By The Herald Editorial Board
Yes, you should change your password.
If you have a Yahoo email account, it’s very likely yours was one of 500 million accounts that were compromised by hackers more than two years ago in a breach that was discovered only months ago.
Yahoo announced last week that user information in accounts — including the email addresses, names, telephone numbers, birth dates, encrypted passwords and security questions — was compromised in 2014, though the security breach wasn’t discovered by Yahoo until this summer when some of the information turned up on a site used by hackers to sell personal data.
And it’s not Yahoo’s first such breach. Another 450,000 accounts were hacked in 2012.
The information lost, on its own, is not enough for bad actors to commit identity theft or create new credit accounts, said a news release from the Washington Public Interest Research Group, but it could be used in “phishing” attempts to trick people into providing the information that can lead to identity theft. WashPIRG warned those with any email account, Yahoo or not, to be suspicious of emails that ask for verification or submission of additional personal information.
Likewise, the Washington state Department of Revenue warns against clicking on links or opening attachments in emails. Instead, go directly to a company’s web page and confirm its authenticity before submitting information.
The Yahoo hack is believed to be the largest such security breach, and one that could create headaches for users. It could be especially costly for Yahoo, which could face a class-action lawsuit. Remediating the data breach, a New York Times story said, could cost Yahoo more than $200 for each affected account. And the breach comes as Verizon is attempting to finalize its purchase of Yahoo for $4.8 billion.
Democrats in the U.S. Senate are calling for a federal “breach notification standard,” to replace varying state standards, the Times also reported.
As we’ve seen in recent hacks, such as those of Sony Pictures, Target, the Democratic National Committee and even former Secretary of State Colin Powell, preventing and even detecting data breaches is difficult. Consumers might want to reconsider what information they are comfortable providing to websites and other services.
A single standard for notifying the public of a data breach would help, as would more investment in security by the companies we entrust with our information.
But as usual, the best bet is for individuals to take responsibility for their own data security by closing old accounts that they don’t use anymore, changing passwords and security questions regularly and being wary of requests in emails and by phone for information.
Among tips offered by the New York Times and others:
Along with changing your password, make sure you don’t use the same password at multiple sites.
Use a password manager, such as LastPass or 1Password, which creates unique passwords for multiple sites and stores them in a database that is accessed with a master password that you create.
Create passwords that are long and complex, for example a nonsense phrase that also contains numbers and special characters.
And choose security questions whose answers don’t contain information that could be easily discovered on your social media sites, including schools you attended, pet names or favorite bands.
Free email sites, such as Yahoo and Gmail, are a great service, but their popularity has made them a fat target for identity thieves. Some diligence and care can help preserve their utility and our personal information.