5 things you should do following the Yahoo breach

The massive data breach can be an opportunity to do some cleanup and implement security recommendations

Internet giant Yahoo announced a massive data breach Wednesday that affected over one billion accounts, making it by far the largest data breach in history.

This follows the disclosure in September of a different breach that affected more than 500 million of the company's customers.

What stands out with this new security compromise is that it occurred over three years ago, in August 2013, and that hackers walked away with password hashes that can be easily cracked.

If you're a Yahoo user you should consider your password compromised and should take all the necessary steps to secure your account. You should follow all of Yahoo's recommendations, but here are a few more that you should have in mind:

1. Don't save emails you don't need

Because space is no longer a problem with most email services, users tend to never delete emails. While that's extremely convenient, it's not a very good idea, because it allows hackers to easily discover what other online accounts are tied to that address by searching for sign-up or notification emails from various online service providers.

Aside from exposing the link between your email address and accounts on other websites, sign-up and notification emails can also expose specific account names that you've chosen and are different from the email address.

You might want to consider cleaning your mailbox of welcome emails, password reset notifications and other such communications. Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?

2. Check your email forwarding and reply-to settings

Email forwarding is one of those "set it and forget it" features. The option is buried somewhere in the email account settings and if it's turned on there's little to no indication that it's active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices or IP addresses.

Another technique that attackers might use to get a copy of your emails is to change the reply-to address in your email settings, although this is noisier and can be spotted more easily than a forwarding rule.

The reply-to field is included in every email message that you send and allows the recipient's email client to automatically populate the To field with an address you chose when they hit reply. If a hacker changes the reply-to value with an address that he controls, he will receive all email replies intended for you and these typically include the original emails that you sent.

In order to ensure that you also get those replies, the attacker can set up a forwarding rule in their own email account and automatically forward those replies to your address.

3. Two-factor authentication everywhere

Turn on two-factor authentication -- this is sometimes called two-step verification -- for any account that supports it, including Yahoo. This will prompt the online service to ask for a one-time-use code sent via text message, phone call, email or generated by a smartphone app when you try to access the account from a new device. This code is required in addition to your regular password, but Yahoo also has a feature called Account Key that does away with regular passwords completely and instead requires sign-in approval via phone notifications.

Two-factor authentication is an important security feature that could keep your account secure even if hackers steal your password.

4. Never reuse passwords

There are many secure password management solutions available today that work across different platforms. There's really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts use passphrases instead: sentences made up of words, numbers and even punctuation marks.

According to Yahoo, this breach happened in August 2013, at a time when the company hadn't yet switched to the more secure bcrypt password hashing algorithm. As a result, most passwords that were stolen are in the form of MD5 hashes, which are highly vulnerable to cracking.

If you made the mistake of using your Yahoo password elsewhere and haven't changed it yet, you should do so immediately and review the security settings of those accounts too. It's very likely that hackers have already cracked your password and had three years to abuse it.

5. Phishing follows breaches

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents. These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed as security tools or can direct users to websites that ask for additional information under the guise of "verifying" accounts.

Be on the lookout for such emails and make sure that any instructions you decide to follow in response to a security incident came from the affected service provider or a trusted source. Official Yahoo emails are easily recognizable in the Yahoo Mail interface because they are marked with a purple Y icon.

In the future, be selective in what personal information you choose to share and which websites you choose to share it with, even when those websites are legitimate. There's no guarantee that they won't be hacked in the future and you simply don't know how securely they store your details.

In Yahoo's case, the compromised account information includes names, email addresses, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. These details can be used to impersonate you or to authenticate you on other websites.

Don't provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as answer. In fact, Yahoo doesn't even recommend using security questions anymore, so you can go into your account's security settings and delete them.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?