I have seen a lot of posts on various tech blogs about the Yahoo! data breach announced last week and many of them make the same tired jokes about the fact that the 500 million compromised accounts were likely last used in 2003. One meme that circulated today noted that Yahoo!’s traffic was up substantially as everyone logged into their account for the first time in years – only to change their password and log out again. A good friend last week asked why this was making news, despite the fact that Yahoo! is a shadow of its former self.
To understand why the breach is a big deal – beyond the simply unimaginable scale – you have to understand how hackers are using this data. Once you grasp that, you should come away with two things, an abiding fear of your own security and a desire to correct its deficiency.
Large scale data breaches are problematic primarily because the average user somewhere between one and a small handful of passwords they reuse across many sites. You may have accounts on dozens or hundreds of sites, but precious little differentiation between the passwords. So when a large scale hack happens – especially when passwords are compromised – those records can be used to subsequently test the same login credentials on another site.
So here is what that looks like in practice. If the hacker has your Yahoo! address and password, they can script an attack on Facebook or LinkedIn to use that as your login. If they find the combo works, great! If they also get a secondary/recovery email address, they now may have the same password you use on Gmail, or Hotmail. A quick filter of the compromised data by domain and suddenly they can script hundreds of additional attacks on other sites.
So what can you do about that? The answer is pretty simple – STOP USING THE SAME PASSWORD ON EVERY SITE. Every site you visit should have a unique password, and ideally that password should be REALLY hard to break manually. Here is a good example:
That hot mess was automatically generated by the password keeper I use, KeePassX. There are others out there, like LastPass. The point is, there are solutions for the fact that people are incapable of memorizing hundreds of unique passwords, and you should look into one – REALLY soon.
These breaches are going to continue, and as long as you are using P4$$word! as your login for every account you have, you’re going to fall victim to them – if you haven’t already.
The breach of 500 million Yahoo! accounts matters, even though Yahoo! doesn’t, because it adds fuel and armament to the tank that hackers are driving through the Internet. As it cruises along, their ability to snarf up more and more of your accounts gets better an better. And as long as you are still using the same password on every site, you are doing precious little to stop it.