In September 2016, half a billion Yahoo users received the bad news that their names, email addresses, phone numbers, hashed passwords, and security questions and answers were potentially stolen in a 2014 hack.
According to CNET, the Yahoo hack was, at the time it was disclosed, the largest data breach in history.
In the wake of a major hack like this one, the only silver lining is a powerful reminder for businesses to review their IT security practices. The damage from a breach like Yahoo's is rarely confined to Yahoo: attackers can use the stolen information to compromise the same people's other accounts, including the work accounts of employees who reused their Yahoo password or listed a Yahoo address as a recovery contact, and so extend the reach of the hack. Here’s how they do it, and what you can do to stop them.
The “Forgot My Password” Reverse Hack Trick
Hackers can use what they took from a single account to break into many more. If your Yahoo address is the recovery (“forgot my password”) address for other services, an attacker who gets into that mailbox, whether with a cracked password or with the stolen security question answers, can trigger password resets on those services and read the reset links and codes as they arrive, taking over accounts that may matter far more than the email itself. Where a service uses security questions as its own reset check, the stolen answers work there directly, since most people reuse the same questions and answers across sites.
The “Same Password, Different Account” Hack
Memorizing a different password for each account is pretty much impossible for the average person, so most people end up reusing one password across many accounts. Attackers count on this: taking the username and password pairs from one breach and trying them automatically against other services is known as credential stuffing. If you use the same password for your Yahoo address and for a Gmail address with the same username, a hacker who stole your Yahoo password and security questions will try them on the Gmail account too.
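What credential stuffing looks like from the defender's side, as an added example that is not part of the original post: a stuffing run walks a leaked list, so the signal is one source address trying many different usernames in a short window, not one user failing repeatedly. The log format, field names, thresholds and sample lines below are constructed for this illustration; the successful logins from the flagged address are the reused-password victims that should be forced to reset.

```python
"""Credential-stuffing detection over authentication log lines.

Added illustration, not code from the original post. The log format,
the sample lines and the thresholds are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed line format:
#   "<ISO timestamp> login <OK|FAIL> user=<username> ip=<source ip>"
SAMPLE_LOG = """\
2016-09-23T10:00:01 login FAIL user=alice ip=203.0.113.7
2016-09-23T10:00:02 login FAIL user=bob ip=203.0.113.7
2016-09-23T10:00:02 login OK user=carol ip=203.0.113.7
2016-09-23T10:00:03 login FAIL user=dave ip=203.0.113.7
2016-09-23T10:00:04 login FAIL user=erin ip=203.0.113.7
2016-09-23T10:00:05 login OK user=frank ip=203.0.113.7
2016-09-23T10:00:10 login FAIL user=alice ip=198.51.100.9
2016-09-23T10:00:12 login FAIL user=alice ip=198.51.100.9
2016-09-23T10:00:14 login OK user=alice ip=198.51.100.9
2016-09-23T10:15:00 login OK user=bob ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: set_of_usernames} for every source IP that attempted
    at least `min_users` distinct usernames inside any `window`.
    A real user mistyping their own password produces one username from
    one IP (198.51.100.9 below), so failure count alone is a poor signal;
    username breadth per source is what separates a stuffing run."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in evs[start:end + 1]}
            if len(users_in_window) >= min_users:
                flagged[ip] = {e["user"] for e in evs}
                break
    return flagged


def successes_from_flagged_ips(events, flagged):
    """Accounts that logged in OK from a flagged IP: the attacker's
    stolen password worked there, so these accounts need a forced reset."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged and e["result"] == "OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_credential_stuffing(evs)
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} distinct usernames -> {sorted(users)}")
    print("force reset:", successes_from_flagged_ips(evs, hits))
```

On the constructed sample, 203.0.113.7 is flagged (six usernames in four seconds) while 198.51.100.9, which fails twice on a single account and then succeeds, is not; carol and frank are the accounts whose reused password was accepted.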
Password Theft Prevention Strategies
Security breach prevention starts with a strategic security plan and a series of best practices:
Account-Specific Logins and Passwords. One way to prevent a hacker from using your stolen username and password on another account is to create site-specific login and password credentials. The easiest scheme to carry in your head is a site-specific prefix or suffix for each account; for example, your Yahoo and Gmail credentials might be “myemailYHOO/YHOOP@ssw0rd” and “GOOGLmyemail/P@ssw0rdGOOGL” respectively. Be aware of the limit of this approach: anyone who sees one of these passwords in a breach dump can spot the pattern and derive a short list of guesses for your other accounts, so it is a stopgap rather than a real defense. A password manager is the stronger option: it generates a long random password for every site and stores them all, so nothing learned from one account tells an attacker anything about the next.
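To make the caveat concrete, here is an added example (not code from the original post) that models how an attacker treats the prefix/suffix scheme: strip the site tag off the one leaked password, then re-attach plausible tags for other services in both positions and a few case variants. The leaked credential is the one from the paragraph above; the per-service tag dictionary is a constructed assumption, and the last two functions show the keyspace a manager-generated password offers by comparison.

```python
"""Why a predictable site tag is not a unique password.

Added illustration, not from the original post. The tag dictionary is
an assumption about what an attacker would try; the leaked credential
is the scheme example from the text.
"""
import math
import secrets
import string

# The text's Yahoo example: site tag "YHOO" in front of a shared base.
LEAKED_SITE_TAG = "YHOO"
LEAKED_PASSWORD = "YHOOP@ssw0rd"

# Assumed attacker dictionary of tags a user might pick per target service.
# A real attacker would generate far more; a handful is enough here.
TARGET_TAGS = {
    "gmail": ["GMAIL", "GOOGL", "GOOGLE", "GML", "GOOG"],
    "dropbox": ["DROPBOX", "DBOX", "DRPBX", "DB"],
}


def recover_base(password, tag):
    """Strip a known site tag from a leaked password.
    Returns (base, position) or None when the tag is not present."""
    if password.startswith(tag):
        return password[len(tag):], "prefix"
    if password.endswith(tag):
        return password[:-len(tag)], "suffix"
    return None


def candidates_for(base, tags):
    """Every way of attaching each tag to the shared base, in the case
    variants a user is likely to have used, without duplicates."""
    out = []
    for tag in tags:
        for variant in (tag, tag.lower(), tag.capitalize()):
            out.append(variant + base)   # prefix, as in the Yahoo example
            out.append(base + variant)   # suffix, as in the Gmail example
    seen = set()
    return [c for c in out if not (c in seen or seen.add(c))]


def guess_list(leaked_password, leaked_tag, targets):
    """Per-site guess lists derived from a single leaked credential."""
    recovered = recover_base(leaked_password, leaked_tag)
    if recovered is None:
        return {}
    base, _position = recovered
    return {site: candidates_for(base, tags) for site, tags in targets.items()}


def random_password(length=16, alphabet=string.ascii_letters + string.digits):
    """What a password manager does instead: a password with no shared
    structure, drawn from a CSPRNG (never `random` for this purpose)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace_bits(length=16, alphabet_size=62):
    """Bits an attacker must search for a random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    guesses = guess_list(LEAKED_PASSWORD, LEAKED_SITE_TAG, TARGET_TAGS)
    for site, lst in guesses.items():
        print(f"{site}: {len(lst)} guesses, e.g. {lst[:4]}")
    print(f"manager-generated: {random_password()} "
          f"(~{keyspace_bits():.0f} bits to search)")
```

From one leaked Yahoo password the attacker gets thirty Gmail guesses, and “P@ssw0rdGOOGL” from the paragraph above is among them; a sixteen-character random password from a manager sits in a space of roughly 2^95 values with nothing to strip off.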
Secure the Fallback Account. We’ve previously discussed the security benefits of “two-step verification” as an effective way to keep hackers out of your accounts even if they manage to steal your password or security question answers. Make sure every account with a “forgot my password” function leads back to an email address protected by two-step verification, and turn it on for the important accounts themselves wherever it is offered. Treat security question answers the same way as passwords: since real answers are now in circulation, use made-up answers that differ per site and keep them in your password manager.
Update Passwords Frequently. Typically, hackers use stolen credentials within days of taking them, which is why routine, calendar-driven password changes are often considered a waste of time. The Yahoo hack shows the other side of that argument: the data disclosed in late 2016 was taken in 2014, so any password left unchanged in the meantime was exposed for two years before its owner knew. Change passwords immediately when a breach is disclosed, and for high-value accounts (email, banking, anything used for password recovery) consider periodic rotation as well.
IT security and password protection are an essential part of doing business in the modern digital world. Contact us today for IT consulting advice for better security practices and managed services assistance to help keep your business’s confidential information safe.