Today it was revealed that Yahoo experienced a breach of account names and passwords of epic proportions. Now we’re running down the ways in which users – any user of Yahoo products of all sorts, with Yahoo accounts – should move forward. This includes password changing. This includes the potential use of Yahoo’s Account Key. It includes not having a heart attack about the situation while, at the same time, understanding that one’s account breach could mean some very serious things.
As mentioned earlier today, this would be a great time to start using Yahoo Account Key. With this system, the only way a Yahoo user can access their account is with a two-device combination of button-presses. The user must have their phone, and someone who might’ve otherwise accessed their account from afar cannot do so.
Yahoo suggests that those affected by this breach are being notified. They wrote today, “We are notifying potentially affected users by email and posting additional information to our website. Additionally, we are asking potentially affected users to promptly change their passwords and adopt alternate means of account verification.”
Regardless, all Yahoo users should take precautions.
The most important first step all Yahoo account-holders can take is to change their password and security questions. This can be done through Yahoo’s Eval Profile page.
Any accounts outside of Yahoo that use the same password as the Yahoo account should also be updated. One compromised password can topple the rest.
Users should also review their accounts – all accounts, including bank accounts (even though Yahoo suggests that no bank information was stolen). There, users should look for any activity they do not recognize, and speak with their bank if they find any such activity.
Emails that users receive about this hack will not necessarily be from Yahoo. While Yahoo has sent out an email, it’ll always read like this Yahoo PDF.
As Yahoo suggests, “Importantly, the email does not ask you to click on any links or contain attachments and does not request your personal information.”
Of note, from the folks at Flashpoint: “On August 2, 2016, Flashpoint became aware of an advertisement posted on TheRealDeal Marketplace by actor ‘peace_of_mind’ (otherwise known as ‘peace’) for the sale of some 200 million Yahoo account credentials. Peace_of_mind is the same actor whom Flashpoint previously reported as selling leaked MySpace and LinkedIn account credentials in May 2016. This actor, who is also a co-founder of TheRealDeal Marketplace, is considered highly credible based on past activity and feedback from customers.”
An “actor” in this case is a person or persons behind this hack and subsequent sale of account names and passwords. We experienced something similar back when Facebook suggested that “State-Sponsored Actors” might have gained access to some of their accounts.