Yahoo’s report of the breach comes just weeks after the technology Web site Motherboard reported in August that a hacker known as Peace was advertising on the Dark Web that he was selling some 200 million Yahoo user accounts. At that time, Yahoo issued a statement saying that it was aware of the claim and that its security team was investigating.
Yesterday, Yahoo issued an announcement that the account information stolen may include names, email addresses, telephone numbers, dates of birth, hashed passwords, “and in some cases, encrypted or unencrypted security questions and answers.”
Yahoo claims its ongoing investigation suggests that the stolen information did not include unprotected passwords, payment card data, or bank account information. However, there is still the possibility that whoever holds the stolen data could combine it with other information to gain access to users’ other accounts, such as banking accounts, medical records, and even corporate or government accounts and networks.
The incident underscores the importance of having a security breach strategy, according to Claudiu Popa, security expert and president of Informatica Corp., a Toronto-based security and privacy risk assessment firm.
“My grave concern with this matter lies in the following unanswered questions,” Popa told ITIC. “Businesses must create Breach Response Procedures based on the assumption and simulated scenarios of serious data breaches.”
Among his questions were:
- How many Canadian users does Yahoo have exactly?
- How will Canada’s privacy laws protect Canadians impacted by Yahoo’s loss?
- On what basis are state attackers to blame, and why would Yahoo be less accountable for compromising its users’ data?
What should be included in a company’s Breach Response Procedure? Popa suggests including the following:
1. A communication plan that details what they know and how they are now containing the problem
2. An acknowledgment of accountability for the information assets that were entrusted to them
3. A clear set of steps for users to follow to protect themselves immediately and in the future, not just “change your passwords because we got breached”
“Most importantly, they must respond and notify customers and users immediately,” Popa said. “The speed of the disclosure is critical in salvaging the public’s trust and helping potential victims to protect themselves.”
“Yahoo is notifying potentially affected users and has taken steps to secure their accounts,” the search engine company said. “These steps include invalidating unencrypted security questions and answers so they cannot be used to access an account and asking potentially affected users to change their passwords.”
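The remediation Yahoo describes, invalidating security answers that were stored unencrypted, points at the underlying weakness: security-question answers are credentials and should be stored the same way passwords are, as salted, slow hashes, so a stolen database does not hand out the answers themselves. The following is an added example written for this article, not Yahoo’s code; it assumes PBKDF2-HMAC-SHA256 with a high iteration count as the hashing scheme and uses constructed sample answers.

```python
"""Added example (not Yahoo's code): store security-question answers as
salted, slow hashes rather than plaintext, and verify them without ever
keeping the answer itself. Sample answers below are constructed."""
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters for this example. Security answers are short and
# low-entropy, so the work factor matters even more than it does for
# passwords: it is what slows offline guessing against a stolen table.
ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalise the answer so harmless variation ("Toronto" vs
    " toronto ") does not lock the user out. Normalisation happens in
    memory only; the normalised answer is never persisted."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer: str) -> dict:
    """Build the record to persist: algorithm, parameters, salt and digest.
    A fresh random salt per record means identical answers across users
    produce different hashes, so one cracked answer does not reveal others."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {
        "alg": "pbkdf2-sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare
    in constant time, so timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def plaintext_store_answer(answer: str) -> dict:
    """The weak form the breach report describes: the answer itself is stored
    and is immediately usable by whoever copies the table."""
    return {"answer": answer}


def leaked_record_reveals_answer(record: dict) -> bool:
    """What a stolen row exposes. A plaintext record carries the answer;
    a hashed record carries only salt and digest."""
    return "answer" in record


if __name__ == "__main__":
    # Constructed sample: a user's answer and a later login attempt.
    rec = store_answer("Toronto")
    print("stored fields:", sorted(rec))
    print("accepts normalised variant:", verify_answer(rec, "  toronto "))
    print("rejects wrong answer:", verify_answer(rec, "Ottawa"))
    print("hashed row reveals answer:", leaked_record_reveals_answer(rec))
    print("plaintext row reveals answer:",
          leaked_record_reveals_answer(plaintext_store_answer("Toronto")))
```

The design point is the asymmetry: the hashed form still lets the service confirm a correct answer, but a copy of the table gives an outsider only salts and digests that must be guessed one slow iteration at a time, which is exactly what makes “hashed passwords” a less severe disclosure than “unencrypted security questions and answers” in the categories the article lists.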
Yahoo also recommended that users who have not changed their password since 2014 do so now.
Here are four things you can do if you suspect you might be one of the victims of the breach:
Change passwords. Not just the one for your Yahoo account. Use this as an opportunity to update all your passwords, and avoid the temptation to reuse the same password across different accounts. Too much work? Try using a password manager, which stores all your account details in encrypted storage on your computer or smartphone. Check out PC Mag’s list of best password managers for 2016.
Review and delete sensitive content. Search old emails and delete correspondence that may contain sensitive information. Empty your trash folder. Review the security settings of services connected to your Yahoo account and disconnect them.
Enable two-factor authentication. Add a second layer of security that requires another form of authentication before your account can be accessed.
Avoid answering suspicious emails. Hackers may try to exploit the news of the Yahoo account breach by sending out emails that bait users into revealing their passwords or opening attachments that contain malware. Be extra vigilant.