Just how bad is Yahoo's security breach? 'Equivalent of ecological disaster,' expert says
Yahoo's data breach could have ripple effects that span across the Internet. (Marcio Jose Sanchez / AP)
By Associated Press
on September 27, 2016 at 8:52 PM, updated September 27, 2016 at 10:24 PM
LONDON — As investors and investigators weigh the damage of Yahoo's massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web.
While it's unknown to what extent the stolen data has been or will be circulating — or how easy it would be to use if it were — giant breaches can send ripples of insecurity across the internet.
"Data breaches on the scale of Yahoo are the security equivalent of ecological disasters," said Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania, in a message posted to Twitter.
A big worry is a cybercriminal technique known as "credential stuffing," which works by throwing leaked username and password combinations at a series of websites in an effort to break in, a bit like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. Software makes the trial-and-error process practically instantaneous.
Credential stuffing typically succeeds between 0.1 percent and 2 percent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security. That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.
"It becomes a numbers game for them," Ghosemajumder said in a telephone interview.
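The credential-stuffing pattern described above, seen from the defender's side, as an added example that is not from the article or from Shape Security: a small Python detector over constructed auth-log lines (the log format, field names and thresholds are assumptions) that flags a source address cycling through many distinct usernames with a high failure rate, and lists the accounts that succeeded inside such a burst so they can be forced through a password reset.

```python
"""Credential-stuffing detector over constructed auth-log lines.
Added example, not from the article; the log format, field names and
thresholds are assumptions. The tell-tale sign is one source IP cycling
through many distinct usernames with a high failure rate in a short
window, whereas a user who forgot a password retries a single account."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-09-27T20:52:01Z ip=203.0.113.5 user=alice result=FAIL
2016-09-27T20:52:01Z ip=203.0.113.5 user=bob result=FAIL
2016-09-27T20:52:02Z ip=203.0.113.5 user=carol result=FAIL
2016-09-27T20:52:02Z ip=203.0.113.5 user=dave result=OK
2016-09-27T20:52:03Z ip=203.0.113.5 user=erin result=FAIL
2016-09-27T20:52:03Z ip=203.0.113.5 user=frank result=FAIL
2016-09-27T20:55:10Z ip=198.51.100.7 user=grace result=FAIL
2016-09-27T20:55:40Z ip=198.51.100.7 user=grace result=FAIL
2016-09-27T20:56:05Z ip=198.51.100.7 user=grace result=OK
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Yield (timestamp, ip, user, success); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_users, fail_ratio)} for each source IP that, in
    some sliding window, tried >= min_users distinct accounts with a failure
    ratio >= min_fail_ratio (a single retrying user never trips this)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            ratio = sum(not ok for _, _, ok in chunk) / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), round(ratio, 2))
                break
    return flagged

def compromised_accounts(log_text, **kw):
    """Accounts that logged in successfully from a flagged IP: the likely
    reused-password takeovers, i.e. the ones to force a reset on."""
    bad = detect_stuffing(log_text, **kw)
    return sorted({u for _, ip, u, ok in parse(log_text) if ok and ip in bad})
```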
So will the big Yahoo breach mean an explosion of smaller breaches elsewhere, like the aftershocks that follow a big quake?
That seems unlikely given that Yahoo says the "vast majority" of its passwords were stored in an encrypted form believed to be difficult to unscramble. On the other hand, Yahoo said the theft occurred in late 2014, meaning that hackers have had as many as two years to try to decipher the data.
Ghosemajumder said he didn't see a surge in new breaches so much as a steady increase in attempts as cybercriminals replenish their stock of freshly hacked passwords.
The first hint that something was wrong at Yahoo came when Motherboard journalist Joseph Cox started receiving supposed samples of credentials hacked from the company in early July. Several weeks later, a cybercriminal using the handle "Peace" came forward with 5,000 samples — and the startling claim to be selling 200 million more.
On Aug. 1 Cox published a story on the sale, but the journalist said he never established with any certainty where Peace's credentials came from. He noted that Yahoo said most of its passwords were secured with one encryption protocol, while Peace's sample used a second. Either Peace drew his sample from a minority of Yahoo data or he was dealing with a different set of data altogether.
"With the information available at the moment, it's more likely to be the latter," Cox said in an email Tuesday.
The Associated Press has been unable to locate Peace. The darknet market where the seller has been active in the past has been inaccessible for days, purportedly due to cyberattacks.
At the moment it's not known who holds the passwords or whether a state-sponsored actor, which Yahoo has blamed for the breach, would ever have an interest in passing its data to people like Peace.
Even if the hack was a straightforward espionage operation, Gartner security analyst Avivah Litan said that wouldn't be a reason to relax. Spies can mine trivial-seeming data from apparently random citizens to tease out their real targets' secrets.
"That's how intelligence works," Litan said in a phone call.
Meanwhile Yahoo users who recycle the same password across the internet may still be at risk. While people can always change the passwords across all the sites they use, Yahoo's announcement that some security questions were compromised too means that the risks associated with the breach are likely to linger.
A password can be changed, after all, but how do you reset your mother's maiden name?
After Yahoo data hack, here are 15 tips to protect yourself
By Teresa Dixon Murray, The Plain Dealer
on September 23, 2016 at 2:45 PM, updated September 24, 2016 at 8:52 AM
It's getting more and more difficult to find someone who has never been hit by a data breach. Customers of stores and restaurants . . . Government workers . . . Workers whose companies' records have been stolen . . . People with health insurance . . . Now consumers who've done business with a major email and Internet company.
Personal information involving 500 million Yahoo accounts, including accounts with Yahoo Mail, Yahoo Finance and Yahoo Fantasy Sports, was stolen back in 2014 and we're just now learning about it. Yahoo's announcement Thursday also said the theft may have included 113 million Flickr accounts.
The stolen information may have included names, email addresses, telephone numbers, dates of birth, and in many cases, security questions and the answers people gave, Yahoo said.
So here are steps you should consider taking, ASAP:
1. Assume that anything that was in your Yahoo email account could be in the hands of bad guys, including passwords to other web sites and accounts.
2. Make sure all of your passwords on all of your accounts -- especially on any other email account or financial account -- are solid and are not the same one you used on any of your Yahoo accounts.
3. If you used the same "secret questions" on your Yahoo account and any other account that you have, start changing them. Favorite movie of all time? Pet's name? Middle name of your youngest sibling? Change them all.
And on that note, don't use secret questions that other people know the answers to. There are lots of people who know your high school mascot. It's probably easy to figure out from your Facebook page or among anyone you knew in high school. Don't use the name of the street you lived on as a child. Or your pet's name. Tons of people know the name of your dog, cat or guinea pig.
4. Further, when you're asked by a bank or a credit card company or any entity to provide something like your mother's maiden name, don't provide the true answer. Your mother's maiden name is easy to find. When I'm asked for my mother's maiden name, I give them a fabricated last name. The trick is, you gotta remember it since it's not true.
5. Watch out for suspicious emails or phone calls that try to trick you into disclosing personal information, based on already having some information about you that may have been extracted from your Yahoo account.
With a data breach of this scale, many of us will receive emails and calls that claim to be from Yahoo and asking us to click on links or fill out forms or provide even more personal information.
If anyone contacts you by email or phone and says he's from Yahoo or law enforcement and is calling about this breach, hang up. If you don't hang up for some reason, then do not provide any information, such as your Social Security number, date of birth, bank account information, etc.
6. Remember that stores, banks, universities and investigators will never contact you out of the blue and ask for personal information such as account numbers, Social Security numbers, passwords, etc. Never. Ever. And they'll never contact you and ask you to change your password by clicking on an unknown link. Don't click on links or reply with any information. Never. Ever.
7. This same warning applies to anyone who calls you and claims to be from Microsoft or Apple support and says you have a problem with your computer and the caller needs access to your computer to fix it. Just don't. Ever. Just hang up without saying bye.
8. Be more cautious about anything you post on social media -- Facebook, Twitter, Instagram, etc. You can provide thieves with a lot of information without meaning to. This is especially troubling if you post the name of your best friend and photos of your dog online, and then use that information as the answers for security questions for bank accounts.
And remember that even if your social media accounts are accessible only to friends or family, the information is still on some company's database and can be accessed or sold.
9. If you want to be uber-cautious, contact your banks and investment accounts first, then credit cards and other types of financial accounts. Ask whether you can put additional verbal passwords on your accounts that don't involve any public record data such as your date of birth. We're talking about PINs or random words (like cinnamon or acorn). You want to make sure someone can't access your accounts for wire transfers or to change your contact information without your secret password.
10. I've never been a huge fan of credit freezes across the board. That's starting to change. It's almost come to the point where everyone should consider having their credit files frozen so that someone can't open new accounts in their name.
Yes, credit freezes can be a hassle if you need to unfreeze your reports because you're applying for a loan or insurance or renting a new apartment. It can take up to three business days to unfreeze it and allow access. And yes, freezing and unfreezing them costs $5 per credit bureau.
But a credit freeze would prevent any new accounts from being opened without your express permission, indicated by providing the 10-digit PIN that you're given when you freeze the files.
If you want to do a credit freeze, you'll have to contact each of them individually:
Equifax: http://www.equifax.com/help/credit-freeze/en_cp or call 1-800-685-1111.
TransUnion: https://freeze.transunion.com or call 1-888-909-8872.
Experian: https://www.experian.com/freeze/center.html or call 1-888-397-3742.
One of my primary sticking points with credit freezes is that they can give people a false sense of security. Credit freezes won't help prevent fraud on existing accounts, which constitutes 88 percent of identity theft.
11. Consider paying for identity theft protection. You're looking for the kind that can alert you to any underground use of your Social Security number, credit card numbers, driver's license number or email.
12. Watch out for anything odd -- a medical explanation of benefits for a service you didn't have or from a provider you don't recognize, a rejection letter for an account you didn't apply for, a missing credit card statement that is more than a few days late. These could be signs of identity theft.
13. Put every type of protection you can on your financial accounts. If you can use two passwords, do it. If you can require codes to be sent to your phone in order for you to log in, do it. If you can request email or text alerts for purchases or bank account withdrawals or changes to your contact information, then do it. While you're at it, make sure that companies you do business with have all of your current contact information in their files.
14. Monitor your primary bank accounts, credit cards, investments, etc., more carefully than ever. Every week is good. Every day is better.
15. Check your credit reports regularly. You're entitled to one free credit report per year from each of the three major credit bureaus. Go to annualcreditreport.com or call 1-877-322-8228. Or you can fill out a paper request and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, Georgia 30348-5281. You'll be asked to provide your name, address, Social Security number, date of birth and which bureau you want a report from (Equifax, TransUnion or Experian).
Best advice: Order a credit report from one of the bureaus every four months.