The largest data breach in history was bigger than we thought

12 hours ago

In the latest announcement to make you nervous about data security: If you had a Yahoo account in 2013, it was hacked. Originally, Yahoo said that one-third of its user accounts were compromised. Now Verizon, which owns the company, says all three billion accounts were hacked.

How could Yahoo just be finding this out now? Amy Scott talked with Chester Wisniewski, a senior security researcher at Sophos, a network security company, about what you can do if you were affected.

Amy Scott: Why is the company just finding out about this now?

Chester Wisniewski: Modern computer networks are incredibly complicated. And I suspect that the amount of forensic work that had to go into disclosing the breach last fall probably wasn’t complete at the time that they notified people. They recognized the danger to some of the people whose Yahoo accounts had been compromised and probably wanted to get the word out and warn people. And we didn’t really know who it was back then anyways. I would have encouraged all three billion people last year to take some corrective action. And I suspect that they found more evidence as they went forward through their investigation that sadly more data had been stolen.

Scott: And for those who didn’t already take steps to protect themselves, what does it mean for anyone who had a Yahoo account in 2013 or still does?

Wisniewski: Obviously there are three billion of us, which means a lot of Americans, especially those who have used the internet for a while, back when Yahoo mail was a lot more popular, have these legacy accounts around. We always tell people to change the password. And you may be hesitant and go, well, I really stopped using my Yahoo mail account five years ago. That account might still be used as a password reset account for many other accounts you created – even maybe your 401k or your bank account. If you were an active Yahoo mail user, it’s really important that you change that password. And if you really don’t want to use it, make it something long that you can write down and put in a drawer somewhere and just not worry about it.

Scott: Is it true that Yahoo accounts can’t ever be deleted?

Wisniewski: I haven’t figured out how to get rid of one yet. There certainly is an advantage for companies providing these free services to be able to offer marketers very large numbers for the number of people that use and actively use their services. I don’t know if that’s related. But I haven’t been able to figure out how to get rid of a Yahoo account. That’s why I think the best way to dispose of one is to put a long complicated password on it and file it away.


Scott: That implies that you have one yourself?

Wisniewski: I have several Yahoo accounts. And I have a few research accounts that I use for alternate personalities. But I also have a legitimate Yahoo account that I used as a primary email address in the 1990s and that’s one of the things that scares me when I hear about these breaches because I think back and I go, what other accounts did I set my Yahoo email address on as my password recovery in 1997? And I don’t really know. And what if one of them is important? I don’t believe I’ve used that account in a long time. But I still find it worth the exercise of changing that password just in case I didn’t remember it was associated with my retirement account or my current email account.

Scott: I wonder if we’re starting to experience a little bit of hacking fatigue in this country. I mean it’s a sort of inevitable news story that I think maybe doesn’t even register anymore. We hear about these giant hacks – Equifax, Yahoo – and it seems like there’s nothing we can do about it. What can consumers do, if anything, to prevent these kinds of hacks overall?

Wisniewski: I think the two primary things that will lessen the impact are ensuring that you are using different passwords everywhere. And I know how unhappy that makes people when they hear that advice. But if your Yahoo password had only ever been used at Yahoo!, then the only thing that could ever really be done with it would be access Yahoo. And so that’s one really good preventative. Sadly, not every site offers it, but many sites now offer multi-factor authentication. Services like Microsoft, Google and Yahoo have that available. That’s where they text you a number or use an app to verify it’s you when you log in. So that’s a little bit annoying, but it provides really good security, especially for those high-risk accounts that you have that you’d be heartbroken if someone broke into, like maybe your Facebook and your bank account and that type of thing. I think the third thing is remember how often this is happening and stop sharing as much of your information, perhaps. Don’t create that one more account on another site just because you want to make a comment on a post. And remember that you don’t need to be honest. After we heard what happened with Equifax and our birthdates being released, those things aren’t really secret anymore. But on the other hand, it’s just better to keep them to yourself. As a security researcher, almost all my friends miraculously are born on January 1.

Scott: For me it’s July 15. I definitely have made up a birthday whenever possible. What about companies? Do you think after all these high profile cases they’re generally doing a better job of safeguarding consumer data? Or is there only so much they can do to stay ahead of the hackers?

Wisniewski: One of the most important things I think companies are taking away from this is that there’s no perfect security platform. Yahoo has a pretty amazing security team, and even the best team is going to fail once in a while. I think we need to remember that data protection is a lot more like fire protection. You can’t prevent the warehouse from burning down, but we put in sprinkler systems and buy fire extinguishers to be prepared for when the bad thing happens. And I think a lot of these big headline breaches that we’ve had in 2017 especially have shown that some of these really big companies, they did their best to defend themselves, but they weren’t ready for the day when it actually happened. And so I think the emphasis for a lot of big American companies is to be better prepared for when the bad thing happens and know how to reach out and protect people more quickly after an incident occurs.