Scam of the day – October 5, 2017 – Yahoo data breach update

Not wanting to be outdone by Equifax and its data breach affecting 145 million Americans (sarcasm), Yahoo, which was recently bought by Verizon has just announced that its massive 2013 data breach which it had previously said “only” affected a billion people actually affected all 3 billion of its customers.

Included in the stolen information was names, email addresses, telephone numbers, dates of birth, hashed passwords as well as security questions and answers, only some of which were encrypted.

While no credit card information or Social Security numbers were lost in this data breach, which has been attributed to Russian hackers by the Justice Department, the risk of identity theft from this data breach is significant.

Scammers are already contacting people through phishing emails posing as Yahoo and in an attempt to lure the targeted victims to click on links or download attachments containing malware.  In other instances, the scammers will ask for personal information in an effort to gain information that can be used for purposes of identity theft.  The real Yahoo does not do this.  If you have questions about your Yahoo account, you can contact help.yahoo.com for free assistance.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy. Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.  Yahoo provides for dual factor authentication.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.

Scam of the day – March 17, 2017 – Four people indicted for massive Yahoo data breach

On Wednesday, the Justice Department unsealed an indictment of two Russian intelligence officers and two hackers, one Russian and the other from Kazakhstan, who, the indictment alleges were responsible for the 2014 massive data breach of Yahoo in which tremendous amounts of personal data was stolen.  The indictment was originally filed on February 28th, but was only unsealed two days ago.  The intelligence officers used the information to spy on specific targeted companies and individuals for political purposes while the hackers were permitted to use the data for a wide range of profit producing scams including credit card fraud and spamming operations.  The indictment even details how the hackers diverted Yahoo users looking for erectile dysfunction drugs to a particular pharmacy chosen by the hackers.

This indictment confirms what many of us have long known, which is that the Russian government’s cyberintelligence and cyberwarfare operations are done through a joint venture between criminal hackers with tremendous computer skills and conventional Russian intelligence officers.  Under the terms of this joint venture, the hackers working with the government are permitted to perform their own cybercriminal acts without fear of government interference so long as they do not attack Russian targets.  This is quite different from what is generally found in other centers of cybercriminal activity such as North Korea and China where the hackers are state workers.

Here is a link to a copy of the indictment:

https://www.justice.gov/opa/press-release/file/948201/download

TIPS

Whether the cybercriminals trying to attack you are state sponsored or not, the threat is still the same and the defensive measures you must take are no different.  Cybersecurity requires constant diligence along with the recognition that you are only as safe as the places that have your information with the weakest security.  Limit the amount of personal information you provide to anyone with which you do business.   It is also important to use and constantly update security software on all of your devices as well as avoid clicking on links or downloading attachments unless you are absolutely sure that they are legitimate.  These are some of the basic steps we all should take to make ourselves safer in cyberspace.

 

Scam of the day – December 16, 2016 – Yet another major data breach disclosed at Yahoo

It was just in September that I told you about a massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   However, as I often say, “things aren’t as bad as you think — they are far worse.”  Earlier this week it was disclosed that Yahoo had also been a victim of an earlier data breach in 2013 that was only recently discovered in which personal information on a billion Yahoo customers was stolen. Included in the stolen information was names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers only some of which were encrypted.

Gaining access to someone’s email account can provide a tremendous amount of personal information that can be leveraged to make that person a victim of identity theft.  This should be a wake up call to everyone, even if you do not use Yahoo email to implement stronger email security measures.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy. Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate. In addition, scammers armed with personal information gained through a data breach such as this will be targeting people with spear phishing emails attempting to lure you to click on malware infected links.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

Don’t store sensitive information in your email account where it could be accessed in the event your account is hacked.  You also should encrypt your emails.  There are many simple, free software programs you can use to encrypt your emails.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can better detect unusual activity.

Scam of the day – September 24, 2016 – Massive Yahoo data breach

Today’s Scam of the day will be a bit longer than usual, but the added length is necessary to discuss the recent announcement of the massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   Yesterday, Yahoo announced that it had been the victim of a data breach that began two years ago.  Yahoo has attributed the attack to what it called a “state-sponsored actor” and indicated that the compromised information included names, email addresses, telephone numbers, birth dates, encrypted passwords and security questions.  The good news is that no bank account, credit card or debit card information appears to have been involved in the data breach.  However, the information that was stolen is more than sufficient to be utilized for spear phishing emails specifically tailored for purposes of identity theft.

