A billion YAHOO! accounts breached

Security News

Yahoo just announced another instance of hacked accounts, up to a billion. Yes, I said one billion. If you have a Yahoo account, odds are your account has been hacked. Back in September Yahoo announced 500 million hacked accounts.

How can this affect me?


– If you maintain an active Yahoo! account, immediately change your password AND your security questions, where you have set any. The compromise of the security questions may be the biggest long-term negative effect of this breach. (Obviously if you have a closed account, you will not be able to change either the password or the security questions.)

– If you are one of those people who uses the same password over multiple accounts then, aside from already knowing you are wrong for doing so, you need to immediately change the passwords and security-related questions / data for those other accounts – even if your Yahoo! account has not been active for years. Obviously some security questions require a fixed answer – such as mother’s maiden name – unless you have been savvy enough to create faux answers. You can pick the name of a street perpendicular to one you lived on, the last name of your best childhood friend, the name of a school you went to, or whatever. Although not perfect, any of those is probably safer nowadays than using the real maiden name of your mom, if any organization still uses it as a mandatory security question.

– Another issue is that any phone numbers or other e-mail addresses you associated with your Yahoo! account are likely also compromised. That gives hackers other avenues through which to get at you, even if your Yahoo! account has been closed.

– A smart hacker will try to send out phishing e-mails to other e-mail service providers using the same ID you had for Yahoo!. The e-mail address characters I have for Gmail and Hotmail are the same ones I used for Yahoo! So if my Yahoo! account has been compromised – which I assume it has been – the attacker now has the same e-mail address characters as my current Gmail and Hotmail e-mail addresses. So the risk of very targeted phishing e-mails to these other addresses has increased.

– If you used a mobile phone number in association with your Yahoo! account, and you still use that mobile phone number, then SMS phishing (a.k.a. Smishing) is now an enhanced possibility. And if you, unfortunately for you, use an Android device, then you had better be very wary of Smishes.

– If you have an active Yahoo! account and hackers control the account, and if you have used that account as your signup account for banking, Amazon, 401K, credit card issuers, Zappos, whatever, then hackers can use that access to reset the passwords of those accounts to whatever they want them to be. And then go to work on your account.

– In fact, if you have an active Yahoo! account you should get rid of it. But not before you clean it out. If you have used it for business or questionable personal activity, you had better clean out all the folders. They may be compromised or they may not be. The contents may have already been accessed or they may not have. Speed in damage minimization may put you on the positive side of the fence. But if a hacker has accessed your Yahoo! account and you have damaging e-mails inside it, you could now be an extortion target. You will also want to check the account settings to ensure associated e-mail addresses and phone numbers have not been changed. A changed recovery address or number could give a hacker a continuous route back into your Yahoo! account.

– If business associates are accustomed to receiving e-mails from you using your Yahoo! account, then they are at risk of being phished. If they are communicating with your Yahoo! account against agency or company policy, and a breach occurs, they can expect to get fired or otherwise ‘jammed up.’

– Even your contact info is of value to a hacker, as they can then add all those people to their list of potential phishing or extortion victims. This includes their mobile device phone numbers.

– If you don’t change the password of an active Yahoo! account, then you must assume there is going to be dual access going on: you and a hacker. Modern detection techniques may alleviate this concern, but I would not want to risk a lot on such an assumption. Some e-mail services will tell you when you last logged on. If you haven’t used your Yahoo! account in six months, but when you log in you see the last log-in was two weeks ago, then you know you have a problem.

Here are some things to do with your Yahoo account

Hints and Tips for Yahoo Account Owners (may be a good idea to get rid of your YAHOO account)

  1. Before you delete the account, get rid of all the folders; only then delete the account and open an account with a different e-mail provider (Gmail).
  2. Check if you have used your Yahoo password in other sites, and change the password and security questions for those accounts. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.
  3. If you used a mobile phone number in association with your Yahoo! account, and you still use that mobile phone number, then SMS (texting) phishing (a.k.a. Smishing) is now a distinct possibility, so be very wary of Smishes.
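The password-reuse check in item 2 and the "signup account" point above (other services whose password resets route through the breached mailbox) can be done mechanically against a password-manager export rather than from memory. The following is an added example, not code from the original post or from Yahoo: it reads a CSV export whose column names (site, username, password, recovery_email) and sample rows are constructed for this example, hashes passwords so the report never carries plaintext, and lists the accounts to rotate first. It goes slightly beyond the post by also flagging near-identical variants (same password with different case or trailing digits), since Yahoo's own guidance speaks of "the same or similar information".

```python
"""Triage a password-manager export after a provider breach.

Added example (not from the original post or from Yahoo): given a CSV export
of saved logins, report every account that must be rotated because it shares
a password (exact or near-identical) with the breached account, and every
account whose password reset flows through the breached mailbox.
"""
import csv
import hashlib
import io
import re

# Constructed sample export. The column layout is an assumption for this
# example, not a real password manager's schema.
SAMPLE_EXPORT = """site,username,password,recovery_email
mail.yahoo.com,jdoe@yahoo.com,Winter2016!,jdoe@gmail.com
bank.example,jdoe,Winter2016!,jdoe@yahoo.com
shop.example,jdoe@yahoo.com,winter2016,jdoe@yahoo.com
forum.example,jdoe,correct-horse-battery,jdoe@gmail.com
retire401k.example,jdoe,Tr0ub4dor&3,jdoe@yahoo.com
"""


def fingerprint(password: str) -> str:
    """Short SHA-256 digest so the report never contains a plaintext password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def normalize(password: str) -> str:
    """Collapse the usual 'variations' (case, trailing digits/punctuation) so
    Winter2016! and winter2016 are treated as the same underlying secret."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def load_export(text: str) -> list[dict]:
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(export_text: str, breached_site: str, breached_address: str) -> dict:
    """Return which sites share the breached password (exactly or nearly) and
    which sites use the breached mailbox as their recovery/reset address."""
    rows = load_export(export_text)
    breached = [r for r in rows if r["site"] == breached_site]
    if not breached:
        raise ValueError(f"no entry for {breached_site} in export")

    exact = {fingerprint(r["password"]) for r in breached}
    near = {normalize(r["password"]) for r in breached}
    report = {"reused": [], "similar": [], "recovery_dependent": []}

    for r in rows:
        if r["site"] == breached_site:
            continue
        if fingerprint(r["password"]) in exact:
            report["reused"].append(r["site"])          # rotate immediately
        elif normalize(r["password"]) in near:
            report["similar"].append(r["site"])         # trivially guessable variant
        if r["recovery_email"].strip().lower() == breached_address.lower():
            report["recovery_dependent"].append(r["site"])  # attacker can reset
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, "mail.yahoo.com", "jdoe@yahoo.com")
    for category, sites in result.items():
        print(f"{category}: {', '.join(sites) or '(none)'}")
```

Every site in the first two lists needs a new, unique password and fresh security answers; every site in the third list needs its recovery address moved off the breached mailbox before that mailbox is closed, or the reset link for those accounts will land in an inbox you no longer control.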

From Yahoo:

What can users do to protect their account?

We encourage our users to visit our Safety Center page for recommendations on how to stay secure online. Some important recommendations we’re re-emphasizing today include the following:

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
  • Review all of your accounts for suspicious activity;
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
  • Avoid clicking on links or downloading attachments from suspicious emails; and
  • Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For more information:


Posted in InfoSec News, Security Alerts

Information Security • PO Box 8136 Statesboro, GA 30460 • (912) 478-1592 •