Online security is a tricky business, and one that’s dominated by a single factor. That single factor is money, because while the history of malware started with mostly prank-based or destructive software, for some years now it’s been a matter of cold, hard cash. The ways that the money is generated vary depending on the value of your online data; it’s not just a matter of access to, say, bank accounts or credit cards.
It recently emerged that online services owned by Yahoo! were seriously compromised, to the extent that every single Yahoo! account may have been affected in a significant way. Yahoo! isn’t quite the online powerhouse that it was ten or more years ago, but the chances are decent that you may have had a Yahoo! account, whether for free online email, or any of its subsidiary brands.
The breach itself appears to have happened back in August 2013, and is distinct from a separate breach that the company disclosed back in September (Yahoo’s data breach may be good for overall security standards) which allegedly saw some 500 million email accounts compromised. What that means is that Yahoo! has been the site of effectively two of the worst security breaches in online history. That’s not an award anyone in business wants to win.
For its part, the company has said that it doesn’t think that personal credit card information was included in the breach, but it does appear that other personal information may have been compromised. That still has value on the darker parts of the web, whether to try to then scam you further down the line, or simply for identity theft purposes.
You could always take the step of deleting your Yahoo! account, but the realistic picture here for a breach that happened three years ago is that whatever damage was going to be done is, in one sense, old news. Any leaked information has probably been sold, possibly multiple times.
It really does highlight a serious issue with breach reporting, simply because a day-old breach is an issue, but a three-year-old breach means that information online may have changed hands multiple times. It’s hardly a ringing endorsement of Yahoo!’s security practices, and certainly if you’re unhappy with the company then you could delete your accounts, but it’s not going to markedly change what’s already happened.
So what can you sensibly do? It should go without saying that if you do have a Yahoo! account, you should at the very least change your password, especially if it’s remained unchanged for the past couple of years.
You should also take the opportunity to audit your other online services, both for passwords and for features such as two-factor authentication, in order to lock them down as well as possible. A major breach like this always brings out the chancers as well, so be wary of any automated email that offers to reset your password for you. The odds are just as good that such an email is an attempt to get access to your account, even if you have changed your login details to remain secure.
While Yahoo! maintains that it doesn’t think financial details were compromised, it’s equally a wise step to keep an eye on your accounts for any kind of unusual activity. That won’t always be someone trying to buy a Lamborghini somewhere in the middle of Russia straight away, but could instead be a smaller, hard-to-notice charge for just a dollar or two, made to test the account. See something like that on your account, and it’s time to contact your bank to check that your money is still secure.
It’s frustrating that a lot of online security lies beyond our own individual control, but that doesn’t mean there’s nothing you can do for your part to keep your own individual information secure. Governments are still struggling to work out how breach reporting in cases like this should work, and we should see some emerging standards for this kind of matter in the coming years.