In what could be the largest data breach in history, Yahoo announced today that attackers infiltrated its servers in 2014 and walked away with account information for at least 500 million users. The stolen information may include names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority hashed with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Yahoo believes the attack was conducted by a state-sponsored actor rather than a small hacking group or a lone hacker.

In a notice posted to Tumblr, Yahoo's CISO Bob Lord stated:

We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what we believe is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.

So what does this mean for Yahoo users? If you used your Yahoo password on other sites, go to those sites and change the password now. With modern hardware, cracking stolen password hashes is no longer the hard task it used to be; bcrypt slows each guess down, but it does not rescue a weak or reused password. Criminals will buy this Yahoo data, crack the passwords, and try to use them to log in to other accounts you own. This could lead to identity theft, massive spam attacks, or banking theft.

With that said, the first thing anyone with a Yahoo account should do is immediately change their passwords at the other sites they visit.
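The warning above rests on hash speed: a fast hash lets an attacker test huge wordlists in seconds, while bcrypt's work factor makes every guess expensive. The following added example (not from the article or from Yahoo) measures that difference on the local machine, using PBKDF2 from Python's standard library as a stand-in for bcrypt's tunable cost; the salt and password are constructed values.

```python
import hashlib
import hmac
import time

# Constructed sample values; a real system stores a random per-user salt.
SALT = b"constructed-16-byte-salt"
STORED_PASSWORD = b"correct horse battery staple"


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One SHA-256 per guess: cheap for the defender, cheap for the attacker."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stand-in for bcrypt (assumption: PBKDF2's iteration count models
    bcrypt's work factor). Every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(stored_hash: bytes, candidate: bytes, salt: bytes, hash_fn) -> bool:
    """Check a login attempt with a constant-time comparison."""
    return hmac.compare_digest(stored_hash, hash_fn(candidate, salt))


def guesses_per_second(hash_fn, sample: int) -> float:
    """Measure how many guesses per second `hash_fn` allows on this machine."""
    start = time.perf_counter()
    for i in range(sample):
        hash_fn(b"guess-%d" % i, SALT)
    return sample / (time.perf_counter() - start)


def seconds_to_exhaust(dictionary_size: int, rate: float) -> float:
    """Time needed to try every entry of a wordlist at `rate` guesses/s."""
    return dictionary_size / rate


if __name__ == "__main__":
    fast_rate = guesses_per_second(fast_hash, 20_000)
    slow_rate = guesses_per_second(slow_hash, 20)
    for name, rate in (("SHA-256", fast_rate), ("PBKDF2 (bcrypt stand-in)", slow_rate)):
        print(f"{name}: {rate:,.0f} guesses/s; a 10M-word list takes "
              f"{seconds_to_exhaust(10_000_000, rate):,.0f} s")
```

The gap in guesses per second is why the bcrypt detail matters, and why it only helps if the password is strong and not shared with other sites.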

So how can you protect yourself from data leaks in the future?

Data leaks are becoming so common, I suggest that people use the following strategies to keep their online accounts secure:

  1. Never reuse the same password at another site. Yes, I know this is a pain in the arse, but so is getting your bank account broken into. There is no excuse not to use password managers such as KeePass or online services like LastPass to store unique passwords for every site you visit.
     
  2. Never reuse the same password at another site. No, this wasn't repeated by mistake. Most people will ignore step 1, so I am repeating it.
     
  3. Enable two-step verification on any online accounts that support it. Two-step verification makes your online accounts more secure because it requires users to log in with their normal password plus a one-time code sent to their cell phone or a chosen email address. This sounds like a pain, but you quickly get used to it, and it makes your account far harder to take over with a stolen password alone.
     
  4. Use strong, complex passwords. If you use a password manager as suggested in step 1, it can generate a unique, strong password for every site and log you in with it automatically.

Out of all of these steps, though, using a unique password at every site where you have an account is the most important. That way, if one site is hacked, you are still safe and secure on all the others.
