Yahoo disclosed on Thursday what may be the biggest breach of all time: 500 million user accounts were breached in 2014 by a 'state-sponsored actor'.
That actor may be the US government itself (through the NSA), Russia, or China.
If you have a Yahoo account, even if it's one you made ages ago, you should change your password right now.
The news first surfaced online in August, when a hacker nicknamed Peace or Peace of Mind tried to sell data from a Yahoo leak containing more than 200 million user accounts.
Even though Bob Lord, CISO of Yahoo, writes that there is 'no evidence that the state-sponsored actor is currently in Yahoo’s network', he does not say explicitly whether the hacker has been locked out. The breach may have happened through a backdoor in network equipment, so the attackers may still be able to access emails, documents, chats and other personal data of Yahoo users.
What information has been acquired by the hacker?
The hacker was able to get user IDs, passwords, names, phone numbers, dates of birth, and in some cases unencrypted security questions and answers.
How to protect yourself
- If you have a Yahoo account, take action immediately: change your password to a unique one, and if you reused your Yahoo password on other websites, change it there too. In future, never reuse a password; instead create a unique, strong password for every website, app or web service you use. A password manager with strong encryption such as LastPass or Encryptr can generate strong random passwords and, most importantly, keep track of them securely.
- Another excellent step is to enable two-factor authentication (2FA): when you log in from somewhere new, the login form asks for a code sent to your phone. This way, even if hackers get hold of your password (something you know), they still need something you have: your phone. Yahoo's implementation is called Yahoo Account Key.
- As for security questions, the best way to make them bulletproof is to provide fake answers. An answer to a security question should be easy for you to remember but difficult to guess, even for people who know you.
- Check whether any apps you don't recognise are connected to your Yahoo account.
- Do not click on suspicious links in emails. In the coming days and weeks, phishing emails will likely be sent to Yahoo users in the hope that they fall for official-looking messages urging them to authenticate their account by entering their password or other information on fake login pages. 'Official email from Yahoo! always comes from an "@yahoo-inc.com" email address.'
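As an added example (not from the article and not Yahoo's own code), here is a small Python check that applies the rule quoted above to the From: header of a message, assuming yahoo-inc.com is the only official sender domain; the sample headers are constructed. It inspects only the header, which a forged message can set freely, so it is a triage aid for sorting mail, not proof of origin.

```python
from email.utils import parseaddr

# Official sender domain, taken from the rule quoted in the article.
OFFICIAL_DOMAIN = "yahoo-inc.com"

# Constructed sample From: headers for illustration; none are real messages.
SAMPLE_FROM_HEADERS = [
    "Yahoo Security <no-reply@yahoo-inc.com>",              # genuine domain
    "Yahoo Security <no-reply@YAHOO-INC.COM>",              # same, different case
    '"no-reply@yahoo-inc.com" <verify@account-check.example>',  # real address hidden in display name
    "Yahoo <support@yahoo-inc.com.account-check.example>",  # official name used as a subdomain
    "Yahoo <support@mail.yahoo-inc.com>",                   # genuine subdomain
    "support@yahoo-inc.com@attacker.example",               # malformed, two @ signs
]


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the actual address in a From: header.

    The display name is ignored on purpose: phishing mail often puts a
    plausible address there while the real envelope address differs.
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""  # malformed or empty address; treat as not official
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def is_official_sender(from_header: str, official: str = OFFICIAL_DOMAIN,
                       allow_subdomains: bool = False) -> bool:
    """True only when the real address domain is exactly the official one
    (or one of its subdomains, if explicitly allowed).  A domain that merely
    *starts* with the official name, like yahoo-inc.com.example, fails."""
    domain = sender_domain(from_header)
    if domain == official:
        return True
    return allow_subdomains and domain.endswith("." + official)


def triage(headers: list[str]) -> dict[str, bool]:
    """Map each From: header to whether it passes the official-sender check."""
    return {h: is_official_sender(h) for h in headers}


if __name__ == "__main__":
    for header, ok in triage(SAMPLE_FROM_HEADERS).items():
        print("OFFICIAL " if ok else "SUSPECT  ", header)
```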
The 10 biggest previous breaches
- MySpace accounts - 359m
- LinkedIn accounts - 164m
- Adobe accounts - 152m
- Badoo accounts - 112m
- VK accounts - 93m
- Dropbox accounts - 68m
- tumblr accounts - 65m
- iMesh accounts - 49m
- Fling accounts - 40m
- Last.fm accounts - 37m
Source: haveibeenpwned.com