The Yahoo! Breach – What Happened, What You Can Do, and Why

If you had a Yahoo account in 2014, you should read this to find out what happened, and what you can do about it. The bottom line is, the advice that Yahoo is giving their users is not nearly enough to protect from the scale of this data breach.

The timeline seems to suggest that much of the damage may have already been done because the information has been on sale in the Deep Web for at least two months, or longer. The Yahoo breach, originally thought to have occurred in 2012, actually occurred in late 2014 according to the company.

On December 5, 2015, InfoArmor informed some of its clients that their Yahoo Mail account passwords may have been compromised; see email, below.

Then, on August 1, 2016, Hacker News reported that a user with the handle “peace_of_mind” had posted for sale “200 Million hacked Yahoo Accounts.” And, of course, Yahoo confirmed stolen data of 500M accounts today.

Passwords NOT safe

Yahoo has given us conflicting information on the question of whether or not Yahoo passwords are safe.

First, in their announcement today, Yahoo told us that the passwords in the compromised user accounts were “hashed.” That is good news for you if you happen to be a Yahoo user, or if you *were* a user in 2014. Hashing is a common way of protecting stored passwords: the password is run through a one-way function and only the result is stored, so someone who steals the stored value cannot simply read the original password back out of it. If you are curious about bcrypt, the type of hashing used by Yahoo for “most” of the passwords that were compromised, read about it here.

So, it would seem that the 2014 Yahoo account passwords are safe, right? There are a couple of problems with that: According to Yahoo, some passwords were hashed with bcrypt, and others were not, which is probably why Yahoo has also asked its users to reset their passwords.

“We are asking potentially affected users to promptly change their passwords…” – Yahoo

Changing passwords is an inconvenience to its users which should not be made without good reason. Again, Yahoo believes that “at least” 500 million user accounts were compromised. That’s approximately the number of every man, woman, and child on the continent of North America. And, it is a reasonable expectation that a corporation will only ask a continent full of people to do something if it is unavoidable.

Also, in their statement, Yahoo said that the “vast majority” of their passwords were hashed with bcrypt. This is consistent with what Hacker News reported:

“Since the passwords are MD5-encrypted, hackers could easily decrypt them using an MD5 decrypter available online, making Yahoo! users open to hackers.”

These numbers are definitely not proof, but they seem to tell a logical story: Of the 500M passwords stolen, the vast majority (300M) were hashed with bcrypt, and the rest (200M) used MD5.
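To make the bcrypt-versus-MD5 distinction concrete, here is an added illustration that is not part of the original article. It assumes a constructed wordlist, and since bcrypt is not in Python’s standard library, PBKDF2-HMAC stands in for it as the salted, slow scheme; the property shown (a per-user salt plus a work factor) is what separates the two groups of Yahoo passwords.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist for the demo (not real leaked data).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "sTeak8shoe"]
ROUNDS = 100_000  # work factor for the slow hash; bcrypt has an equivalent "cost"


def md5_hex(password: str) -> str:
    """Unsalted MD5: the same password always yields the same hash, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes) -> str:
    """Salted, deliberately slow hash stored as 'salt$digest'.
    PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: bcrypt is not
    in the standard library); per-user salt plus a work factor is the point."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()


def build_md5_lookup(wordlist) -> dict:
    """Precomputed table like the online 'MD5 decrypters' the article mentions.
    Because MD5 here is unsalted, one table built once covers every account."""
    return {md5_hex(pw): pw for pw in wordlist}


def recover_from_md5(stored_hash: str, lookup: dict):
    """Return the password if its unsalted MD5 is in the table, else None."""
    return lookup.get(stored_hash)


def verify_slow_salted(password: str, stored: str) -> bool:
    """A salted hash can only be checked by recomputing it with that record's own
    salt, so no shared table applies and every guess costs ROUNDS of work."""
    salt_hex, _ = stored.split("$")
    candidate = slow_salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def demo():
    """Compare the two schemes on the same password."""
    lookup = build_md5_lookup(COMMON_PASSWORDS)
    recovered = recover_from_md5(md5_hex("letmein"), lookup)  # "letmein"
    user_a = slow_salted_hash("letmein", os.urandom(16))
    user_b = slow_salted_hash("letmein", os.urandom(16))
    same_stored_value = user_a == user_b  # False: different salts, same password
    return recovered, same_stored_value, verify_slow_salted("letmein", user_a)
```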

So, assume your password was stolen. Keep reading to see what you can do about it.

Worse than stolen passwords

According to Yahoo:

“The (stolen) account information may have included names, email addresses, telephone numbers, dates of birth…unencrypted security questions and answers.”

That is bad. Really bad. Why? Passwords can be changed. However, it is a little more difficult to change your name, address, or date of birth. And, the name of your elementary school will always be the name of your elementary school; also hard to change.

On the surface, it may not seem like a big problem to have your name available on the internet, given that a Google search on most of our names will reveal a large quantity of information, and a physical address is not hard to find. The trouble is, if all of that information from Yahoo is now in the hands of criminals, the set of data, including address, email and birthday, will make it easy for criminals to systematically try to find additional information, such as your social security number, your financial accounts, and even your employment accounts. For example, if they knew your name, address, birthday, and a few security questions, they may be able to convince a customer service operator at your bank that they are you. Then, they can change the address on your account, get a duplicate card sent to the fake address, and even open a new card in your name.

Don’t forget your email accounts

Did you reuse your Yahoo password as the password on your email account? Yes? No? If you are not sure, then assume that you did. Many of us reuse passwords; it’s not a crime, but it can create punishment. If a criminal gets control of your email account, including your hosted Yahoo mail account, that criminal will have tremendous access to your entire digital life, because a criminal can use access to your email account as a way to gain access to your financial accounts, your social media accounts, and to invade your privacy in many other ways. Why? Because most accounts have an option on their website that reads, “Forgot Password?” Click it, and you receive an email to the account on file to reset the password. Even if the criminal never knew your password, if they can read your email, then they can reset the password of another account to anything they want, and even change the email on file at that account to completely take control.

What is a hacked email account worth? The best article I’ve ever read on this topic was written by Brian Krebs, and you can find it here.

No mention of Credit Cards or Financial Information

As CNN reported,

“The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.”  – CNN

That’s important because access to the stolen data does not give a criminal direct access to a credit card number. However, the data could allow a reasonably skilled criminal to gain control of your credit card account, and possibly other types of financial accounts.

What Yahoo is advising its users to do

Yahoo asks its 500 million users to take an unprecedented step in ensuring their privacy and security:

“Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.” – Yahoo

This is actually a request for a staggering amount of work. First, you have to figure out what your security questions and answers were in late 2014. If you’re somehow able to figure that out with some degree of certainty (perhaps you haven’t changed them since 2014), the next step is to figure out all of the other accounts on which you may have used the same answer to the same security question. And, of course, step three is to go to all of those accounts, and reset all of your security questions. Of course, if one of those other accounts, say your bank, only gives you three choices of security questions, and you happen to use the same three security questions on your Yahoo account, then you’re faced with making up a new maiden name for your mother.

Obviously, what Yahoo is requesting represents an unreasonable amount of work for an unreasonable number of people. Again, corporations should never ask a continent full of people to perform hours of unnecessary work. It’s bad for the brand.

Here are the specific points from Yahoo’s announcement:

  • Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

What Yahoo is not advising, but you should do anyway

When changing your passwords, and updating your security questions, focus on two types of accounts: your financial accounts, and your email. Financial accounts represent the most direct source of money to the criminals who may have your information. But email accounts can be used to reset most (or all) of your private accounts, so be sure to check those too.

In addition to what Yahoo is advising, you should:

  • Turn on 2-factor authentication, if available, to all of your financial accounts.
  • When you change your password, don’t reuse it. Ever.
  • Create a password from two or more nonsensical words and a number. For example, “sTeak8shoe” is far more secure than “we1rD” because length and uniqueness are important elements of a strong password.
  • Run a free credit report. With the information that was stolen from Yahoo, a criminal would have almost enough information to open a credit account in your name. For US citizens, all the criminal would need is a valid social security number, which is easily attainable on the Deep Web. If you decide to check with your credit bureaus, request a free copy of your credit report at all three credit bureaus.

For more tips and suggestions about how to change your password, and how to generally protect yourself online, read my book, Digital Habits:

Published by

David W. Schropfer

David W. Schropfer is the CEO of SAFE (Smartphone Authentication For Everyone), a cybersecurity company in New York. Every day, he and his team of professionals keep the people who use The SAFE Button protected from some of the most common traps, hacks and attacks that target computer systems of all sizes. David is the author of the bestselling cybersecurity book, Digital Habits: 5 Simple Tips to Help Keep You and Your Information Safe Online. His previous books, including The Smartphone Wallet and industry whitepapers, predicted some of the biggest trends in the payments, mobile, and security industries. Since graduating from Boston College, David earned an Executive MBA from the University of Miami.
