Rumours of a serious security breach at Yahoo had been circulating for some time before an announcement was made. An investigation into an attempt to sell 200 million Yahoo accounts showed the actual number was 'at least' 500 million, and the data is from late 2014. Details that have been stolen include names, email addresses, telephone numbers, dates of birth, security questions and answers, and encrypted passwords. Details of security questions, such as a mother's maiden name, are very valuable to hackers as they can be used to unlock/recover accounts or clone identities.
The details cover accounts for Yahoo and Flickr. There could be more Yahoo-owned services included in the breach, but there is no information on that at the moment. BT and Sky used Yahoo to manage some of their email services. It isn't clear if details from any of these accounts have been stolen, but both companies are recommending that users change their passwords.
What to do
- If you use Yahoo for your business emails, and the account was opened before 2015, change your password and security questions so hackers cannot take it over. If you use a BT or Sky email address, you may also want to update your password.
- If you don't use Yahoo for business emails, you could still be vulnerable if passwords are being shared between accounts. Best practice is to have separate passwords for each system, but sometimes that doesn't happen. Hackers are very good at using names, email addresses and dates of birth to link personal accounts to work accounts, and this could lead to the work accounts being taken over. Change your Yahoo password and security questions, and the password on your work email.
- If you have staff, they may have an account that is part of the security breach and could end up with their work email account being taken over. The advice is the same; they should change their Yahoo password and security questions, and also update the password on their work email.
- As hackers now have details such as date of birth and security questions and answers, they can construct ever more convincing 'phishing' emails to try to get you to click on links that download malware. Remind staff to look out for unexpected emails.
These are the basic steps. There are additional ways to improve security, but these depend on how a business operates and the information it holds.