
How Yahoo’s massive password breach could end up affecting other online accounts

This Jan. 14, 2015 file photo shows Yahoo's headquarters in Sunnyvale, Calif. On Thursday, Sept. 22, 2016, the company disclosed hackers stole sensitive information from at least 500 million accounts. (AP Photo/Marcio Jose Sanchez, File).

LONDON – As investigators weigh the damage of Yahoo’s massive data breach, security experts worry that the record-breaking haul of password data could be used to hack other accounts.

The company admitted Thursday that user information from 500 million accounts was hacked in late 2014. According to a blog post from Yahoo’s chief information security officer, Bob Lord, the hacked information included passwords, email addresses, phone numbers and security questions.

While it’s unknown to what extent the stolen data has been or will be circulating, giant breaches can send ripples of insecurity across the internet.


“Data breaches on the scale of Yahoo are the security equivalent of ecological disasters,” tweeted Matt Blaze, a security researcher who directs the Distributed Systems Lab at the University of Pennsylvania.


Experts are now worried about a technique known as “credential stuffing,” which works by throwing leaked username and password combinations at a series of websites in an effort to break in.

Think of credential stuffing like a thief finding a ring of keys in an apartment lobby and trying them, one after the other, in every door in the building. The bigger issue is that software makes this trial-and-error process practically instantaneous.

Credential stuffing typically succeeds between 0.1 per cent and two per cent of the time, according to Shuman Ghosemajumder, the chief technology officer of Mountain View, California-based Shape Security.


That means cybercriminals wielding 500 million passwords could conceivably hijack tens of thousands of other accounts.
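The defensive counterpart to the attack described above is spotting it in login telemetry. The following is an added example (not code from the article or from Yahoo or Shape Security) that runs a simple credential-stuffing detector over constructed web-server authentication log lines. The signature it looks for is the one the article implies: one source address trying many distinct usernames, roughly once each, with a failure rate that matches the quoted 0.1 to 2 per cent hit rate. The log format, the IP addresses, the usernames and the thresholds (five-minute window, at least ten distinct usernames, at most five per cent success) are all assumptions chosen for the example.

```python
"""Added example: flag credential-stuffing patterns in constructed auth logs.

Credential stuffing replays leaked username/password pairs, so from the
defender's side it looks like one source trying MANY distinct usernames,
each a handful of times at most, with almost every attempt failing. A
brute-force attack on a single account looks the opposite (one username,
many attempts), so the rule below deliberately ignores it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> <ip> <username> <OK|FAIL>"
def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_distinct_users=10, max_success_rate=0.05):
    """Return {ip: stats} for every source whose sliding window of attempts
    spans at least `min_distinct_users` usernames and succeeds at most
    `max_success_rate` of the time. Thresholds are illustrative assumptions."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)       # ip -> attempts inside the current window
    flagged = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:   # drop attempts that aged out
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, k in q if k)
        if len(users) >= min_distinct_users and successes / len(q) <= max_success_rate:
            flagged[ip] = {"attempts": len(q),
                           "distinct_users": len(users),
                           "successes": successes}
    return flagged


def build_sample_log():
    """Constructed sample: one stuffing source, one clumsy real user, one
    single-account brute force. Addresses are documentation ranges."""
    base = datetime(2016, 9, 22, 10, 0, 0)
    lines = []
    # Stuffing: 40 leaked usernames tried once each; one pair happens to work
    for i in range(40):
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"203.0.113.7 user{i:02d}@example.com {result}")
    # Legitimate user mistyping a password twice before getting it right
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} "
                     f"198.51.100.20 alice@example.com {result}")
    # Brute force against one account: many attempts, one username
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"192.0.2.9 carol@example.com FAIL")
    return lines


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(build_sample_log()).items():
        print(ip, stats)
```

Only the first source is flagged: the real user never reaches ten distinct usernames, and the single-account brute force has one. In production the same rule would be run per source after allowing for shared NAT addresses, and the window and thresholds tuned to the site's normal login volume.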

So will the big Yahoo breach mean an explosion of smaller breaches elsewhere?

Ghosemajumder believes there could be a steady increase in attempts as cybercriminals replenish their stock of freshly hacked passwords. He also noted that Yahoo passwords may have already been used to hack other services; and because the initial breach occurred in late 2014, hackers may have had access to the data for as long as two years.

If you were affected by the breach, Yahoo recommends that you change your password as soon as possible. In this case, users should also change their security questions and answers, whether or not those were stored encrypted.


Data breaches highlight the importance of secure passwords

This is also a good opportunity to highlight the importance of creating a secure, hard-to-guess password.

Stay away from easy-to-guess passwords like “1,2,3,4” or “Password” and easy-to-guess identifiers like your dog’s name.

Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.


One tip is to construct a password from a sentence, mixing in a few upper-case letters and a number; for example, “There is no place like home” would become “tiNOplh62.”

Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Likewise, the longer the password, the better.
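The password advice in the paragraphs above can be turned into a check that a site (or a password manager) runs when a user picks a new password. This is an added example, not code from the article or from Yahoo: it rejects entries from a small constructed blocklist of common passwords (compared by SHA-1 so the plaintext list never needs to sit next to the check), flags personal details the user supplied such as a pet's name or a birth year, and estimates how many bits of brute-force search a password represents, which is where length wins. The blocklist contents, the minimum length of eight, the year range and the personal-detail list are assumptions for the example.

```python
"""Added example: apply the article's password-hygiene rules as a check."""
import hashlib
import math
import re

# Constructed blocklist standing in for a real breached-password corpus.
WEAK_PASSWORDS = {"1234", "123456", "password", "qwerty", "letmein", "yahoo"}
# Keep only hashes so the check never needs the plaintext list at hand.
BLOCKLIST_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in WEAK_PASSWORDS}


def estimate_bits(password):
    """Rough brute-force cost: length * log2(size of the character classes used).
    Shows why a longer password beats a short one with more symbol variety."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    charset = sum(size for pattern, size in classes if re.search(pattern, password))
    return 0.0 if charset == 0 else len(password) * math.log2(charset)


def check_password(password, user_hints=(), min_length=8):
    """Return a list of problems with `password`; an empty list means it passes.
    `user_hints` are personal details the user is known by (pet name, birth
    year, street number) that must not appear in the password."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if hashlib.sha1(password.lower().encode()).hexdigest() in BLOCKLIST_SHA1:
        problems.append("appears in the common-password blocklist")
    lowered = password.lower()
    for hint in user_hints:
        h = str(hint).lower()
        if len(h) >= 3 and h in lowered:
            problems.append(f"contains personal detail {hint!r}")
    # A four-digit run that looks like a year is the 'current year / birth year' trap.
    for run in re.findall(r"\d{4}", password):
        if 1900 <= int(run) <= 2030:
            problems.append(f"contains a year-like number {run}")
            break
    return problems


if __name__ == "__main__":
    hints = ["Rex", 1984]            # constructed: the user's dog and birth year
    for candidate in ["Password", "rex1984!", "tiNOplh62", "there is no place like home"]:
        print(f"{candidate!r}: {estimate_bits(candidate):.0f} bits,",
              check_password(candidate, hints) or "ok")
```

The article's own example, "tiNOplh62", passes the checks, while "Password" is caught by the blocklist and "rex1984!" by the personal-detail rules. The bit estimate also makes the "longer is better" point concrete: the full sentence the example was built from scores far higher than its nine-character abbreviation, even though it uses only lower-case letters and spaces.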

– With files from Global News reporter Nicole Bogart
