Cybercriminals Breach Yahoo, Impacting 500 Million Users

When it comes to data breaches there are hits and there are misses. And then there are hits. Today, there was a hit. Yahoo Inc., a long-time, major tech player, confirmed a massive breach, affecting up to 500 million Yahoo users. Usernames, protected passwords, dates of birth, associated email addresses and more were allegedly stolen in late 2014, meaning the cybercriminals behind the caper have had some time to process the data.

So yes, it’s a big hit.

Rumors of a massive breach on this scale have been circulating on the Dark Web since August. That’s when a hacker using the name “Peace” offered to sell 200 million Yahoo usernames, passwords, birthdates and more for about $1,860, according to Motherboard. It’s unknown if anyone has purchased access to that stolen data.

What is known, according to Yahoo’s statement on the matter, is that all stolen data was protected in some form (hopefully through encryption). It included payment card data and bank account information.

Breaches like this are a serious matter, especially for users who don’t regularly access their Yahoo account. That’s because breaches on old websites and services can often have a cascading effect, in which poorly crafted, forgotten and reused credentials could grant cybercriminals access to increasingly sensitive data and account privileges on other websites. The longer a person ignores an unused service’s security, the more likely the account associated with that service will be used in a breach or an attack. If you’ve ever held a Yahoo account, then go to their website and update your credentials now.

So what should you do in light of this attack? Here are a few security tips to follow:

  • Create a complex password. All accounts should be protected by a password that’s at least eight characters long, uses lowercase and capital letters, and employs both numbers and symbols. These types of passwords can be hard to remember, which is why I’d recommend using a password manager. Speaking of which…
  • Use a password manager. Password solutions, such as True Key by McAfee, are programs that generate, store and protect passwords associated with a long list of services. Over the past few years, these tightly protected programs have become critical for users trying to practice good security hygiene online today. Simply put: if you can use a password manager, do so.
  • Use multi-factor authentication. The same line of reasoning goes for multi-factor authentication. This is a security standard that requires a user to both a) know something only they would know and b) have something only they would have in order to verify that they are who they say they are. Today, this is typically done through a combination of a PIN, a text message to your smartphone, and even possibly a fingerprint scan. Most services offer multi-factor authentication for their accounts today, so use it if you have the opportunity.
  • Use comprehensive security. Finally, you ought to have a comprehensive security service installed on all of your devices. Such programs, like McAfee LiveSafe, offer protection from a variety of malicious programs while also keeping track of your devices’ security standing.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

gary