Y! the Yahoo hack does affect you
04 Oct 2016
Note: This is a cross post from http://blog.sherpamarketing.ca
It's been a little over a week since Yahoo confirmed it had been hit with a massive security breach. The hackers gained access to over 500 million user records back in late 2014. To date, this data breach is the largest in history.
Most of the people I know claim to not have a Yahoo account. Most people see a Yahoo email address as a sign of limited technical knowledge, almost a sign of shame. However, if you ask the same people if they play Fantasy Sports using the Yahoo app, the answer changes. A lot of people also seemed to have set up a Yahoo mail account years ago as their throwaway email account.
Anyone who has a Yahoo account, for whatever reason, needs to log in and change their password.
I've heard a lot of people say "well I never use the account anymore". The problem with this line of thinking is that the data that was stolen included personal information, date of birth, phone numbers, hashed passwords and security questions and answers.
It's that last piece of information that is worrisome. Many accounts today have you answer two or three questions that they will use to confirm your identity when you forget your account. The largest problem with security questions is the static answers. Your mom NEVER changes her maiden name. You cannot go back in time to change the name of your first pet. While most of these answers can be found in social media anyway, they never change. If they are available in the Yahoo breach, they can be used by hackers to reset passwords to other accounts.
Security experts have been preaching for years that everyone needs to use password managers to easily allow the common user to have long, random and DIFFERENT passwords for each website. While this will help with keeping our accounts secure, we need to apply this same principle to our security questions.
Each time we fill out a security question for a site, we should answer it with a random password. Storing this information in a secure password manager like LastPass or 1Password will allow you to find it whenever you need to supply it to the website again.
I'm sure my mother would be shocked to learn that her maiden name is yWVG\fU`{y#i, 3Z9W51TtKLNQ and ut$-%F35; however, it will protect me from data breaches in the future containing this information.
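To put the advice above into practice, the following added example (not part of the original post) checks a list of stored security answers for reuse across sites and replaces the reused ones with random values. The site names, questions and answers are constructed sample data, and the case- and whitespace-insensitive comparison is an assumption about how sites may match answers.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample data: (site, security question, stored answer).
SAMPLE_VAULT = [
    ("mail.example", "Mother's maiden name?", "Smith"),
    ("bank.example", "Mother's maiden name?", "smith "),
    ("shop.example", "Name of first pet?", "Rex"),
    ("forum.example", "Name of first pet?", "k3V9qTz0LmXw"),
]

ALPHABET = string.ascii_letters + string.digits


def normalize(answer):
    """Assumption: a site may ignore case and whitespace when comparing
    answers, so 'Smith' and 'smith ' count as the same answer."""
    return "".join(answer.lower().split())


def find_reused_answers(vault):
    """Return {normalized answer: sorted sites} for answers on 2+ sites."""
    sites_by_answer = defaultdict(set)
    for site, _question, answer in vault:
        sites_by_answer[normalize(answer)].add(site)
    return {a: sorted(s) for a, s in sites_by_answer.items() if len(s) > 1}


def random_answer(length=16):
    """Draw an answer from the OS CSPRNG. Letters and digits only, so it
    fits answer fields that reject punctuation."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_reused(vault):
    """Give every site that shares an answer its own fresh random answer."""
    reused = find_reused_answers(vault)
    return [
        (site, q, random_answer() if normalize(a) in reused else a)
        for site, q, a in vault
    ]


if __name__ == "__main__":
    print("Reused:", find_reused_answers(SAMPLE_VAULT))
    for entry in rotate_reused(SAMPLE_VAULT):
        print(entry)
```

The new answers still have to be saved in the password manager and updated on each site; the script only shows which entries share an answer and what a replacement looks like.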