The data stolen may have included names, email addresses, telephone numbers, dates of birth and hashed passwords (the vast majority hashed with the relatively strong bcrypt algorithm). According to Yahoo, sensitive financial data is not believed to have been stolen. For more details on the full story, see the linked Reuters article.
How this affects you:
While you may not have a Yahoo email account yourself, many of your friends and family do. If so, you may be exposed to what are known as spear phishing attacks. Phishing is an attempt to obtain sensitive information that a thief does not already have by posing as a legitimate party, as in the well-known Nigerian Prince emails.
What you need to do:
There are a few basic steps that you can take:
- First and foremost, if you do have a Yahoo account, take two minutes out of your day to change your Yahoo password immediately; don’t use the same password on different sites you access
- Be on guard for any and all suspicious-looking emails, and take extra care before following links in emails, even those that appear to come from friends and family, especially anyone who may have a Yahoo email account
- Implement multi-factor authentication for Yahoo and other online services where available
- Be on the lookout for phishing or social engineering attacks in the form of suspicious emails; never send your private personal information to someone asking for it over email.
- Consider using a centrally managed password manager or password vault. LastPass and RoboForm each offer a free solution that will let you generate complex, unique passwords for all your online activities. Make sure to use a very complex “Super Password” for this account, but don’t worry: it should be the only password you need to remember.
Cybersecurity teams should take the following steps to protect corporate information:
- Audit use of Yahoo on the corporate network to learn how many employees are using Yahoo, and encourage those users to turn on additional security measures such as multi-factor authentication to minimize their exposure to the breach
- Consider temporarily blocking data uploads to Yahoo at work
- Monitor cloud use to look for high risk activity that may be indicative of a hijacked account or data theft attempt
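One way to carry out the audit and upload-monitoring steps above from web proxy logs, as an added example that is not part of the original post. The log format (`timestamp user method url bytes_sent status`), the sample lines and the 10 MB upload threshold are all assumptions; adjust them to your proxy's actual output.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real data); assumed format:
# "<timestamp> <user> <method> <url> <bytes_sent> <status>".
SAMPLE_PROXY_LOG = """\
2016-09-23T09:01:12Z alice GET https://mail.yahoo.com/inbox 0 200
2016-09-23T09:02:40Z bob GET https://www.example.com/news 0 200
2016-09-23T09:05:03Z alice POST https://mail.yahoo.com/compose 1800 200
2016-09-23T09:07:55Z carol POST https://mail.yahoo.com/attach 24500000 200
2016-09-23T09:09:10Z dave GET https://login.yahoo.com/ 0 302
2016-09-23T09:10:02Z eve GET https://yahoo.com.example.net/ 0 200
2016-09-23T09:11:27Z carol POST https://mail.yahoo.com/attach 31000000 200
"""

# Anchored on the host so that "yahoo.com.example.net" does not count as Yahoo.
YAHOO_HOST = re.compile(r"^https?://([a-z0-9-]+\.)*yahoo\.com(/|$)", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

# A single POST to Yahoo above this size is flagged as a possible bulk upload (assumed threshold).
UPLOAD_BYTES_THRESHOLD = 10_000_000


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, sent, status = m.groups()
    return {"ts": ts, "user": user, "method": method, "url": url,
            "bytes_sent": int(sent), "status": int(status)}


def audit_yahoo_usage(log_text, threshold=UPLOAD_BYTES_THRESHOLD):
    """Return ({user: yahoo_request_count}, [(ts, user, bytes) for large uploads to Yahoo])."""
    users = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not YAHOO_HOST.match(rec["url"]):
            continue
        users[rec["user"]] += 1
        if rec["method"] == "POST" and rec["bytes_sent"] >= threshold:
            alerts.append((rec["ts"], rec["user"], rec["bytes_sent"]))
    return dict(users), alerts


if __name__ == "__main__":
    users, alerts = audit_yahoo_usage(SAMPLE_PROXY_LOG)
    print(f"{len(users)} user(s) reached Yahoo: {sorted(users)}")
    for ts, user, nbytes in alerts:
        print(f"ALERT {ts} {user} sent {nbytes} bytes to Yahoo in one request")
```

The user list is the population to contact about enabling multi-factor authentication; the alerts are the candidates for the upload review described above.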