Yahoo Data Theft Good Reason to Regularly Change Passwords

In case you needed another reason for regularly changing your passwords, the recently-uncovered Yahoo hack of 500 million accounts is probably the reason of the decade so far. The hack and subsequent data theft involving half a billion Yahoo accounts is the largest of its kind – ever. Granted, it is Yahoo, where most people don’t send or store any sensitive data like payment card information (PCI) or other personally-identifiable or compromising information anyway, but it’s the principle of the thing. The Web-based giant has confirmed that the hacked information includes:

  • Names
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Hashed passwords (the vast majority with the password-hashing function bcrypt)
  • And, “in some cases,” encrypted or unencrypted security questions and answers.

Yahoo Serious?

Yahoo is alleging that the massive data breach “didn’t include unprotected passwords, payment card data, or bank account information.” The popular search engine and email host denies that it stores any payment card or bank account information in its database. And, although it blames a “state-sponsored actor” for the cyberattack (apparently from Russia, according to Yahoo and US intelligence officials), the fact remains that Yahoo allowed a hack of epic proportions to happen on its servers and domains, making the practical point clear to all of us: “Change and encrypt your passwords regularly.”

Yahoo Hack

The Yahoo hack resembles previous data breaches of huge Web-based giants like LinkedIn, Tumblr, and Adobe, as well as healthcare facility hacks where Ukrainian hackers claimed responsibility for at least one of them. This latest and biggest hack ever is so disconcerting, because the cyber breach occurred a full two years earlier. It repeats a pattern we have seen in these cybercrime cases where we don’t learn of the data thefts until well after they have happened. And, it’s also disconcerting for another glaring reason: Yahoo failed to inform its users of the hack and suggest a password reset in August 2016 when the news was first made public.

The Password-Changing Argument

There is great debate amongst white hat hackers and IT specialists on whether regular password changes are a good thing or not. The argument for seems to stem from situations like the Yahoo hack – basically, the “change when urgently required” rule. Studies have shown that routine password changes of every few months appear only to frustrate office staff, with new passwords only being variations on old ones anyway, and written on sticky notes attached to monitors, which defeats the purpose of safety. But, the pro-password change argument remains in serious cases like data breaches involving half a billion accounts.

The Takeaway

Basically, no one’s data is 100% safe online, even when supposedly protected over secure servers and databases. Too-frequent password changing may be just as risky as never changing them, so a happy medium here is prudent. A good rule of thumb is to stick with one hard-to-decrypt password, maybe alter a number or letter here and there, and never share any financial or personally-compromising information on unsecured channels of communication.

Alexssa

I first hired John directly as an employee back in 1999.
He was an excellent addition to a growing team at a small technology company. Subsequent to the sale of the company, John branched out on his own and started an IT consulting firm. Since that time, I have not used anyone else. John is capable, personable, has integrity and is also very likable. I would recommend him without reservation.”

  Kevin DiCerbo   

Connect With OffSite IT

  • Los Angeles / Orange County 22607 La Palma Avenue Suite 409 Yorba Linda, CA 92887
  • Chicago 6912 Main Street Suite 214 Downers Grove, IL 60516
  • 1-866-828_-6674 info@offsiteIT.com