The first indication that there was a problem occurred in June when word of stolen Yahoo data started to be discussed in online forums on the Dark Web where cybercriminals communicate as well as buy and sell stolen data.  Later, in August large batches of stolen Yahoo customers’ data began being sold on a black market website on the Dark Web called TheRealDeal.  Now that the data breach has been confirmed, Yahoo is contacting affected customers, however it is important to remember that scammers are going to also be contacting people through phishing emails attempting to lure people into clicking on links that will download keystroke logging malware that will steal information to be used for purposes of identity theft or to trick people into providing personal information directly in response to the email. Official Yahoo emails will display the Yahoo icon and will not ask you to click on links, download attachments or provide personal information.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy.  Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com   Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for you accounts so that when you attempt to log in, a one-time code will be sent to your smartphone to insert in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can detect unusual activity.

Scam of the day – February 4, 2014 – What does the Yahoo email breach mean to you?

A few days ago, Yahoo announced that its email security had been breached.  Yahoo is the second largest email provider with approximately 273 million users.  The actual breach which involved the theft of both usernames and passwords was accomplished not by hacking Yahoo directly, but rather by hacking a third party website’s database that allowed the use of Yahoo email addresses to establish customer accounts.  Similarly, the recent breach of Target also appears to have been accomplished by hacking into a Target vendor’s systems to obtain the credentials necessary to, in turn breach the security of Target.  Many people may not be particularly alarmed that all was taken in the Yahoo hacking were usernames an passwords, however, because people often use the same user name and passwords for multiple accounts, including online banking, the threat posed by this hacking could be quite serious.  In addition, these usernames and passwords could be used by identity thieves for “spear phishing” a technique by which identity thieves are able to send specifically targeted messages to potential victims that appear to come from trusted sources thereby making the potential victim more likely to click on a link or download an attachment in the email that would be riddled with malware that will steal all of the information from a person’s computer or other electronic device and use that information to make the person a victim of identity theft.

TIPS

If you haven;t already done so, change your username and password for Yahoo email if you are a user of Yahoo email.  Even if you are not a Yahoo email user, you should make sure that all of your online accounts have different user names and passwords because the risk of your being a future victim of a similar type of data breach is very high.  It is a good idea to change your passwords every few months and make sure that the password is at least eight characters long and is a mixture of letters and symbols.  For tips on how to pick a good password, check out my book “50 Ways to Protect Your Identity in a Digital Age.”

Scam of the day – January 6, 2014 – The threat to you of Yahoo hacking

Fox IT, an Internet security firm has just uncovered a hacking of Yahoo’s ad network that appears to have started on December 30th, but may well have begun earlier.  Estimates are that about 27,000 people had their computers and other electronic devices infected each and every hour since the hacking began.  The vulnerability exploited by the hackers involves flaws in the security of Java software used in the online advertisements and by many individual computer users.  As I have warned you for more than a year, Java is a dangerous software program.  Java software which is popular software program made by Oracle has been a particularly successful target of hackers and identity thieves.  According to Kaspersky Lab, flaws in Java software was responsible for about half of all the cyber attacks by hackers in 2012.    Much of the recent wave of attacks against American companies by the hundreds involved Java software vulnerabilities.  The Department of Homeland Security earlier this year identified new and dangerous vulnerabilities in Java software that can lead to your identity being stolen and your computer being compromised by hackers.  The Department of Homeland Security even advised that people disable Java or prevent Java apps from running in their browsers.A recent study from Palo Alto Networks, a software security company found that only 6% of malware infections are coming from tainted email while 90% came from malware unwittingly downloaded when people went to legitimate websites that you had reason to trust, but had been infiltrated by hackers.  This type of identity theft has come to be known as a “drive by” identity theft.  To make things worse it usually takes as long as three weeks for anti-malware software makers to identify the latest malware threats.  Java software which is used on many legitimate websites has proven to be a rich target for identity thieves because of its continuing vulnerabilities to hackers.  It is for this reason that the Department of Homeland Security advised people to consider uninstalling Java software.The Yahoo hacking, which the company says has now been fixed enabled the hackers, while the hacking was active, to install various malware programs called ZeuS, Andromeda, Dorkbot, Tinb and Necurs, which enabled the hackers to steal personal information from people who unwittingly installed the malware by clicking on infected ads unless the computer user was protected by proper anti-malware security programs or was not using Java.  You can find out if your computer was infected by going to Microsoft’s safety scanner at http://www.microsoft.com/security/scanner/en-us/default.aspx

TIPS

Along with avoiding obvious scam emails, the best thing you can do is to make sure that your security software and anti-malware software are constantly kept up to date with the latest revisions, updates and patches.  You also may want to uninstall software programs, such as Java which have proven to be an Achilles heel for many legitimate websites.  Finally, if you want to be extra careful, you may even want to consider having a separate computer for your financial dealings and purchases while using a separate computer for surfing the Internet so that if you do go to a tainted website, there would be nothing of value on that computer for an identity thief to use.

I strongly advise people who do not need to use Java that they disable it.  Here is an important link from the Department of Homeland Security with information as to how to disable Java or to otherwise deal with its vulnerabilities: http://www.us-cert.gov/ncas/alerts/TA13-064A