Yahoo Data Breach, Part 2: Safety Tips for Users

After Yahoo confirmed a serious data breach, many of its users chose to block or delete their accounts. Deleting an account, however, does not restore the privacy of data that has already been copied, and it does not prevent that information from being sold on and used by third parties.

In this blog post we discuss the impact the Yahoo data breach may have on Yahoo users. Do you really need to worry if your account was compromised, and what actions should you take to protect yourself in the future?

Data is stolen, will it impact me?

“Many end users have become immune to the barrage of breach notifications and news articles. This feeling of safety can be deceiving, as users will only feel the impact of the data leak when their information is used for purposes of identity theft, at which point it might already be too late. Even though their data might not ever sell, it still could end up being freely distributed around the internet underworld.”

“Here’s where I see the problem. The single biggest issue is passwords. People tend to use the same passwords for everything. Chances are their password for Yahoo is probably their password for their banking, company logons and so on. So the first thing I would see coming down the pike is an attempt to hack the companies or agencies certain key individuals work for. The other thing I see is an increase in scams. While a nation-state is the suspect, let’s be honest, information is valuable and I could expect to see phishing and direct scams targeted at those individuals. I might also expect to see some use being made of the individuals’ names and birthdates, especially in trying to obtain documentation such as birth certificates, driver’s license information and such in order to perpetrate even bigger frauds.”

“As I understand it, the data has already been sold – Yahoo was digging into a black market sale, and investigating that was what led them to the huge breach. That party could have been hackers, it could have been a state sponsor that plans to use the information to forge signatures or access secure systems to reset passwords and infiltrate, or it could be someone else entirely. We simply don’t know.”

  • Matt Hopton, IT consultant, reminds us of the “1 password – 1 site” rule and advises against using birthdates as passwords.

Security checklist for users (save it!):

  1. Don’t be lazy: turn on 2-factor authentication wherever a service offers it, so that a leaked password alone is not enough to log in.
  2. Develop a password creation routine and follow the golden rule: 1 password – 1 site. A password manager makes this practical, because you no longer need to remember each one.
  3. Install the HTTPS Everywhere tool so that sites are reached over an encrypted connection where one is available. Note that this protects your traffic in transit; it does nothing for data that has already been breached.
  4. Try to avoid public Wi-Fi networks, and always protect your home Wi-Fi connection with a password.
  5. Do not use your corporate credentials to sign up for personal websites and apps. It’s better to create separate accounts, with separate passwords, for different websites and apps, so that one leak cannot be replayed against your employer.
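The password-reuse risk the experts describe above, and checklist items 2 and 5, are easiest to see in code. The following is an added example, not code from the original post or from Yahoo: it replays a constructed, made-up credential dump against a second site's (constructed) user table, exactly as a credential-stuffing attacker would, and shows that the attack only succeeds where the same password was reused. The account names, passwords and the PBKDF2 storage format are assumptions for illustration; the `looks_like_birthdate` check is a simple pattern test, not a complete password-strength policy.

```python
import hashlib
import hmac
import os
import re
import secrets
import string
from typing import Dict, List, Tuple

# Constructed example dump: what an attacker might buy on the black market.
# These are made-up accounts, not real Yahoo data.
LEAKED_CREDENTIALS: Dict[str, str] = {
    "alice@example.com": "Summer2016!",
    "bob@example.com": "19850412",                    # a birthdate used as a password
    "carol@example.com": "correct horse battery staple",
}


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the way a well-run second site might store passwords.
    Good storage on the target site does NOT help a user who reused the password:
    the attacker is not cracking the hash, they already know the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_db(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a second site's user table: email -> (salt, hash). Assumed layout."""
    db = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        db[email] = (salt, pbkdf2_hash(password, salt))
    return db


def credential_stuffing(leak: Dict[str, str],
                        target_db: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Replay every leaked (email, password) pair against the target site's login.
    Returns the accounts the attacker gets into, i.e. the users who reused a password."""
    compromised = []
    for email, password in leak.items():
        record = target_db.get(email)
        if record is None:
            continue                                  # no account on this site
        salt, stored = record
        if hmac.compare_digest(pbkdf2_hash(password, salt), stored):
            compromised.append(email)
    return compromised


def generate_site_password(length: int = 20) -> str:
    """A fresh random password for one site (the '1 password - 1 site' rule)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


_YYYYMMDD = re.compile(r"^(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])$")
_DDMMYYYY = re.compile(r"^(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])(19|20)\d{2}$")


def looks_like_birthdate(password: str) -> bool:
    """Flag the 8-digit date patterns that people commonly use as passwords."""
    return bool(_YYYYMMDD.match(password) or _DDMMYYYY.match(password))


# A bank whose users reused their Yahoo password (constructed): alice and bob reuse,
# carol already follows the one-password-one-site rule.
REUSING_SITE = make_user_db({
    "alice@example.com": "Summer2016!",
    "bob@example.com": "19850412",
    "carol@example.com": "a-different-password-for-the-bank",
})

# The same bank after every user switched to a unique generated password.
UNIQUE_SITE = make_user_db({
    email: generate_site_password() for email in LEAKED_CREDENTIALS
})


if __name__ == "__main__":
    print("compromised via reuse:", credential_stuffing(LEAKED_CREDENTIALS, REUSING_SITE))
    print("compromised after unique passwords:", credential_stuffing(LEAKED_CREDENTIALS, UNIQUE_SITE))
    for email, pw in LEAKED_CREDENTIALS.items():
        if looks_like_birthdate(pw):
            print(f"{email}: password looks like a birthdate")
```

Run as a script it reports alice and bob as compromised on the reusing site and nobody on the site with unique passwords; bob's password is also flagged as a birthdate. The point to take away is that the bank's salted PBKDF2 storage was irrelevant: the attacker never had to crack anything, because the reused plaintext came from the other breach.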