Yahoo Data Breach Means Hackers Are After More Than Just Your Name
The Identity Theft Resource Center has been tracking data breaches for over ten years, and has seen the trends shift greatly in that time. Cybercrime has evolved from the days when highly-skilled thieves exploited vulnerabilities in network security in order to steal data. Now, anyone with the right tools and a little bit of know-how can use less sophisticated methods like phishing, ransomware attacks, and account spoofing.
But just as the tactics that cybercriminals use have changed, so has the information they’re seeking. Where hackers once sought credit card numbers in order to make high-dollar purchases before the accounts were closed, now they’re going after individuals’ more permanent information, like Social Security numbers and birthdates.
Last week’s announcement of what may be the largest single data breach in history demonstrates how hackers are once again looking for new sources of data in order to turn a profit. When Yahoo announced that cybercriminals, believed to be government-sponsored foreign operatives, had breached a server and downloaded more than 500 million account holders’ information, the company mentioned a highly specific and seemingly harmless piece of information.
The hackers not only took names, user names, and hashed passwords, but also downloaded the answers to security questions. These questions, whose answers only the user should be familiar with, are used to reset the password if it’s forgotten, and can be used in two-step authentication. This means the user has to answer the security question correctly in order to log in.
Security questions tend to be fairly uniform across different websites and contain fairly harmless personal details. Your mother’s maiden name or your childhood pet’s name, for example, aren’t usually considered classified information. The problem, though, is that many sites use a very small list of questions. If a criminal learns the answer to your question on one site, he can use that same answer to log into your account on other sites. Even worse, he can use your security questions to lock you out of a different account by changing the required question.
This is another example of the permanent information that hackers go after. Just like your Social Security number, your childhood best friend’s name is probably not going to change. And sure, you could just make up a new answer to these questions on every different site, but you run the risk of forgetting which name you gave to which sites.
Fortunately, there is a better solution, and it’s actually rather easy. Tech users have long been warned about the need for strong, unique passwords. A strong password contains at least eight characters, including a combination of uppercase, lowercase, numbers, and symbols. A password is considered unique if you use it on only one website or account.
In order to keep your accounts secure, you can take one more step: change your password routinely. Yahoo has announced that this information was actually taken back in 2014, and anyone who hasn’t changed the password since that time is at risk. If you have the option to change your security questions, rotate those out, too. This month it’s mom’s maiden name; in a few months it’s the name of your childhood pet; sometime after that, change it to the street you grew up on. These steps are vital if your information might have been accessed in the Yahoo breach, but they’re a good idea for all digital citizens to follow in order to prevent the loss of their data.