By Laura Haight
Just because you don't have a Yahoo! email account doesn't mean that you are not affected by the massive hack announced yesterday.
Yahoo is a massive enterprise with many services that are provided as backend authentication for other businesses. So your password, email address, and security questions may have been compromised if you have some of these services as well:
- Flickr, the popular online photo service, uses Yahoo! for login and password authentication.
- Tumblr, the social media/website service, is owned by Yahoo!
- Rivals, a fantasy sports service, is also a Yahoo! company
- AT&T, uses Yahoo! email as a back-end service provider. When you are logging into your AT&T account, you are using Yahoo! mail.
This is a newly disclosed attack and NOT an expansion of another 2013 attack that affected some 500 million Yahoo! customers.
Yahoo! has not released detailed information, but if you have an account with any of these services, or a Yahoo! mobile app on your phone or tablet, you should immediately change your password on every site, service or app where you may have used the same password OR the same security questions/answers. Better yet, based on Yahoo!s abysmal record of security, it may be time to divest yourself of the connection and find other more secure providers. According to the New York Times Yahoo! has back-burner'd security where other large online service providers have been more proactive.
While we are at the mercy of businesses that we provide our information to to protect it, we can minimize the damage by doing these four things.
- Use a different password or passphrase for every place that you provide a password. This sounds onerous and it is certainly more difficult than remember your spouse's birthday. But it is a small price to pay for losing your identity or having your credit cards, bank accounts or other critical information hacked.
- Be more discriminating about sites and services where you have to sign in. Not only will you be safer, you'll get less email.
- Do not use true information in security questions. Often these can be divined by reviewing social media posts of you or your friends. A hacker who has your email address may readily be able to find out your dog's name, your husband's birthday, your first car.
- Wherever it is offered use two-factor authentication, preferably through an app like Google Authenticator, or a physical device, like an RSA token, that is not connected to your smart phone.