ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Yahoo Confirms 500 Million Accounts Were Hacked by ‘State Sponsored’ Hackers

September 26, 2016 by Scott Radaszkiewicz 2 Comments

Article Link: http://thehackernews.com/2016/09/yahoo-data-breach.html

The following article discusses a data breach at Yahoo that happened back in 2014. Account information for over 200 Million Yahoo accounts was being sold on the Dark Web. An estimate claims that 500 Million accounts could have been affected. No credit card information was obtained, but user logins, passwords, and security questions and answers were stolen.

Yahoo claims that it was a state-sponsored attack, but has not revealed any proof of this.

Yahoo users are urged to change their password.

In reviewing this article, it’s scary. From the teen in the basement to the state-sponsored hacker, there is so much to watch out for! I think about my own life. All the information that is put out there in things like Google Mail and Docs. It’s scary to know that we can take the best precautions to protect our information, but once it leaves our hands, it’s out there. We have no accountability for the safety of our information that we put out in Cyberspace! But yet, we continue to do it more and more, at an alarming rate!

 


Comments

  1. Loi Van Tran says

    September 27, 2016 at 10:40 am

    Thanks for the article, Scott. You’re absolutely right that the information that we put on the internet is no longer ours and we are depending on the companies to protect it. As we have seen over the years, attacks on corporate systems have plagued every industry. We’re talking about script kiddies to state-sponsored attacks. It is important to point out that even though Yahoo probably encrypted the data that was exfiltrated, once the data is out of their control, the hacker can spend as much time as it takes to decrypt the data.

    Although system controls are out of the user’s hands, there are some additional security features that these types of companies provide. Some email services like Yahoo and Gmail also provide two-factor authentication. Aside from entering your username and password, Yahoo would send you a text message with a verification code to enter along with the typical login credentials. So even if a hacker obtains your username and password, they will also need your phone.

  2. Jason A Lindsley says

    September 27, 2016 at 10:49 pm

    I have a Yahoo account that I rarely use, but it still contains PII that I would not like leaked. Fortunately, I was using Yahoo’s one-time password feature. It’s similar to two-factor authentication (i.e. password + SMS one-time code), but you do not enter a password at all. Each time you try to log in, you are e-mailed an 8-character one-time password.

    Some would argue that two-factor authentication is stronger, however in this case the users that did not have a static password stored are fortunate because many people use the same or similar passwords for multiple accounts.

    There are multiple arguments to these security options. This article below outlines that SMS passwords could be targeted by Malware:

    http://www.darkreading.com/endpoint/yahoos-one-time-passwords-have-security-experts-divided/d/d-id/1319491

    In this case, I feel fortunate that my password was not stored and my account was not compromised, however it reiterates the importance of using alternative methods of authentication and complex passwords that are unique for all of your accounts.
