Yahoo has just announced that instead of one billion accounts being compromised in the 2013 security breach, all of its approximately three billion accounts were compromised in some form. In case you’ve lost track, the 2013 breach is different from the 2014 breach, in which “only” 500 million accounts were compromised. The press release from Verizon/Oath is predictably vague: it states that the stolen information did not include passwords in the clear, banking information or payment card details, but it does not detail what was stolen or exposed. The phrase “passwords in the clear” implies that hashed or encrypted passwords were stolen, and Yahoo’s earlier (December 2016) disclosure of this same breach said the stolen passwords were MD5 hashes. Unsalted, fast hashes like MD5 are exactly what offline cracking rigs are built for, and several weaknesses in older hashing and encryption methods have come to light in the years since. Seeing as this was four years ago, it’s highly likely that whatever protected password material was stolen has already been cracked.
What this means for you:
If you haven’t stopped using Yahoo as an email provider, it’s time to kick that email address to the curb, especially if you are using it for business. Yahoo has repeatedly demonstrated it’s not deserving of your trust or your data, so it’s time to stop using them. Period. Your second takeaway should be this: stop using the same password for everything, and definitely don’t resurrect old passwords thinking that there is no way someone could come across that password. I will guarantee you that despite the gigantic amount of leaked identity information out there, it has been amassed and cross-indexed. If you used a password on Yahoo, LinkedIn, Adobe, or any of the numerous other breaches that have occurred in the past 5 years, that password is in a database next to your email address, and it will be used against you, guaranteed, if it hasn’t already.
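One practical way to test the claim above against your own passwords, without handing the password itself to anyone, is the k-anonymity range lookup that the public Pwned Passwords service offers: you send only the first five hex characters of the SHA-1 of the password and get back every leaked hash suffix with that prefix, then match the rest locally. The following is an added example written for this post, not code from Yahoo, Verizon/Oath or the original author; the endpoint URL is the real one, but the response body below is a constructed sample so the example runs offline (the one real value in it is the well-known SHA-1 of the string “password”; its count is made up).

```python
import hashlib
import urllib.request

# Constructed sample of a range response. The real endpoint returns one
# "<35-hex-char suffix>:<count>" line per leaked hash sharing the prefix.
# The first suffix completes SHA-1("password") = 5BAA61E4...; the count and the
# other two suffixes are invented for this example.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "00A2D5E9F4C7B8E1D3A6F0C2B4E8D1A3F57:2\r\n"
    "FF01C3D9B7A5E2F4D6C8B0A1E3F5D7C9B21:17\r\n"
)


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, as the service expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """First five hex chars go over the wire; the remaining 35 stay local."""
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Return how many times the password appeared in known breaches (0 if none).

    fetch_range(prefix) must return the response body for that 5-char prefix;
    it is injected so the same logic runs against the live API or test data.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """Live lookup. Only the prefix leaves the machine."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix):
    """Stand-in for the live call using the constructed sample above."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Swap fetch_range_offline for fetch_range_online to query the real service.
    for candidate in ("password", "some-unique-passphrase-you-made-up"):
        n = breach_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {n} times in breach data" if n else f"{candidate!r}: not in sample")
```

A non-zero count means the password is already sitting in the cracked-password lists attackers feed into credential-stuffing tools, regardless of which site you originally used it on. Note that a zero result only says the password is not in that particular corpus, not that it is strong.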
Looking for a way to create memorable, but unique passwords? Try this site. My favorite setting is:
- Two words
- 4-8 characters each
- Alternating case lowerUPPER
- Surrounded by 2-digit numbers
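To make the settings above concrete, and to show what they are actually worth, here is an added example that generates passwords in exactly that shape (two 4-8 letter words, first lower then UPPER, with a 2-digit number on each end) and computes the scheme’s entropy. This is not the code behind the generator site mentioned above and not the original author’s; the wordlist is a small constructed sample, and the 7,776-word figure used in the usage note is simply the size of the common Diceware list.

```python
import math
import re
import secrets

# Constructed sample wordlist for illustration only. A real generator should
# draw from a large dictionary (e.g. the 7,776-word Diceware list).
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchard", "pepper", "quartz", "river", "saddle", "timber", "velvet",
    "walnut", "yonder", "zephyr", "cat", "to", "hippopotamus",
]

MIN_LEN, MAX_LEN = 4, 8  # the "4-8 characters each" setting
# NN + lowercase word + UPPERCASE word + NN
PATTERN = re.compile(r"^\d{2}[a-z]{4,8}[A-Z]{4,8}\d{2}$")


def eligible_words(words):
    """Keep only alphabetic words inside the 4-8 character band, de-duplicated."""
    return sorted({w for w in words if w.isalpha() and MIN_LEN <= len(w) <= MAX_LEN})


def generate(words):
    """Build one password of the form NNlowerUPPERNN using a CSPRNG."""
    pool = eligible_words(words)
    if len(pool) < 2:
        raise ValueError("wordlist too small")
    first, second = secrets.choice(pool), secrets.choice(pool)
    lead, tail = secrets.randbelow(100), secrets.randbelow(100)
    return f"{lead:02d}{first.lower()}{second.upper()}{tail:02d}"


def scheme_entropy_bits(wordlist_size):
    """Entropy of the scheme against an attacker who knows the pattern and wordlist.

    Two independent word choices give log2(N) bits each; the two 2-digit
    numbers give log2(100) bits each. The fixed lower/UPPER ordering adds
    nothing, because the attacker's cracking rule can apply it for free.
    """
    return 2 * math.log2(wordlist_size) + 2 * math.log2(100)


if __name__ == "__main__":
    for _ in range(3):
        print(generate(SAMPLE_WORDS))
    print(f"sample list: {len(eligible_words(SAMPLE_WORDS))} words, "
          f"{scheme_entropy_bits(len(eligible_words(SAMPLE_WORDS))):.1f} bits")
    print(f"7,776-word list: {scheme_entropy_bits(7776):.1f} bits")
```

With a 7,776-word dictionary the scheme comes out to roughly 39 bits. That is plenty against online guessing at a site that rate-limits logins, but it is well within reach of offline cracking once a fast unsalted hash of it leaks, which is exactly the scenario described above. That is the reason each site gets its own password and the whole collection lives in a password manager.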
If you are looking for a way to organize and use the many unique passwords you are creating, try one of these services: