The company admitted Thursday that user information from 500 million accounts was hacked in late 2014. According to a blog post from Yahoo’s chief information security officer, Bob Lord, the hacked information included passwords, email addresses, phone numbers and security questions.
While it’s unknown to what extent the stolen data has been or will be circulating, giant breaches can send ripples of insecurity across the internet.
“Data breaches on the scale of Yahoo are the security equivalent of ecological disasters,” tweeted Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania.
Experts are now worried about a technique known as “credential stuffing,” which works by throwing leaked username and password combinations at a series of websites in an effort to break in.
Think of credential stuffing like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. The bigger issue is that software makes this trial-and-error process practically instantaneous.
Credential stuffing typically succeeds between 0.1 per cent and two per cent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security.
That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.
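The pattern described above leaves a footprint a defender can look for: one source trying many different usernames in a short time, with the low success rate the article quotes. The following is an added example, not code from the article or from Shape Security; the login events are constructed sample data and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, source IP, username, outcome); not real data.
# 203.0.113.7 cycles through many different accounts within seconds, mostly failing,
# which is what credential stuffing looks like; 198.51.100.4 is one user who mistyped once.
SAMPLE_EVENTS = [
    ("2016-09-23T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2016-09-23T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2016-09-23T10:00:02", "203.0.113.7", "carol", "fail"),
    ("2016-09-23T10:00:03", "203.0.113.7", "dave", "success"),
    ("2016-09-23T10:00:04", "203.0.113.7", "erin", "fail"),
    ("2016-09-23T10:00:05", "203.0.113.7", "frank", "fail"),
    ("2016-09-23T10:01:10", "198.51.100.4", "grace", "fail"),
    ("2016-09-23T10:01:25", "198.51.100.4", "grace", "success"),
]


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.25):
    """Flag source IPs that, within any `window`, tried at least `min_users`
    distinct usernames with a success rate at or below `max_success_rate`.
    Thresholds are assumed values for illustration; tune them to your own traffic.
    Returns {src_ip: {"attempts": n, "distinct_users": n, "successes": n}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the left edge forward until the window spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, o in span if o == "success")
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                # Keep overwriting so the reported stats cover the widest matching window.
                flagged[ip] = {"attempts": len(span), "distinct_users": len(users),
                               "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

A single-account lockout policy would not catch this source, since each account sees only one attempt; the signal is per source, across accounts.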
So will the big Yahoo breach mean an explosion of smaller breaches elsewhere?
Ghosemajumder believes there could be a steady increase in attempts as cybercriminals replenish their stock of freshly hacked passwords. He also noted that Yahoo passwords may have already been used to hack other services, and because the initial breach occurred in late 2014, hackers may have had access to the data for as long as two years.
If you were affected by the breach, Yahoo recommends that you change your password as soon as possible. In this case, users should also change their security questions and answers, whether or not those were stored encrypted.
Data breaches highlight the importance of secure passwords
This is also a good opportunity to highlight the importance of creating a secure, hard-to-guess password.
Stay away from easy-to-guess passwords like “1,2,3,4” or “Password” and easy-to-guess identifiers like your dog’s name.
Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.
One tip is to construct a password from a sentence and mix in a few upper-case letters and a number; for example, “There is no place like home” would become “tiNOplh62.”
Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.
– With files from Global News reporter Nicole Bogart