Yahoo says that someone has stolen information associated with more than one billion user accounts. That’s billion—with a “b.” And even if you have a Yahoo account that you haven’t used in years, there are good reasons to be concerned about this Yahoo breach. An email account can hold a treasure trove of personal information that can be used against you—now or years down the road.
In a statement this afternoon, Yahoo said the stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (hashed with MD5, a fast general-purpose hash that was never designed for password storage, so common passwords can be recovered from it in bulk) and, in some cases, encrypted or unencrypted security questions and answers.
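To make the MD5 point concrete, here is an added example (written for this post; it is not Yahoo's code and the sample records and wordlist are constructed, not real breach data). It shows why a dump of unsalted MD5 hashes falls so fast: the attacker hashes a wordlist once and then looks up every account for free. Beside it is the kind of storage a site should use instead, a salted and deliberately slow PBKDF2-HMAC-SHA256 hash, where every candidate password has to be recomputed for every single user. Whether Yahoo's MD5 hashes were salted is not stated in the announcement; the example assumes unsalted hashes, which is the worst case.

```python
import hashlib
import os
import secrets

# Constructed sample data (not real Yahoo records): a small wordlist and a
# dump of unsalted MD5 password hashes as the thief would hold it.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "yahoo2013"]

LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"x7!Qp9#zL2v").hexdigest(),  # not in the wordlist
}


def crack_unsalted_md5(leaked, wordlist):
    """Unsalted fast hash: hash the wordlist ONCE, then each user's hash is a
    dictionary lookup. The work does not grow with the number of accounts,
    which is why a billion-row MD5 dump is cracked so quickly."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in leaked.items() if h in table}


def hash_password(password, iterations=600_000, salt=None):
    """What a site should store instead: a per-user random salt and a slow
    key-derivation function (PBKDF2-HMAC-SHA256). The stored string carries
    its own parameters so verification can reproduce them."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(leaked, wordlist):
    """With a unique salt per user there is no shared lookup table: every
    candidate must be re-hashed for every user, at the site's iteration count.
    Returns (cracked, number_of_hash_computations) so the cost is visible."""
    cracked, work = {}, 0
    for email, stored in leaked.items():
        for w in wordlist:
            work += 1
            if verify_password(w, stored):
                cracked[email] = w
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    # Low iteration count here only to keep the demo quick; production should
    # use the default above or a memory-hard function such as scrypt/Argon2.
    salted = {e: hash_password(p, iterations=1000) for e, p in
              [("alice@example.com", "password1"), ("carol@example.com", "x7!Qp9#zL2v")]}
    print("salted PBKDF2 cracked, work:", crack_salted(salted, WORDLIST))
```

The unsalted run recovers both weak passwords with six hash computations total, no matter how many accounts are in the dump. The salted run has to spend the full wordlist on every account it fails to crack, and each of those computations is hundreds of thousands of times slower than one MD5, which is the whole point of a proper password hash.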
Yahoo says it believes that the data was stolen in August 2013. And even though that was more than three years ago, affected users could be in jeopardy today and tomorrow. Why? Do you remember all of the information in your Yahoo account, particularly if you haven’t used it in a while?
Let’s work through a few scenarios to figure out what could go wrong in an email breach.
Login credentials and security questions used elsewhere?
The most critical issue is credential reuse. If attackers obtained your username and password from this breach, ask yourself: where else did you use that same combination? Social media? Your bank account? Perhaps your retirement plan?
If you're sure you haven't reused that password, good for you. There is still more to consider, though. What about the security questions and answers that so many sites use to let you reset a password? An attacker would not need much skill to take the Q&A from your breached Yahoo account and try it against your other accounts.
Yikes! Email accounts contain a whole lot of info
What else is in that old email account? Consider your profile settings. Full name, home address, phone number, date of birth, backup email addresses—all valuable information for an attacker targeting you.
Is that old account the password recovery address for other online accounts? If so, a thief would only have to request a password reset and choose the old account as the delivery method. How would they discover where you have other online accounts? The emails sitting in the breached mailbox tell them, and so do your profile details combined with a little time on Google.
Don’t let what’s personal become public
It already sounds bad, but it doesn't stop there. Think about the content of your email and related chat messages, including attached photos: private conversations, bank and credit card statements, health information, purchase history. What if all of that were posted on the internet for everyone to see?
What about your list of contacts? An attacker could now pretend to be you and send them anything, including harassing messages and even malware.
So what can you do? Go into those old accounts and clean them up. Delete emails, chat messages and profile information. If you decide you’re not going to use that account anymore, why not delete the account itself? It’s better to do this before a breach happens, but better late than never.
And before you see that next headline mentioning a data breach at a site you haven’t used in ages, do yourself a favor: Log in and take action.
Posted by Joe Gervais, LifeLock cybersecurity expert