How to Protect Yourself After the Yahoo Attack

How to Protect Yourself After the Yahoo Attack by The New York Times.  Available from <http://www.nytimes.com/interactive/2016/technology/personaltech/what-to-do-if-hacked.html?_r=1> [UPDATED September 23, 2016]

Yahoo said on Thursday that hackers in 2014 stole the account information of at least 500 million users, including names, email addresses, telephone numbers, birth dates, passwords and, in some cases, security questions.

Even if you might not have used a Yahoo account for years, security experts say the incident could have far-reaching consequences for users beyond Yahoo’s services.

Here are some answers to frequently asked questions about how you can protect yourself.

How do I know if my personal information was stolen?

Assume it was.

Yahoo said it had begun notifying potentially affected users, but its breach was huge, and similar attacks and smaller thefts happen all the time.

Should I change my password?

The first step, as always, is to change passwords for sites that contain sensitive information like financial, health or credit card data. Do not use the same password across multiple sites.

Changing Yahoo passwords will be just the start for many of you. Comb through other services — especially those for which you provided a Yahoo email address to create an account — to make sure passwords used on those sites aren’t too similar to what you were using on Yahoo.

And if you weren't doing so already, treat everything you receive online with an abundance of suspicion: attackers who hold your name, email address, phone number and birth date can craft convincing messages to trick you out of even more information.

How do I create stronger passwords?

Try a password manager like 1Password or LastPass.
These tools create a unique, random password for each website you visit and store them in a database protected by a master password that you create. Password managers reduce the risk of reused passwords and of passwords that are easy to guess.

If you must create your own passwords, make them long: a nonsensical phrase, or a one-sentence summary of a strange life event, with numbers and special characters added.

Examples:

  • My favorite number is Green4782#
  • The cat ate the CoTTon candy 224%

Or, if you're extra paranoid, consider mimicking this setup:

Jeremiah Grossman, a web security expert, memorizes only a few passwords, including one to unlock his computer, and another to unlock an encrypted USB drive containing a file with a list of all his passwords for dozens of services. None of his passwords are memorable because they are random.

“I select them quite literally by banging on the keyboard a few times like a monkey,” Mr. Grossman said, adding that his setup is “a bit more paranoid” than that of the average person.

Create the strongest passwords for the sites that contain the most sensitive information and do not reuse them anywhere.

Are passwords enough?

Passwords are not enough. If a site offers additional security features, like secondary or two-factor authentication, enable them. Then, when you enter your password, you will receive a message (usually a text) with a one-time code that you must enter before you can log in.
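The advice above comes down to three checks: generate passwords randomly rather than by hand, measure how much guessing work they impose, and make sure a "new" password for another site is not just a cosmetic variation of the old Yahoo one. The following Python is an added example (not code from the article or from the experts quoted in it) that does all three; the similarity threshold and the minimum length for the containment rule are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Alphabet for generated passwords: letters, digits and punctuation most
# sites accept. Trim it if a site rejects particular characters.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (the programmatic version of
    Grossman's 'banging on the keyboard'; what a password manager does)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count=6, separator="-"):
    """Passphrase of `count` words drawn uniformly from the list `words`."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Guessing work, in bits, for a uniformly random string of `length`
    symbols drawn from `alphabet_size` choices: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def _normalise(password):
    """Strip the cosmetic variation people use to 'change' a password (case,
    digits, punctuation) so that Green4782# and green4783! compare equal."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def _edit_distance(a, b):
    """Levenshtein distance between a and b, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old, new, threshold=0.5, min_contained=4):
    """True when `new` is a variation of `old` rather than a fresh password.

    Both are normalised first. They are 'too similar' if one normalised form
    is contained in the other (assumed minimum of 4 letters) or if the edit
    distance is below `threshold` (assumed 0.5) of the longer length.
    """
    a, b = _normalise(old), _normalise(new)
    if not a or not b:
        return True  # nothing but digits/punctuation: no real variation
    short, long_ = sorted((a, b), key=len)
    if len(short) >= min_contained and short in long_:
        return True
    return _edit_distance(a, b) / len(long_) < threshold


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    print(too_similar("My favorite number is Green4782#", "Green4783!"))
```

A 20-character password from the 75-symbol alphabet above carries about 125 bits of entropy, versus about 38 bits for eight lowercase letters; the similarity check flags "Green4783!" or "YahooGreen4782#" as reworkings of "Green4782#" even though a byte-for-byte comparison would call them different.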

Many bank sites and major sites like Google and Apple offer two-factor authentication. In some cases, the second authentication is required only if you are logging in from a new computer.

How can I stop my information from being stolen in the first place?

Increasingly, you cannot. Regularly monitoring your financial records can help minimize the damage if someone gets your information. Ultimately, though, the companies storing your personal data are responsible for securing it. Consumers can slow down hackers and identity thieves, but corporate computer security and law enforcement are the biggest deterrents.

What if you have changed your password after the breach happened but before it was disclosed?

The Yahoo attack happened two years ago but was disclosed only this week. Even if you changed your passwords recently for other websites, chances are at least some of them are similar to the password linked to your Yahoo account two years ago.

To play it safe, you should change your passwords, starting with your most sensitive accounts, including your online banking account.

Forget about security questions

Sites will often use security questions like “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

These questions are problematic because the internet has made public record searches a snap and the answers are usually easy to guess.

In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

Jonathan Zdziarski, a computer forensics expert, said he often answered these questions with an alternate password. If a site offers only multiple choice answers, or requires only short passwords, he will not use it.

“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

Photo:  By Yahoo! Inc. [Public domain], via Wikimedia Commons
