CASE STUDY – Yahoo hacks: Stolen data threatens users and their employers

CASE STUDY – Yahoo hacks: Stolen data threatens users and their employers


SUNNYVALE — With Yahoo’s hacked information reportedly showing up on the dark web, cybersecurity experts warn that sloppy password habits can lead to trouble for users, and sometimes their employers.

Yahoo on Wednesday revealed that in 2013 hackers stole personal data from more than a billion user accounts. That revelation followed the firm’s September announcement that at least a half-billion accounts were hacked in 2014.

The stolen data may have included scrambled passwords, plus security questions and answers, phone numbers and dates of birth, Yahoo said.

The pilfered passwords pose the dominant problem, cybersecurity experts said. The password-scrambling technology Yahoo has admitted to using has for years been considered by the Carnegie Mellon University Software Engineering Institute to be “cryptographically broken and unsuitable for further use.”

And typically, many people use the same email address and password to log into multiple accounts. That means if a criminal has someone’s Yahoo email address and password, they may be able to use those credentials to access sensitive accounts, such as for banking and online shopping.

Even many people who use different passwords just make tweaks to the same one, and criminals can “guess” them using automated systems, said Emmanuel Schalit, CEO of Dashlane, which offers a free service for saving passwords in a secure database.

“Hackers have built software to recognize variations,” Schalit said.

Schalit and other cybersecurity experts strongly recommend that people use a different password for every online account so that if one is hacked, as in the Yahoo breaches, it can’t be used to get into other accounts.

However, Dashlane’s research indicates that every five years the average American doubles the number of online accounts they’re using. A different password for each is too much for most people to remember, Schalit said.

Internet users “absolutely” should use a different password for every account and keep track of them with a password-management service, said Jason Rose, senior vice-president of marketing at Mountain View identity-management firm Gigya.

Yahoo users are now also at risk of identity theft, because criminals can use email addresses, and possibly other stolen information, to pose as the user, Schalit said.

“An email account is a very vulnerable door to your identity,” Schalit said.

And Yahoo email addresses and passwords aren’t the only stolen information useful to hackers and potentially costly to users. Dashlane tested a tool enabling it to scan contents of emails, and found that many messages contained credit card numbers, unscrambled passwords and social security numbers.

Also, in both Yahoo hacks, security questions and answers were stolen. Because security questions are fairly standardized across many online services — your mother’s maiden name, for example — criminals can try a Yahoo user’s security answers elsewhere online, such as on retailers’ websites, and access accounts by resetting the password via the security questions. Security experts advise using different questions, or different answers to the same question, for each account. Some password-management services store this information as well.

Yahoo account holders who changed their passwords after September’s news of the 2014 hack may have protected their Yahoo accounts but still risk having data from either Yahoo hack used for identity theft or illegal access to other accounts, cybersecurity experts said.

Many businesses’ databases, containing proprietary and confidential information, are now vulnerable to attack after the Yahoo hacks, Schalit said. Because people often use the same passwords for their workplace accounts as for their personal accounts, criminals or cyber-spies could get into company systems using the stolen Yahoo data, Schalit said.

Liability for damages arising from a security breach at a business falls largely on the company for letting itself get hacked, Rose said. Businesses therefore must protect themselves from their employees’ bad habits, Rose said.

Rose and other security experts advise internet users to set up two-factor authentication — which requires a second data input beyond username and password — on all accounts for which it is available.