What are your unexpected risks from the Yahoo billion account breach?

Orange County, CA - The big cyber-security news today is the breach of one billion user accounts at Yahoo!  Some experts are recommending the immediate closing of your Yahoo! account. However, I am not fully on board with that recommendation. If you have highly sensitive information in your Yahoo! account, then I agree. If the account is used for some club activities or e-mail in Yahoogroups.com, etc. then, at minimum, you need to change your password.

At minimum, all Yahoo! users need to change their passwords today. If you have helper/challenge questions for your passwords, those questions and answers need to be changed too. If your Yahoo! login name, password and challenge questions & answers have been used on other websites, then you need to change those, too, immediately. 

Here is the advice Alvaka has for you:

·         Beware that Yahoo! is a partner of AT&T so you may have exposure there, as well. At minimum, change the password or close the account and move your information elsewhere.

·         If you have employees who check their Yahoo! account at work, you need block Yahoo! at your firewall and filtering defenses you have.

Here are some good tips I saw posted by the CEO of KnowBe4, and I agree with them. He says:

Dangers from the Yahoo security breach

Dangers from the Yahoo security breach

Hints and Tips for Yahoo Account Owners

1.            Before you delete the account, get rid of all the folders and only then delete the account and open a Gmail account instead.

2.            Check if you have used your Yahoo password in other sites, and change the password and security questions for those accounts. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.

3.            If you used a mobile phone number in association with your Yahoo! account, and you still use that mobile phone number, then SMS phishing (a.k.a. Smishing) is now a distinct possibility, so be very wary of Smishes.

The forensic investigation is still going on, but it is highly likely that the bad guys initially got in through a spear phishing attack with a spoofed 'From' address. These types of attacks are hard to spot and employees tend to fall for them.

Here is what is likely the biggest threat to you and your organization – spoofing. We are seeing a lot of spoofing going on with regards to domain names and e-mail accounts. To read more about that there is a good article here at SearchSecurityTechTarget – email spoofing.

Be very aware of attempts to trick you. Alvaka Networks is implementing a new service that helps you test your users once or twice per month to see if they are likely to fall victim to spoofing or spear-fishing tricks. It is a great way to train your users. If you are interested in learning more write to us at info@alvaka.net and we can let you try it out.

PS. This information below just came in from one of our friends of Alvaka. It is the official explanation coming from Yahoo's Chief Information Security Office, Bob Lord.

 Subject: Important Security Information for Yahoo Users

Reply-To: replies@communications.yahoo.com

 

Yahoo breach notification letter.

Yahoo breach notification letter.

NOTICE OF DATA BREACH

Dear John Doe,

We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.


What Happened?

Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.


What Information Was Involved?

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.


What We Are Doing

We are taking action to protect our users:

  • We are requiring potentially affected users to change their passwords.
  • We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
  • We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

What You Can Do

We encourage you to follow these security recommendations:

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
  • Review all of your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.


For More Information

For more information about this issue and our security resources, please visit the Yahoo Security Issues FAQs page available at https://yahoo.com/security-update.

Protecting your information is important to us and we work continuously to strengthen our defenses.

Sincerely,

Bob Lord
Chief Information Security Officer
Yahoo