banking account.
You can make things easier on yourself by using a password-manager service such as LastPass or DashLane. They remember complex passwords for you — but you have to trust them. Last year, LastPass disclosed “suspicious activity” and told users to change their master passwords.
Some web browsers such as Apple’s Safari and Google’s Chrome also have built-in password managers. They work if you switch devices but not if you switch browsers.
What more can I do?
Multi-factor identification — which asks users to enter a second form of identification, such as a code texted to their phone — will provide additional protections. It’s now commonplace for many email and social media accounts.
Even if hackers manage to get your password they would be unable to get in without the code texted to your phone.
Tech companies are also working on a number of futuristic solutions, including biometrics and photo-based “selfie passwords,” but it will take some time for them to be fully developed, tested and rolled out for widespread use.
Should some accounts be trashed?
Delete or deactivate accounts you no longer use. Has your Yahoo email account been filled with spam since before the invention of smartphones? Maybe it’s time to say goodbye.
Nicholas Thompson’s advice is straightforward: “Delete your account.” Thompson stressed that all of the reporting since the initial word of the hack has made it clear that Yahoo “de-prioritized security.”
“Security is expensive,” he said, taking critical aim at Yahoo. “It’s like putting bars on your windows. It costs money, and it makes the view a little less pretty.”
That goes for social media too — close down accounts you don’t use anymore (remember Myspace?). This often can be done through your account settings, as long as you still have your password to sign in.
What about social media security?
And while we’re on the subject of social media, make sure you restrict posts to just your actual friends. You can adjust that in the settings.
Some companies try to help their users with this. Facebook, for example, occasionally prompts its users to review who can see their personal information and how strong their security settings are.
Nonetheless, assume that everyone everywhere can see what you’re posting. That’ll keep hackers from harvesting those juicy details they can use to crack into your accounts.