It was just in September that I told you about a massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history. However, as I often say, “things aren’t as bad as you think — they are far worse.” Earlier this week it was disclosed that Yahoo had also been a victim of an earlier data breach in 2013 that was only recently discovered in which personal information on a billion Yahoo customers was stolen. Included in the stolen information was names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers only some of which were encrypted.
Gaining access to someone’s email account can provide a tremendous amount of personal information that can be leveraged to make that person a victim of identity theft. This should be a wake up call to everyone, even if you do not use Yahoo email to implement stronger email security measures.
As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy. Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked. Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.
This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services. And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts. For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.
Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account. For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.
Security questions are notoriously insecure. Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves. The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.
As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate. In addition, scammers armed with personal information gained through a data breach such as this will be targeting people with spear phishing emails attempting to lure you to click on malware infected links. Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information. For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral
Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies. Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so. Many companies ask for this information although they have no real need for it.
Don’t store sensitive information in your email account where it could be accessed in the event your account is hacked. You also should encrypt your emails. There are many simple, free software programs you can use to encrypt your emails.
As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can better detect unusual activity.