Yesterday, Yahoo confirmed a data breach affecting 500 million accounts, including logins, names, logins, birthdays, and security questions. The good news is that the passwords were encrypted with a strong hash algorithm, so they’re relatively protected for now. The bad news is, the breach happened in late 2014, so all that data has been kicking around for nearly two years.
It’s too early to say exactly which users are in the dump, but the number is so large that if you are a Yahoo user — or even just a human being on Earth — the odds are pretty good that you’re in there somewhere. In case you are, here are a few quick things you can do to make sure nothing from the breach ends up coming back to you.
Change your password and your security questions
Yahoo’s already started doing this, and the strong hash on the passwords means it will take a lot of time and computing power before any criminals can actually get the passwords in unencrypted form. Still, better safe than sorry. Change every password and security question linked to Yahoo, Flickr or Tumblr — it's easy to do, and it will make a huge difference if the hackers have any surprises in store.
Use a password manager
If criminals ever do break through that password hash, the damage will go far beyond Yahoo itself. The most popular attack in these situations is something called a credential stuffing attack — running the Yahoo login / password pairs against other sites to see if anyone used the same password for both services.
Experts say that, on average, 2 percent of passwords in a given dump will match with a given site. In this case, that means 10 million people, or roughly the population of Portugal.
The easy answer (which you’ve probably heard before) is "don’t reuse passwords," which is true, but easier said than done. The better answer is to use a password manager like 1Password, LastPass, or Dashlane, which will generate strong, unique passwords for each service. Each one has its own strengths and weaknesses — but even the weakest is better than keeping your old passwords and potentially losing control of your accounts.
Use two-factor authentication
Of course, those passwords will matter a lot less if you’re using two-factor authentication on all your accounts. Do it! Google Authenticator is great, and I am a big fan of my Yubico key. SMS isn’t perfect, but it’s pretty good, too. Just use something!
Kill your security questions
This one is probably the hardest — but if you want to completely cut off the fallout from the Yahoo dump, it’s necessary.
Part of the information taken from Yahoo was security questions: questions like "What was the make of your first car?" or "What was the mascot of your high school sports team?" Yahoo can stop using those questions, but the information doesn’t stop being true, and there will be plenty of other services using the same questions. This is how hackers went after tax returns in 2015 — and there’s every reason to think they’ll try the same attacks next year.
So, how can you protect yourself? The only real answer is to break the security question system entirely. Every time you’re presented with a security question field, give a unique and untrue answer — effectively, a backup password. Write it down, lock it away, and never give the same one twice. When the time comes to reset your password, you’ll be the only one who knows the answer.
Of course, that’s an extreme solution and not everyone has the stomach for it, so if you want to stick to the first three points here, I totally get it. Just do what you can, and try not to get hacked out there!