It’s password-changing time again.
Yahoo’s announcement that a “state-sponsored actor” had pilfered data, potentially including concealed passwords, from half a billion accounts in late 2014 represents one of the largest such security breaches ever disclosed. The “good” news — if we can call it that — is that the passwords were concealed and that the hack doesn’t appear to have directly involved credit cards or bank accounts, according to Yahoo’s announcement.
Credit card accounts probably won’t be affected. But “probably” is not “certainly.” If you tend to reuse passwords across multiple sites, now’s the time to stop, and to change those passwords. And Yahoo is still encouraging people to check their credit reports.
Not another Target
When you hear “data breach,” you might think of what happened to Target in 2013. About 70 million customers were affected, and — worse — 40 million credit card numbers were stolen. Millions of customers had to worry about fraudulent activity on their cards as a result.
The Yahoo breach is roughly seven times as big as the Target one, but for affected consumers, it’s not seven times worse.
The difference has to do with what was stolen. In Yahoo’s case, the stolen information included names, email addresses, phone numbers, dates of birth, concealed passwords and, in some cases, security questions and answers both unencrypted and encrypted, according to a news release from the company. Yahoo also notes that the ongoing investigation suggests that “stolen information did not include unprotected passwords, payment card data, or bank account information.”
The passwords were also “hashed,” according to Yahoo. That means they were run through a “mathematical function that converts an original string of data into a seemingly random string of characters,” according to Yahoo.
Signs of a potential hack reportedly emerged earlier this summer on the “dark web” — a space of the internet unreachable by search engines, where illegal dealings can go undetected. A hacker tried to sell what was supposedly 200 million Yahoo accounts for 3 bitcoins, or roughly $1,860, Motherboard reported in August. That’s on the cheap side, if you consider that login credentials for banks around the world go for “between US$200 and US$500 per account” in marketplaces like these, according to a white paper by Trend Micro.
What could happen
The credentials stolen in the Yahoo breach aren’t that valuable as long as the passwords are concealed. But there’s still a risk that hackers could glean more information from the breach than we think.
Take the passwords, for example. When passwords are hashed, they’re essentially useless. But it’s possible that hackers could “unhash” those passwords, says Al Pascual, senior vice president and head of fraud and security at Javelin Strategy & Research.
“There is software such as Hashcat and John the Ripper which is designed to crack passwords,” Pascual says. “It takes time and processing power, and even then not every password is typically decrypted.”
If hackers were successful at unhashing some of the passwords, they could run scripts to hit as many websites as possible to see where those passwords work, Pascual says. That could affect consumers who use the same password for every account.
Even if that proved successful, though, hackers probably wouldn’t be able to get at your financial accounts. Major banks and issuers have security software that locks users out after multiple failed sign-in attempts. However, Pascual says some smaller issuers don’t have this capability.
Phishing scams are another potential result of the breach, and one that Yahoo is anticipating. The company stressed that the email it sent to those affected by the breach “does not ask you to click on any links or contain attachments and does not request your personal information” — requests that are common tactics in phishing emails. Your credit card information might not be affected by the Yahoo breach directly, but it might be compromised if you give your login credentials to someone pretending to be Yahoo via email.
What to do about it
If you received notice from Yahoo that you were affected by the breach, here are three things you can do to guard against potential fraud on your credit cards and other accounts:
- Change your passwords. “People tend to not update their passwords unless they absolutely have to,” Pascual says. Hackers see that as a major opportunity. So if you use the same password for all your accounts, don’t just update your Yahoo password — update your other passwords, too. At the very least, make sure the passwords you use on your credit card and bank accounts aren’t the same ones you use on websites that look like they were designed by sixth-graders in 1999.
- Read emails carefully. Don’t reply to emails purporting to be from Yahoo — or any company, for that matter — if they prompt you to provide a password, username or any other personal information, or ask you to click a link. Fraudsters use urgent-sounding emails like these to get valuable information out of unsuspecting consumers.
- Check your credit report and financial accounts. Although Yahoo’s breach didn’t include financial data, “we encourage you to remain vigilant by reviewing your account statements and monitoring your credit reports,” according to a statement from the company.
You can get a free credit report once a year from each of the three major credit bureaus: Experian, Equifax and TransUnion. Go to AnnualCreditReport.com. If you detect signs of fraud on your credit card account — say, unfamiliar purchases — call your issuer right away and report it. The law sharply limits your financial responsibility on bank account fraud and credit card fraud. Even if your credit card is indirectly affected by this breach, you probably won’t have to pay for it.