Tuesday, December 20, 2016


   Just a few months ago, in September 2016, Yahoo announced that it had uncovered a breach that leaked passwords for 500 million accounts.  The actual breach took place in 2014 but took years to discover.  This breach was different from the prior breach announced in 2012.  We discussed this here.

   This announcement came at a time when Yahoo was deep into talks to be acquired by Verizon.  That September announcement led to speculation about effects on the purchase price.

   Well, truth is stranger than fiction, and Yahoo is back in the news again.  Now, on December 14, 2016, it appears that yet another breach has been discovered.  This one is separate from the previous issues and seems to date from August 2013.  This latest discovery affects... wait for it... one billion accounts!  You'll recall that the 2014 breach discovered in September 2016 hit "only" half that many accounts!

   So if we look at the timeline, Yahoo had major breaches in 2012, 2013 and 2014, and the two largest (2013 and 2014) only came to light in 2016, two to three years after the fact!  Good times.  Here is the latest announcement from Yahoo as well as some articles covering the details.

   This whole thing is a major issue (issues?) for a number of reasons, and it has to do with our dependence on email in our online world and Yahoo's role as a major provider of free email.
  • We all use email daily for a wide variety of reasons.  We have a need to trust email.  Of course, using email has made our lives easier... Not!
  • Spam and Phishing - when you receive a spam or phishing message from a "friend", you are more likely to click on the links.  Similarly, having your account taken over endangers your friends and contacts, because mail sent from your address carries your credibility.
  • Password reuse - most people reuse passwords among internet sites because it's easier to remember fewer passwords.  A password stolen from Yahoo will be tried against other sites where that same password works.
  • Linked accounts - as a convenience, you can connect accounts together so that you can use multiple services with one login.  This is most common with Facebook ("login with Facebook"), but this is also available with Yahoo, Google and others.  Whoever controls the login account controls everything linked to it.
  • Password resets and other verifications - often, password reset links or alerts and warnings are sent to an email address you specify.  If you specified your Yahoo account to receive these from your bank or other important site, and your account was compromised in any of the attacks we're discussing, the attackers could read those messages, use the reset links themselves and take over those accounts as well.
   So what should you do?

   Here are some steps to take now:
  1. First thing... Make sure that you are not reusing any Yahoo passwords for other accounts.  In fact, as we have discussed many times in the past, don't reuse any passwords across internet accounts.
  2. Change your Yahoo password(s).  Yes, it's a bit late for that now, but do it anyway: a new password makes the stolen one useless, and with this many breached accounts it could take a while before the attackers get around to exploiting your particular account.  Instructions are here.
  3. If you used your Yahoo email account as the "go to" email for password resets or key information from other accounts (banks, brokerage or any important accounts), change those passwords also, and consider pointing their recovery email at an account you trust more.
  4. If you used your Yahoo email account to receive any info for 2-factor authentication (some of those services can email you the 2-factor PIN), then change the passwords on those accounts.  Keep in mind that an emailed second factor is only as strong as the mailbox it lands in; an authenticator app or a hardware token does not have that weakness.  If you plan to continue using Yahoo then you should activate 2-factor authentication.  Instructions are here.
  5. Consider not using Yahoo as your primary email.  This is a tough one because free email providers are always targets for attacks.  Of course, Yahoo has experienced more than its fair share of breaches, but any of the others could as well.  It's a good idea to have a few different accounts to spread the risk around.  I've found that gmail tends to be pretty good, but Google could experience a breach as well.
  6. And how do you keep track of all these email, and other, accounts?... use a password vault as we've covered here, here and here.
  7. Check to see if your Yahoo account is linked to any other accounts (like "login with your Yahoo account").  Here's some info on how Yahoo and Facebook can link together.  Delete those associations as is appropriate for you.  Don't forget that the photo sharing site Flickr is a Yahoo service.
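   Steps 1, 3 and 4 above are really one audit: which of your accounts share a password, and which ones send their resets or 2-factor codes to a mailbox that may be in the attackers' hands.  The script below is an added example written for this post, not something from Yahoo or any vault vendor.  It reads a password-vault CSV export and reports both problems.  The column names (site, username, password, recovery_email, second_factor), the list of Yahoo mail domains and the sample export with its made-up credentials are all assumptions; adjust FIELDS to match whatever your vault actually exports.

```python
"""
Audit a password-vault CSV export for the two problems this post is about:
reused passwords, and accounts whose password resets or 2-factor codes go
to a mailbox that may be compromised (e.g. a Yahoo address).

Added example, not part of the original post. The column names below are an
assumption; real vault exports differ (adjust FIELDS to match yours).
"""
import csv
import hashlib
import io
from collections import defaultdict

# Mail domains operated by Yahoo; this list is an assumption, extend as needed.
YAHOO_DOMAINS = {"yahoo.com", "ymail.com", "rocketmail.com", "yahoo.co.uk"}

FIELDS = ("site", "username", "password", "recovery_email", "second_factor")

# Constructed sample export with fake credentials so the script runs offline.
SAMPLE_EXPORT = """site,username,password,recovery_email,second_factor
mail.yahoo.com,alice,Tr0ub4dor&3,,none
bank.example,alice,Tr0ub4dor&3,alice@yahoo.com,email
broker.example,alice,kPq9!vL2#zX8,alice@yahoo.com,sms
social.example,alice,Tr0ub4dor&3,alice@gmail.com,none
mail.google.com,alice,Nn7$wQe1!bcd,alice@yahoo.com,app
flickr.com,alice,Zz3@plM9?tyu,,none
"""


def parse_vault(csv_text):
    """Parse a vault export into a list of dicts keyed by FIELDS."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        missing = [f for f in FIELDS if f not in row]
        if missing:
            raise ValueError(f"export is missing columns: {missing}")
        rows.append({f: (row[f] or "").strip() for f in FIELDS})
    return rows


def _fingerprint(password):
    # Group by a hash rather than the cleartext so the report never
    # contains a password (SHA-256 is only a grouping key here, not storage).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reused_passwords(entries):
    """Return {fingerprint: [site, ...]} for passwords used on 2+ sites (step 1)."""
    by_pw = defaultdict(list)
    for e in entries:
        if e["password"]:
            by_pw[_fingerprint(e["password"])].append(e["site"])
    return {fp: sorted(sites) for fp, sites in by_pw.items() if len(sites) > 1}


def find_accounts_recovering_to(entries, domains=YAHOO_DOMAINS):
    """Sites whose recovery address is on one of `domains` (steps 3 and 4)."""
    hits = []
    for e in entries:
        addr = e["recovery_email"].lower()
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if domain in domains:
            hits.append({"site": e["site"], "recovery_email": addr,
                         "email_2fa": e["second_factor"].lower() == "email"})
    return sorted(hits, key=lambda h: h["site"])


def audit(csv_text, domains=YAHOO_DOMAINS):
    """Run both checks and return a report dict."""
    entries = parse_vault(csv_text)
    reused = find_reused_passwords(entries)
    recovering = find_accounts_recovering_to(entries, domains)
    # Sites that reuse a password AND reset through the risky mailbox go first:
    # one leaked credential or one hijacked inbox unlocks all of them.
    reused_sites = {s for sites in reused.values() for s in sites}
    urgent = sorted(h["site"] for h in recovering if h["site"] in reused_sites)
    return {"reused": reused, "recovering": recovering, "change_first": urgent}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for fp, sites in report["reused"].items():
        print(f"password {fp} reused on: {', '.join(sites)}")
    for h in report["recovering"]:
        flag = " (2FA code sent by email!)" if h["email_2fa"] else ""
        print(f"{h['site']} resets via {h['recovery_email']}{flag}")
    print("change first:", ", ".join(report["change_first"]))
```

   Run it against your own export instead of SAMPLE_EXPORT and work the "change first" list before anything else.  The report deliberately prints hashes rather than passwords, so it can be kept or shared without leaking the very secrets you are rotating.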
   Yes, this is a big mess.

   As much as email can drive us crazy, it is a critical service and is integrated into many daily activities (including access to other resources, account resets and 2-factor authentication).  You should review your other email accounts for the issues outlined in the steps above, and always take the same basic precautions (no password reuse, and monitoring account linkages) with any critical accounts.

   Do you have any other tips or suggestions on how to deal with this?  Should companies like Yahoo, that provide critical consumer services, have additional federal government oversight or regulations?
