
In August 2013, an unauthorized party stole the data of more than 1 billion YAHOO related accounts, not just the 500 million that we reported back on September 22nd. Yahoo’s chief security officer Bob Lord said in a statement yesterday, “We have not been able to identify the intrusion associated with this theft.”
SHOULD I CARE:
YAHOO is the host for a number of big company email systems. Just because you do not have a @yahoo.com account does not mean you are in the clear with this breach. Here are some of the companies that use YAHOO for hosting their email: SBCGlobal, AT&T, BellSouth and, if you are in Canada, an organization called Rogers. Do you use any of these? I bet many of you do!
THIS SHOULD SCARE YOU!
Mr. Lord’s statement continued: “…for potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
The attackers were able to forge a cookie on computers, making your computer believe it had already logged in to your YAHOO related account. Once in your account, all of your data mentioned above was accessible!
HERE IS THE BIG REASON YOU SHOULD CARE:
It is a fact that many people use the same or similar passwords, or the same patterns for making passwords, for all of their other online accounts. There is NOTHING stopping the bad guys from attempting to brute-force their way into any of your other accounts using your email address and either the password that they stole or a variation of that password. What if they get into your bank account?
I AM SCARED SO WHAT SHOULD I DO:
1) Log in to your YAHOO related account (for instance, it could be a YAHOO.COM or SBCGLOBAL.NET account) and change the password to something else, not a simple variation on what you had!
2) Turn two-step verification on for your YAHOO related account. In the business world this is called “Two Factor Authentication”. During the login process, a special random code that expires in minutes is sent to your mobile number for you to enter. Click for the instructions on how to enable Two-Step Verification for YAHOO related accounts.
3) Use a password manager to create custom single-use passwords instead of having the same password for all web sites. Here are some of the ones with a good reputation in the industry; there are other alternatives.
4) Check http://HaveIBeenPwned.com to see if your email address has been released in any data dumps in the past few years. If so, CHANGE YOUR PASSWORDS. Note: Just because your email address comes back clean does not necessarily mean you have not been compromised, as nothing out there is all-inclusive in making this kind of check.
5) Stop using free email from Yahoo and any other company for that matter. Didn’t your parents tell you “There is no such thing as a Free Lunch”? Well, it is true. In my “Cyber security for small businesses and personal Internet safety and privacy” seminars, one of the key points is the proof that your data hosted at many of these “free” places is being sold to data brokers that sell your information to anyone that wants it, sometimes not caring who they are actually selling to. Did you get that last sentence? If not, go back and read it!
6) Set up your own hosted Exchange account, for example using Office 365. You can talk to us at The Best Geeks for this service as well as all other security related services for your business.
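
A check for the "simple variation" problem that step 1 and the password-reuse warning above describe, written as it might run in a password-change form; this is an added example, not code from the original post. The substitution table, the `max_edits` threshold and the sample passwords are assumptions constructed for illustration.

```python
import re

# Assumed, non-exhaustive table of look-alike substitutions to undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def core(password):
    """Base word: lowercase, drop trailing digits/symbols, undo substitutions."""
    p = re.sub(r"[\d\W_]+$", "", password.lower())
    letters = re.sub(r"[^a-z]", "", p.translate(LEET))
    return letters or password.lower()  # all-digit passwords compare as-is

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def is_simple_variation(old, new, max_edits=2):
    """True when new reuses old's base word or is within max_edits of it."""
    o, n = core(old), core(new)
    short, long_ = sorted((o, n), key=len)
    if len(short) >= 4 and short in long_:  # same word with extras bolted on
        return True
    return edit_distance(o, n) <= max_edits

if __name__ == "__main__":
    old = "Summer2013!"  # constructed sample, not a real credential
    for candidate in ["Summer2016!!", "$umm3r#2016", "MySummer2013",
                      "Sumner2013", "correct-horse-battery-staple",
                      "v9Qz!rT2#kLm8x"]:
        verdict = "REJECT (variation)" if is_simple_variation(old, candidate) else "ok"
        print(f"{candidate:32} {verdict}")
```

The check needs the old password in clear text, which a change-password form has at the moment the user types it; it cannot be run against stored hashes.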