Three months after setting a record for the largest data breach to date, Yahoo breaks its own record by announcing that 1 billion accounts were compromised in a separate incident that took place three years earlier.
On September 22, 2016, Yahoo warned that a 2014 security breach in its network compromised the login credentials of 500 million account holders. The company now claims to have uncovered a separate incident which not only affects twice as many people but occurred in August 2013, meaning it took twice as long to inform the public.
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than 1 billion user accounts,” Yahoo’s Chief Information Security Officer Bob Lord said in a statement published on Wednesday. “We have not been able to identify the intrusion associated with this theft.”
It’s unclear who’s responsible for the attack, but Yahoo suspects it may be the work of state-sponsored hackers, just like the 2014 hack.
As far as good news is concerned, payment information and plain-text passwords were not obtained in the breach. The bad news is that the user account information stolen from potentially affected accounts includes names, telephone numbers, dates of birth, and passwords hashed with MD5, along with encrypted or unencrypted security questions and answers.
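MD5 is a fast, general-purpose digest, not a password hash: without a salt, every user with the same password gets the same hash, and a table of digests for common passwords can be computed once and reused against an entire leaked database. The following added example (not code from the article or from Yahoo) contrasts that scheme with a salted, deliberately slow password hash from Python's standard library; the password list and the user records are constructed sample data, and `SAMPLE_USERS`, `build_lookup_table` and the other names are assumptions for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: a few weak passwords of the kind that appear in any leaked list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

# Constructed sample "database" of unsalted MD5 hashes, as the article says Yahoo stored them.
SAMPLE_USERS = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"password").hexdigest(),   # same password as alice -> identical hash
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password: deterministic, so it leaks password reuse across accounts."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Digests for candidate passwords. Because there is no salt, this table is computed once
    and applies to every record in the database at the same time."""
    return {md5_hex(p): p for p in candidates}


def audit_md5_database(users: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Defender-side audit: which stored hashes match a common password outright?"""
    return {user: table.get(digest) for user, digest in users.items()}


def shared_password_groups(users: Dict[str, str]) -> Dict[str, list]:
    """Group accounts whose unsalted hashes are identical (they share a password)."""
    groups: Dict[str, list] = {}
    for user, digest in users.items():
        groups.setdefault(digest, []).append(user)
    return {d: u for d, u in groups.items() if len(u) > 1}


# --- The salted, slow alternative ---------------------------------------------------------
PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per user means two users with the same
    password get different digests, and a precomputed table is useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = pbkdf2_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("instantly recovered:", audit_md5_database(SAMPLE_USERS, table))
    print("accounts sharing a password:", shared_password_groups(SAMPLE_USERS))
    salt_a, dig_a = pbkdf2_hash("password")
    salt_b, dig_b = pbkdf2_hash("password")
    print("salted digests differ for the same password:", dig_a != dig_b)
```

PBKDF2 is used here only because it ships with the standard library; a memory-hard function such as Argon2id or scrypt is the better choice for new systems, but the point the example makes is the same: a per-user salt plus a tunable work factor, neither of which unsalted MD5 provides.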
Evidence acquired by forensic experts investigating the incident suggests that an unauthorized third party stole the company’s proprietary code and used it to forge cookies that let them authenticate and access users’ accounts without passwords. Forged cookies could even allow intruders to remain logged in indefinitely until the cookie’s destruction.
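Two design properties limit the damage described above: the cookie's signing key must live outside the source code (so a copy of the code alone cannot mint cookies), and every cookie must carry an expiry plus a server-side check that lets the operator invalidate all outstanding sessions at once rather than waiting for cookies to be "destroyed". The following is an added illustration of such a scheme, not Yahoo's actual cookie format, which the article does not describe; the key source, the `SESSION_GENERATION` table and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Assumption: the key is injected from the environment or a secret store, never committed
# with the code. The fallback value is a constructed development key for this example only.
SIGNING_KEY = os.environ.get("SESSION_SIGNING_KEY", "constructed-dev-key-do-not-use").encode()

# Server-side per-user session generation counter. Incrementing it invalidates every cookie
# previously issued to that user, so a revocation takes effect without touching clients.
SESSION_GENERATION: Dict[str, int] = {}


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user: str, now: int, ttl_seconds: int = 3600, key: bytes = SIGNING_KEY) -> str:
    """Issue body.mac where mac = HMAC-SHA256(key, body). The body is readable but any
    change to it (user, expiry, generation) invalidates the MAC."""
    payload = {"u": user, "exp": now + ttl_seconds, "gen": SESSION_GENERATION.get(user, 0)}
    body = _b64encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie: str, now: int, key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return the user name if the cookie is authentic, unexpired and not revoked; else None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison: verify the MAC before trusting anything in the body.
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        payload = json.loads(_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= payload.get("exp", 0):
        return None  # expired: a forged-or-stolen cookie cannot live indefinitely
    if payload.get("gen") != SESSION_GENERATION.get(payload.get("u", ""), 0):
        return None  # revoked server-side (e.g. after a password reset or key incident)
    return payload["u"]


def revoke_all_sessions(user: str) -> None:
    """Invalidate every outstanding cookie for a user by bumping their generation."""
    SESSION_GENERATION[user] = SESSION_GENERATION.get(user, 0) + 1


if __name__ == "__main__":
    now = int(time.time())
    cookie = mint_cookie("alice", now)
    print("valid:", verify_cookie(cookie, now + 60))
    revoke_all_sessions("alice")
    print("after revocation:", verify_cookie(cookie, now + 60))
```

If the signing key itself is exposed, rotating it invalidates every cookie at once; the generation counter handles the per-user case (password reset, suspected compromise) without a global logout.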
There are a few things that Yahoo account owners should immediately do to minimize potential damage. First and foremost, one should change not just their Yahoo account passwords but the password on every account linked to the Yahoo email. Email addresses have become the hub of your online footprint.
1.) Passwords are no longer the end-all of online security, but merely the first line of defense against online fraud. Make sure to use a different password per account and a password manager like 1Password to keep track of them all. Consider pairing 1Password with biometric authentication like fingerprint scanning to avoid having to type the master password with each use.
2.) Don’t forget to enable two-step verification; that way, logging in to an account requires not just the password but a string of digits texted to your phone number.
3.) Next, audit your Yahoo inbox for any unscrupulous emails that might suggest that another account was breached. Yahoo accounts also permit users to view recent activity indicating when the account was last accessed.
4.) You’ll also want to get into the habit of entering false information when creating online accounts with non-important websites in case they’re hacked.
5.) Lastly, it might be time to stop using Yahoo and switch to an email service that takes online security more seriously. Consider using ProtonMail going forward. It’s hosted in Switzerland, double-password-protected, and offers military-grade 256-bit AES encryption to those who want to use it.