A recently discovered Yahoo database containing approximately 1 billion Yahoo accounts was for sale on the Dark Web. The compromise occurred in 2013 and is separate from the later attack in 2014, which compromised approximately 500 million accounts. The compromised data included:
- Name
- Encrypted Password
- Phone Number
- Date of Birth
- Unencrypted security questions and answers that are used to reset a password.
Even though the passwords were encrypted, it's just a matter of time before a hacker can perform a brute-force attack against the encrypted password and crack it. For more information, check out the password-cracking server monster here: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/. If you currently have a Yahoo account, you've probably already reset your password. If you haven't reset your password yet, please do it immediately. We have some other suggestions in light of this hack:
- Same password? If you have any other accounts that used the same password as your 2013 Yahoo account, immediately reset those passwords.
- Security Questions. If you used the same security questions as the ones used when you had the Yahoo 2013 account, reset those questions as well.
Of course, DO NOT use the same password for all accounts, and reset your passwords on a regular basis. Remember that your email password is one of the most important passwords you own, because it is used to reset the passwords on other accounts. For high-value accounts, consider using multi-factor authentication if it's available. Multi-factor authentication typically sends a one-time-use password to your phone as a text message after you've successfully logged in. Stay safe out there!