Update: December 17th 2016. This week Yahoo announced a second breach of 1M users. While the scale is shocking, your risk is no different from that of the previously reported breach. Our advice remains the same, and you should be safe if you follow it.
Unless you have been living under a rock for the last few days, you have already heard that Yahoo was hacked in 2014 by what it believes was a “state sponsored actor”. In the announcement Yahoo confirmed that confidential information on at least 500 million user accounts had been stolen. So if you have a Yahoo email account, what should you do, and what are your other online risks? We’ll walk you through the 3 simple steps you should take to protect your Yahoo account and discuss what additional risks you may have, including showing you an actual malware email I received at my Yahoo email address. Before I get to the three steps, I’ll quickly review what information was exposed in the hack.
What was stolen?
According to Yahoo, the stolen information includes names, email addresses, dates of birth, telephone numbers, password information, and possibly the security questions and answers, which are often used to reset passwords. Yahoo indicated that the compromised passwords were encrypted, which puts them at less risk, but if they were taken by a “nation state”, that attacker certainly has the capability to crack them should it want to. The stolen information did not include payment card data or bank account information, according to the company.
First, you should change your password. Second, you should also change your security questions. Yahoo will prompt you to remove your security questions completely when you sign into the Yahoo security center, but if they don’t, you should remove them yourself. Finally, you should set up two-step verification to ensure only you are accessing your account. If you do these three things, you can rest assured your account will be secure on a go-forward basis.
Make sure you also change the password on any other account that uses the same one as your Yahoo account. As we have pointed out in “Passwords: The first line of Cyber Defense”, far too many of us use the same password on multiple accounts. You should either learn how to become your own human computer password generator (we show you how in the article) or, if you’re lazy like me, use a password manager. The blog post also links to independent reviews of password managers.
This is what “Yahoo” malware looks like.
Once you’ve secured your account and changed your other passwords, your biggest risk now is that a skilled hacker has your “verified” Yahoo email address. Since the thieves know it is a Yahoo account, you can expect to get malware disguised as an email from Yahoo. I have actually received such an email and have taken a screenshot of it, which you can see below.
As you can see, at first glance it looks like a Yahoo email, but my first tipoff that it was malware was that it did not come from the same email address as all the other Yahoo email I get. Second, the language used in the email is odd and not what you would expect from Yahoo. The spacing is inconsistent, as is the use of capital letters in the text. Finally, when you hover over the links, they route you to suspicious web addresses that are not usually associated with Yahoo. All in all, it adds up to a clearly fraudulent email. If you have a small business, I suggest you share this information with your staff.
In addition to strange-looking emails from Yahoo, be aware of other unusual activity. Look for uncommon friend requests, requests to reset a password, and anything else out of the ordinary. We have additional information on what to look for in ransomware email in “Ransomware: 4 Must Do’s to Protect Your Business”.
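The sender and link checks described above can also be automated for mail that claims to come from Yahoo. The Python sketch below is an added example, not part of the original post; the sample message, the domains in it and the trusted-domain list are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("yahoo.com",)  # assumption: domains accepted as genuinely Yahoo

# Constructed sample message, not the email shown in the post.
SAMPLE = """\
From: Yahoo Mail <service@account-notice.example>
Subject: Your account need Verification
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Sign in: <a href="http://login.verify-mail.example/yahoo">https://login.yahoo.com</a></p>
<p>Read the <a href="https://help.yahoo.com/kb/account">help page</a>.</p>
"""

def is_trusted(host):
    """True only for a trusted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):  # keeps each link's real target, not its visible text
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def check_message(raw):
    """Return a list of findings for mail that claims to come from Yahoo."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Check 1: display name says Yahoo, but the address is on another domain.
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2]
    if "yahoo" in display.lower() and not is_trusted(domain):
        findings.append(f"sender: name says Yahoo, address is at {domain}")
    # Check 2: where each link really goes, the same thing hovering reveals.
    part = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(part.get_content() if part else "")
    for href in collector.hrefs:
        host = urlparse(href).hostname
        if not is_trusted(host):
            findings.append(f"link: {href} leads to {host}")
    return findings
```

Calling `check_message(SAMPLE)` returns two findings, one for the sender and one for the first link. The suffix match in `is_trusted` also rejects look-alike hosts that merely contain the word "yahoo".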
If you have additional questions
If you take our advice you should remain secure; however, Yahoo has set up a security FAQ page should you have additional questions regarding your account and the breach. Be diligent, tell your staff to be on the lookout as well, and you should remain safe. As always, stay safe out there.
David Griffith used to have a normal life but he’s now living and breathing cybersecurity as the CEO of Azstec LLC, the creators of docNCRYPT, the incredibly simple document and email security solution for everyone. If you have any comments or questions, email David at dgriffith [at] azstec.com and follow the Azstec Blog or on Twitter or LinkedIn.