Here's what you should know, and do, about the Yahoo breach

By Lucian Constantin | IDG News Service | PCWorld (http://www.pcworld.com/article/3123398/security/heres-what-you-should-know-and-do-about-the-yahoo-breach.html)
Published 2016-09-24

Yahoo's announcement that state-sponsored hackers have stolen the details of at least 500 million accounts shocks both through scale—it's the largest data breach ever—and through the potential security implications for users.

That's because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider, and email accounts are central to users' online lives. Not only are email addresses used for private communications, they also serve as recovery points and log-in credentials for accounts on many other websites.

An email compromise is one of the worst data breaches that a person could experience online, so here's what you should know:

Fifty shades of hashing

Yahoo said that the "vast majority" of the stolen account passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that transforms data into a set of random-looking characters that serves as its unique representation—this is called a hash.

Hashes are not supposed to be reversible, so they're a good way to store passwords. You take an input, such as a password, pass it through a hashing algorithm and compare the result to a previously stored hash.

This provides a way to verify passwords at log-in time without actually storing them in plain text in the database. But not all hashing algorithms offer equal protection against password cracking attacks, which attempt to guess which plaintext password generated a specific hash.

Unlike the ageing MD5, which is quite easy to crack if implemented without additional security measures, bcrypt is considered a much stronger algorithm. This means that, in theory, the likelihood of hackers cracking "the vast majority" of Yahoo passwords is very low.

But here's the problem: Yahoo's wording suggests that most, but not all, passwords were hashed with bcrypt. We don't know how many passwords were hashed with another algorithm, or which one it was. The fact that this hasn't been specified in Yahoo's announcement or FAQ page suggests that it's an algorithm weaker than bcrypt and that the company didn't want to give away that information to attackers.

In conclusion, there's no way to tell whether your account was among those whose passwords were hashed with bcrypt, so the safest option at this point is to consider your email compromised and to do as much damage control as possible.

Don't keep emails just because you can

Once hackers break into an email account they can easily discover what other online accounts are tied to that address by searching for sign-up emails. These are the welcome messages that most websites send when users open a new account, and which users rarely delete. These days most email providers offer enough storage space that users won't ever have to worry about deleting messages.

Aside from exposing the links between an email address and accounts on various websites, those sign-up emails can also expose the specific account names chosen by the user, if different from their email address.

If you're among the people who don't delete welcome emails and other automatic notifications sent by websites, such as password resets, then you might want to consider doing so, and even go back and clean your mailbox of such communications.

Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even on a number of websites, but why make it easier for them to compile a full list?

Be careful when asked for your personal details

Among the account information that hackers stole from Yahoo were real names, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of those details are sensitive and are also used for verification by banks and possibly government agencies.

There are very few cases when a website should have your real date of birth, so be judicious about providing it.

Also, don't provide real answers to security questions if you can avoid it. Make something up that you can remember and use that as the answer. In fact, Yahoo doesn't even recommend using security questions anymore, so you can go into your account's security settings and delete them.

Check your email forwarding rules regularly

Email forwarding is one of those "set it and forget it" features. The option is buried somewhere in the email account settings that you never check, and if it's turned on there's little to no indication that it's active.

Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails, and never log back in again. Because there are no further log-ins, the service also never sends you notifications about repeated suspicious log-ins from unrecognized devices and IP addresses.

Two-factor authentication everywhere

Turn on two-factor authentication—sometimes called two-step verification—for any account that supports it. The online service will then ask for a one-time-use code, sent via text message or generated by a smartphone app, in addition to the regular password when you try to access the account from a new device.

It's an important security feature that could keep your account secure even if hackers steal your password. Yahoo offers it, so take advantage of it.

Don't reuse passwords; just don't

There are many secure password management solutions available today that work across different platforms. There's really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts, use passphrases instead: sentences made up of words, numbers and even punctuation marks.

Here comes phishing

Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents.

These emails can masquerade as security notifications, can contain instructions to download malicious programs passed off as security tools, can direct users to websites that ask them for additional information under the guise of "verifying" their accounts, and so on.

Be on the lookout for such emails and make sure that any instructions you decide to follow in response to a security incident came from the affected service provider or a trusted source.