Yahoo Inc. just revealed its second major breach in a year. Its first disclosure, taking place in September, claimed that cybercriminals stole data on more than 500 million users. Its second disclosure, taking place on Wednesday, announced that cybercriminals stole data on more than a billion of the service’s users. The criminals, essentially, stole the details of almost every Yahoo account.
The stolen data includes names, email addresses, telephone numbers, dates of birth, hashed passwords (more on this in a moment) and encrypted and unencrypted security questions and answers. The cybercriminals did not compromise any clear-text (normal text, like what you’re reading now) passwords, banking information or payment card data, according to Yahoo. The company has not been able to identify how the data was stolen, though it does say it believes the intrusion began in August 2013.
And that’s not all. While Yahoo did take the precaution of hashing passwords—essentially jumbling passwords so much they become unrecognizable—the cybercriminals behind the attack can still bypass a password challenge, thanks to forged cookies. Cookies, in internet lingo, are a type of tracker stored on each user’s computer. This tracker contains information relevant to a particular website or service and the user it’s assigned to, allowing that user to enjoy easier access to services and more.
Cybercriminals, however, can use forged cookies to trick Yahoo’s service into thinking a user is accessing their account when it’s actually the criminal in question. Yahoo has invalidated these cookies and is in the process of notifying users affected by this technique. The forged cookies are a bigger problem than it immediately seems, since it suggests a hostile party had access to the company’s proprietary code—a major issue for any organization dependent on software for profit.
Regardless, there are steps you should immediately take if you ever find yourself involved in a massive data breach like this one:
- First, change your password. The first order of business is logging into the affected account and changing your password. It should be a complex password, with capital and lower-case letters, numbers and symbols, and should contain at least eight characters. If you have trouble coming up with such passwords or, more likely, trouble remembering them, then consider investing in a password management solution, which helps generate and store complex passwords for you.
- Keep an eye out for suspicious activity. A post-breach environment is a prime time for hackers—particularly for phishing scammers. These crooks depend on tricking users into giving up information based off of appeals to authority and immediacy, often via email. Never click on or respond to any email asking for personal data or account login information. Don’t click on any links in an email purporting to be from a compromised service. Instead, type in the website’s web address on your own and reset your password from there.
- Use comprehensive security. No one is capable of being on guard 24 hours a day, seven days a week. For that, you’ll need a comprehensive security solution capable of doing all the security monitoring for you. For that, there are a range of security solutions, like McAfee LiveSafe™, which stay up to date on the latest malware threats and protect your devices from the woes of dangerous websites and more.
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.