Yahoo! tries for new world record and wins … but it already had the world record!

Yahoo Hacked

You all heard the headlines during the year about the massive Yahoo! hack, where in late 2014, hackers had stolen the names, addresses, mobile telephone numbers, dates of birth, security questions and passwords of 500+ million accounts. This was a new world record for the amount of user accounts stolen on the internet.

Well bless their cotton socks, Yahoo! had actually already done even better and they didn’t even realise it. In 2013 over 1 billion accounts had the same type of information stolen, including poorly protected passwords. Yahoo! had no idea that this had happened. It wasn’t until somebody provided the authorities with details that they had come across on the web. The authorities brought this to Yahoo! in October/November, which was when they were still thrashing around after the the September revelations about the 500m accounts, and I can just imagine their response…

Seriously though, this went further than just a huge amount of normal e-mail addresses. It would seem that 150,000 US Government and Military accounts may be at risk as they used Yahoo! mail accounts as backup e-mail addresses.

This is simply beyond embarrassing for Yahoo! and I wonder how much Verizon will knock off the purchase price after this doozey.

Enough with the Yahoo! bashing … What can you do to help protect yourself:

Two-factor authentication:

This will absolutely improve your on-line account protection by a huge amount. Particularly if you use an authenticator app like Google Authenticator. There is even an entire commandment dedicated to it, because it is that good!

Use unique passwords on every site:

Yes, we know it’s difficult to do this, but this is where the bad guys win. If you haven’t received the excellent training available from L2 Cyber Security Solutions, then use a Password manager.

Check auto-forwarding settings:

If the evil doers have compromised your e-mail account, they may have done this in a very sneaky fashion by logging on once, and setting your account to automatically forward all received e-mail to them. This is a particularly stealthy way for them to spy on you. Go to your account settings now and check if there is any forwarding of mail going on.

Don’t save welcome e-mails or password resets:

When you sign-up to services or accounts, you provide your e-mail address and that service or account sends you a “are you the person who just signed up to us” type e-mail, followed by a “welcome to our service” type e-mail. You might also have forgotten your password for such accounts and requested a password reset which they helpfully send to you in an e-mail. 

Well you really should delete all such e-mails after you have read them, because these will lead the evil doers to these accounts, where they will do another password reset and then compromise that account too. If they don’t know what services you subscribe to, they can’t do anything to them.

I’m a BT or Sky e-mail subscriber. I’m not at risk from Yahoo:

Ahhhh … No you’re not. As mentioned in our earlier post, BT and Sky (and many others) used Yahoo! as their back-end e-mail provider. If you had a BT or Sky account back in 2013, then these may be at risk. Refer to the steps above and secure your account now.

Conclusion:

Yahoo! have some serious, serious questions to answer. but you need to protect yourself, So take the above steps at the very least.

Brian Krebs has an excellent Q&A about this mess available here. It’s worth a read.

If you need advice, you can call us on 087-436-2675 or e-mail us on info@L2CyberSecurity.com … and of course: