Some time around August 2013, Yahoo's email system was attacked and the records of more than 1 billion users were stolen. The stolen information included names, birth dates, phone numbers and passwords that were encrypted with an easily broken form of security. Now they are for sale on the Dark Web.
The breach was much worse than originally reported, and even the most loyal Yahoo users are starting to lose faith in the ability of the service to protect their data and are considering deleting their accounts altogether. There are several steps involved with backing up your contacts and emails so they are accessible to you once you close your account, and Steven J. Vaughan-Nichols does a great job of outlining the process. In the meantime, here are 3 easy steps you should take today to protect your Yahoo account.
1. Change your Yahoo account password on Yahoo services such as Yahoo Mail or Flickr. To do this, go to Account Info on your Yahoo account page, click on Account security, then choose Change password.
2. Turn on two-step verification.
3. If you still have security questions, click "Disable security questions" on the Account Security page, since Yahoo's security questions were also cracked. Then disable all of them.
This is a great time to review the strength of your passwords and how you manage them. Don’t use the same password for multiple accounts; if someone breaks into any of your accounts, all those accounts with the same password are at risk.
Here are some tips for generating secure passwords:
- Make a random 2 to 4 word passphrase that does not include any elements from your name, organization, address or any information associated with you
- When generating your own password, it should contain uppercase and lowercase letters, punctuation and a number, and be a minimum of 14 characters long
- Change your passwords every 3 to 6 months and don’t reuse them
- Do not store your password list in the cloud, such as on Google Docs or Dropbox
- Consider two-step verification on services that provide it
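As an added example (not part of the original article), this Python code checks a candidate password against the length and character tip above, applies the "nothing associated with you" rule from the first tip, and generates a compliant password from the operating system's secure random source. The function names and the sample personal details are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 14  # minimum length from the tip above
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "number": string.digits,
    "punctuation": string.punctuation,
}

def policy_failures(password, personal_info=()):
    """Return the tips the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 14 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name} character")
    lowered = password.lower()
    for item in personal_info:
        for token in item.lower().split():
            # Skip 1-2 letter tokens so initials do not cause false matches.
            if len(token) >= 3 and token in lowered:
                failures.append(f"contains personal detail: {token}")
    return failures

def generate_password(length=20, personal_info=()):
    """Draw from the OS CSPRNG (secrets) until every check passes."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 14")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_failures(candidate, personal_info):
            return candidate

if __name__ == "__main__":
    # Constructed sample inputs; "Pat Example" and "Acme" are made-up details.
    info = ["Pat Example", "Acme"]
    print(policy_failures("Yahoo2013", info))
    print(policy_failures("PatLovesAcme#2013", info))
    print(generate_password(20, info))
```

A password can satisfy every character rule and still fail because it is built from your own name or employer, which is what the second sample input shows.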
It can be difficult and time-consuming to manage dozens, if not hundreds, of unique online passwords. There are several password management solutions that can help you both generate and manage secure passwords for your online accounts. For instance, LastPass offers free and premium password generation and management services (although it does not generate passphrases). With LastPass you only need to remember one master password to access the other passwords it encrypts and stores for you. (For an overview of how best to manage your passwords, along with some tools for storing them, read Sinu's blog: How secure is your password.)
According to Vaughan-Nichols, “Yahoo has another login authentication option called the Yahoo Account Key. With this, instead of entering passwords every time you login to your Yahoo account, you'll get a notification on your Android or Apple device.”
As is the way of today’s world, bad people are trying to capitalize on Yahoo’s misfortune through phishing attacks. If you get an email saying your Yahoo account may have been hacked and it asks you to click a link to re-secure your account, don’t click on it. Yahoo's official emails have the subject line: "Important Security Information for Yahoo Users" and will look like these examples from Yahoo.
Whether you have a Yahoo account or not, this is a good time to review your passwords, set up two-factor authentication and make sure you are using unique passwords – or better yet, passphrases – for each account. As you find a balance between convenience and data security, we suggest moving the balance point as far toward security as you can and considering a password generation and management solution to make your online life easier and more secure.