More Troubles for Yahoo
In the world of high-tech, timing is everything — and Yahoo's timing has been particularly bad as of late. Yahoo recently revealed that, in late 2014, hackers from what the company called a "state-sponsored actor" stole account information from over half a billion users. The potentially compromised data includes names, telephone numbers, e-mail addresses, birth dates, passwords, and security questions. While many passwords and some security questions were encrypted, they are still considered to be vulnerable to cracking by sophisticated hackers.
According to the Privacy Rights Clearinghouse, the Yahoo breach is the largest data breach ever disclosed (making one wonder if there are even larger data breaches that have not yet been uncovered).
There's never a good time to discover a massive data breach, but Yahoo's timing was particularly bad given the company is in the middle of being purchased by telecom giant Verizon in an estimated $4.8 billion deal. So far, Verizon has only issued a statement saying they will evaluate the situation "through the lens of overall Verizon interests."
What the Hack Happened?
Two words in the above description of the Yahoo breach probably caught your attention. The first is "billion." To put the breach in perspective, the total world population in 2014 was around 7.2 billion. The Yahoo hack may have affected 7% of all the people on Earth at the time, regardless of whether or not they had a Yahoo account or even access to the Internet.
The second word is "2014". Yahoo's announcement occurred approximately two years after the breach took place. Unfortunately, it can take a long time for breaches to be discovered as stolen information makes its way through resale channels to thieves that will directly exploit the information. Once the stolen information is disbursed and used for identity theft or false accounts, it can be harder to connect the dots to an individual source.
According to the New York Times, Yahoo was made aware of a potential breach of 280 million user credentials in late July — after the Verizon deal had been announced. This claim of a breach was not substantiated, but while investigating this claim, Yahoo discovered the even larger state-sponsored hack. Had Yahoo not received word of the unsubstantiated breach, the larger hack might not have been discovered until after Verizon completed the purchase.
Because the sale is in the early stages, Verizon has a series of options to consider. Undoubtedly, they were aware of Yahoo's history with hacks — in 2012, Yahoo reported breaches of almost 450,000 user accounts — but the time delay in detecting the hacks should raise red flags at Verizon headquarters.
Verizon still needs Yahoo as a strategic entry into digital media in order to compete with the likes of Facebook and Google, so it seems likely that the breach will simply force Yahoo to accept a re-negotiated lower price. Yahoo's options seem even more limited — without the Verizon sale, their long-term prospects are grim.
Meanwhile, what about your options as a Yahoo user, or former user, with potentially compromised information? You have just one sound option: take immediate action to better protect your information in all accounts (not just Yahoo), and check your credit reports to make sure no unauthorized accounts are lurking in the background without your knowledge.
The Best Prevention: Vigilance and Common Sense
Computer breaches and identity theft have reached epic proportions even without consideration of the Yahoo hack. According to the Bureau of Justice Statistics, approximately 17.6 million Americans were identity theft victims in 2014, the most recent year for which data is available. Identity theft has been the top complaint reported to the Federal Trade Commission for the last 15 years running.
Simple preventative measures can help reduce the chances that your information will be stolen, or that it will be exploited if it is stolen. Start by using meaningful and hard-to-break passwords and include characters in the string when possible. Given a mass data breach, criminals are likely to pick off the low-hanging fruit of accounts with common simple passwords like "123456" and "password" before attempting to crack tougher codes.
Random passwords without any significance are best, but are also hard to remember. If you have trouble remembering the password, a simple trick is to pick a word you can remember and alternate allowed characters like exclamation points in the phrase. Example: "!B!A!N!A!N!A".
Change your passwords frequently and do not repeat them for different sites — the IRS data breach last year was facilitated by people using similar passwords for multiple sites. If you have trouble keeping track, consider using a password management program.
Update your security questions periodically as well, and follow the same principle of not using the same security questions for every site. Most sites give you enough options to avoid repeating questions.
Whenever a site allows, set up your account for two-factor authentication. A second authorization such as a one-time access code texted to your phone makes it much more likely that a thief will move on to an easier target. It does make daily access a bit of a hassle, but that is nothing compared to the hassle of re-establishing your identity and disputing false charges.
Finally, check your credit report regularly. For even greater protection, consider a credit monitoring service like the free Credit Manager by MoneyTips that offers continuous checks on your credit and immediate notification of suspicious activity. The sooner you are made aware of unauthorized account activity or attempts to access your account, the more likely it is that you can prevent major damage.
It's dangerous for Yahoo users or former users to assume that they weren't affected by the hack simply because Yahoo didn't notify them directly or because the hack occurred so long ago. Unfortunately, information breaches have become so common that many people have become desensitized to them, regardless of size. If you fall into this group, remember that desensitization to breaches ends about two seconds after you find that your identity was stolen and/or fraudulent charges were placed on your account.
Whether or not you were a Yahoo user in the years leading up to 2014, the Yahoo breach should be a wake-up call to take the common sense precautions listed above. Look over your credit report, and if you can't take the time to check things over in detail, consider a credit monitoring service. Given today's busy lifestyles, most of us are too distracted to check our accounts on a daily or even weekly basis.
It took Yahoo almost two years to discover their historic data breach. How long would it take you to discover a breach of your account without assistance? Don't wait until your credit cards or loan applications are rejected to take cybersecurity seriously. Be proactive, not reactive.
If you want to see your credit report and credit score within minutes without charge, try Credit Manager by MoneyTips.