Years ago, long before the recent incidents, my Yahoo account was hacked. I was not pleased and immediately dumped my Yahoo! email account and went over to Gmail.
Although I haven’t used Yahoo much since then, I received their official email on the massive hacking of their accounts. To date, this intrusion has been one of the biggest hacks in history, possibly compromising some one billion accounts.
I wish I had some cybersecurity expert to quote who could explain exactly what happened at Yahoo — and why. But even the company appears to be mystified, or is simply not releasing details.
In any case, it’s a cause for concern if you use their servers or email. It’s not clear if they’ve fixed the security issues, although they are posting updates here.
Here’s their most recent “Notice of Data Breach” email, signed by Bob Lord, Chief Information Security Officer, interspersed with my pointed questions:
President and CEO of Yahoo! Marissa Mayer. (Photo by Matt Winkelmeyer/Getty Images for Glamour)
“Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data.
Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
So now there were two major hackings. Did the company not know after the first breach that they had a problem? What did they do to prevent another breach after the first incident? And why are we now just hearing about it? Who were the forensic experts and why did outside law enforcement (which agency) get involved? Did Yahoo not have internal security people who could detect the breach?
“The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
What exactly did the hackers steal and what are they likely to do with the information? Identity theft looks like the obvious reason, but what am I missing?
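One thing the notice glosses over is what “hashed passwords (using MD5)” actually buys a user. The short answer is: not much, and the added example below shows why. It is my illustration, not Yahoo’s code or anything taken from the notice; the user records are constructed sample data, and the salted PBKDF2 routine is the kind of scheme a modern service would use instead, shown for contrast.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample records, the shape a leaked password table might take.
# None of these are real accounts or real Yahoo data.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",   # same password as alice
    "carol@example.com": "tr0ub4dor&3",
}


def md5_unsalted(password: str) -> str:
    """Store a password the way the notice describes: bare MD5, no salt.

    MD5 is a general-purpose hash designed to be fast, and with no salt the
    same password always yields the same 32-hex-character digest.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_hash_groups(hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored hashes are identical.

    With unsalted hashes an attacker holding the dump learns which users share
    a password without reversing a single hash, and one guess that matches a
    popular hash value unlocks every account in that group at once.
    """
    groups: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Store a password with a random per-user salt and a deliberately slow KDF.

    The salt makes identical passwords hash differently, so precomputed tables
    and duplicate-grouping both stop working; the iteration count makes every
    guess expensive. (PBKDF2-HMAC-SHA256 from the standard library is used here
    because it needs no extra packages; bcrypt, scrypt or Argon2 are the usual
    production choices.)
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes,
                  iterations: int = 600_000) -> bool:
    """Check a login attempt against a stored (salt, digest) pair in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def cost_ratio(samples: int = 1000) -> float:
    """Rough ratio of one PBKDF2 computation to one MD5 computation.

    Timing is machine dependent, but the ratio is reliably in the hundreds or
    more: that gap is the whole point of a password-specific hash.
    """
    pw = USERS["carol@example.com"]
    start = time.perf_counter()
    for _ in range(samples):
        md5_unsalted(pw)
    md5_each = (time.perf_counter() - start) / samples

    start = time.perf_counter()
    pbkdf2_salted(pw)
    pbkdf2_each = time.perf_counter() - start
    return pbkdf2_each / max(md5_each, 1e-9)


if __name__ == "__main__":
    md5_table = {user: md5_unsalted(pw) for user, pw in USERS.items()}
    print("Users sharing an MD5 hash:", duplicate_hash_groups(md5_table))

    pbkdf2_table = {user: pbkdf2_salted(pw) for user, pw in USERS.items()}
    a_salt, a_digest = pbkdf2_table["alice@example.com"]
    b_salt, b_digest = pbkdf2_table["bob@example.com"]
    print("Same password, different salted digests:", a_digest != b_digest)
    print("Alice logs in with her password:",
          verify_pbkdf2(USERS["alice@example.com"], a_salt, a_digest))
    print("One PBKDF2 costs roughly %.0fx one MD5" % cost_ratio())
```

Run as a script it prints the duplicate group (alice and bob), confirms that the salted scheme gives the same password two different digests, and reports how much slower each PBKDF2 guess is than an MD5 guess. That is the practical difference between “hashed” in the notice and hashed in a way that would have protected users: the MD5 table exposes shared passwords immediately and lets every guess be checked at full speed, which is why the advice to change any reused password is the part of the notice that matters most.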
“The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.”
Okay, so that’s somewhat good news. What is Yahoo doing differently to protect this information? Is it stepping up cybersecurity measures?
“We are taking action to protect our users:
— We are requiring potentially affected users to change their passwords.
— We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
— We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”
Well, that’s nice. Again, why did you wait two to three years to tell us?
“What You Can Do
We encourage you to follow these security recommendations:
— Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
— Review all of your accounts for suspicious activity.
— Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
— Avoid clicking on links or downloading attachments from suspicious emails.
— Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.”
Thanks, Yahoo. This is all pretty sound advice, although it’s coming kind of late, don’t ya think? What constitutes “suspicious activity”? What are you doing to prevent further breaches? We need some specifics before we log on again.
All told, I’d say this massive security nightmare was handled incredibly poorly by Yahoo. They’ve been slower than snail mail in responding and in assuring Yahoo users that they should keep using their services.
One can only hope that Verizon, which is in the process of buying Yahoo, will have more aggressive security. That is, if the deal still goes through after these incidents. In the meantime, change your passwords and don’t respond to unsolicited emails.