The Yahoo Breach Affects 1 Billion – What Do You Do Now?

Unless you’ve been living under a rock recently, you’ll have heard the news about the Yahoo data breach. If you haven’t, the basics are that Yahoo User details were compromised a few years back, and anyone that had an email account with them up until that point may have had their email addresses and passwords released.

But it’s worse than that: Yahoo was also fulfilling the email services for several ISPs including BT and Sky in the UK, meaning their customers are also at risk. Brilliant. At the last check, approximately one billion people had their details potentially compromised.

Rather than combing over what went wrong, what Yahoo should’ve done better or even touching the whole US government debacle with a ten foot pole, I’m going to focus on a few simple things: what this means for you – whether you’re a customer or not – what you can do about it and what you can do to prevent yourself from being at risk in breaches like this in the future. Don’t worry, it’s all pretty easy, although there will be a fair bit of work involved in setting it all up. Your security’s worth that, right?

I’m covering password practices in quite a bit of depth today, so this is a stupidly long post. Feel free to skip around and if you’d like to be kept up to date with more pieces like this in the future, sign up to my free email list. No spam, no sales pitches, just free information to help you keep yourself, your family and your business safe online.

I Used To Use Yahoo Mail – Why Do I Care?

One of the biggest issues that comes from these breaches is that old accounts can be compromised. If, like most of Yahoo’s customers, you haven’t used it in years, what does it matter if your email and password are on the list? You don’t care if people get into those old emails or use that account for spamming, right?

But you’re probably like most people and have used the same password or a very close variant of that same password on important stuff. In fact, you’ve probably used that same password or a close variant on pretty much everything you’ve signed up for in the last five years, haven’t you?

I get it. It’s easy to remember the same password for everything and no one likes the judgement they feel when clicking the “forgot password” button. If this sounds like you, you should probably keep reading and share this post with your similarly-minded friends and family. Don’t worry, I won’t mind.

How Breached Data Is Used

The thing a lot of people miss about data breaches or dumps is that the account from the compromised platform is very rarely what those details are used for. If you used Yahoo Mail years ago and have moved away from it, you’re right to not be particularly bothered by it in terms of that particular account. However, it’s the account details that are the prize rather than the account itself.

Let’s use a common example: your username and password are found in a dump of breached data. Since most of these breaches lately have been from around 2012 – 2014, it’s a moderately safe assumption that you’re not using it anymore or the platform in question has been responsible enough to tell you to change your password. The compromised account isn’t the worry. But did you use that password on other sites? Your other email? Your Facebook? Your PayPal? Your bank? I’m willing to bet the answer to at least one of these is yes.

If someone has gone to the effort of procuring these data dumps, they’re likely more than capable of setting up an automated tool that will try your details (along with the others in the list) on a multitude of sites, waiting for a match. Once they’ve got a match – especially if you use the same password for everything – your online footprint is pretty much theirs. They can raid your bank account, your PayPal, clear out your Dropbox, spam your Facebook and that’s just a few examples.

I’m not scaremongering here. I’ve seen it happen.

That’s why this stuff matters. Here’s what you can do right now, for free, to protect yourself.

Change Your Passwords And Make Them Better

If you’re a current or former customer of any of these compromised platforms – or even if you’re not – change your passwords, especially if you’re someone that uses the same password or series of passwords for everything. You might have escaped this breach, but the law of averages says you’ll be caught out eventually.

A safe password is a unique password. Everything you access should have a password specific to that site. If it’s not used on any other sites, it’s less of a worry if the platform it’s used on is breached as it can’t be used to access anything else.

But just because a password is unique, doesn’t mean it’s good. A password that’s simple can still be compromised easily enough. So while we’re changing our passwords, let’s make the commitment to change them to something better.

What Is A Good Password?

We’ve already covered that one of the key components of a good password is that it’s unique to the platform it’s used on. And when I say unique, I mean totally different, not just changing a single digit. But that’s not all that goes into creating a good password.

A good password can be defined as:

  • Unique: We’ve already covered why this matters, but to reiterate: everything you log in to should have a completely unique password.
  • Long: The longer it is, the harder it is to guess or break through brute force or other automated methods. Recommendations are for at least eight characters, I tend to favour at least 20.
  • Mixed-up: A mixture of letters, numbers, cases and characters will help keep you safe.
  • Not linked to you: If someone can work out your password based on your Facebook activity or by otherwise investigating you or your family, it’s not a safe password. Avoid anything like this. Your password should not be your dog’s name, your mother’s maiden name, your favourite TV show or anything like that.
  • Random: For best results, your password should be a unique, long, randomly-generated string featuring a range of characters, numbers, letters and cases. This makes it basically impossible to guess or break through brute-force methods.

Basically, a good password is 1gY#vk0yw!YMkdd8q9Tf. A bad password is password.

So now we know what a good password is, how do we remember them? It’s impossible to remember a load of random strings, isn’t it? At what point does security outweigh convenience? I ask because I know what most people will choose between the two.

Use A Password Manager

There are a range of password management tools out there that will remember these passwords for you, allowing you to log into your stuff on your computers, phones and tablets while keeping the passwords safe from prying eyes. A lot of them are free or freemium, so the only cost you need to worry about is the time setting them up. The good thing is that after the initial time investment, you’ll find that it’s a lot quicker and easier to log into all the sites and apps you log in to and the peace of mind is worth it.

Personally, I’m a big fan of LastPass – so much so that I’ve signed work up for an Enterprise account and got everyone there running it. It’s free for personal accounts and the premium options are affordable too. With plugins for pretty much all browsers across PC, Mac and Linux machines and handy mobile apps for iOS and Android, it’s one of the best cross-platform tools out there as well. The encryption levels are solid and they participate in a bug-bounty program, so you can be sure that your data’s safe with LastPass, but as I say, there are many others out there too.

Generally, I suggest staying away from ones which are completely free with no premium option – if no one’s paying for it, where is the incentive for them to keep it up to date? Where is the money to develop it coming from? If they at least have an option to pay them, that’s where their incentive comes from, so it’s more reassuring. You get what you pay for, after all.

Avoid storing passwords in your browser itself – some of them aren’t that secure and you also don’t get the cross-platform benefits.

The great thing about any of these tools is that you only need to remember one password – the password that unlocks the system, so you can focus on making it a good one based on the criteria above. For something like this, it’s vital that your password is not something you’ve used on any other sites. As we’ve seen with these breaches, your passwords and platforms from years ago can come back to haunt you.

Best Practice For Password Managers

Once you’ve got your password manager installed and you’ve stored the details for the sites you use, just go through them and change the passwords using the tool’s own password generator, remembering the guidelines from above. You can generate completely random strings and not need to remember them, so your online security instantly improves.

Suddenly, a breach from 2012 is far less of a worry and, should a breach of those sites occur, it’s easy to just change your password to another random string. Just make sure that the password you use for that platform is something completely unique and strong. If it’s easier to remember, use a random word generator, jumble the cases and put a few characters and some numbers in there.

So What Do You Do Now?

Whether you’re a victim of the Yahoo breach or not, just following the tips above will help you improve your online security and the security of anything you’ve got stored within the sites you log into. It shouldn’t cost you any money, either, just an hour or so of your time. Maybe I’ll write some more simple security tips style posts in the future.

Password managers aren’t perfect – nothing is – but they at least help you mitigate the risk of using the same password for everything.

In the meantime, I’d love to hear what else you struggle with in terms of online security for future pieces. Drop me a line through the contact form or on Twitter and don’t forget to sign up for my (very secure) mailing list to stay up to date.