Yahoo admit 1bn accounts accessed in 2013 hack
The details from more than one billion accounts may have been accessed by hackers during a 2013 cyberattack, Yahoo have admitted.
Among the information believed to have been stolen in the attack are names, email addresses, dates of birth, and even some encrypted security questions and answers.
Yahoo have started contacting those whose accounts they suspect of having been affected - there's a copy of the message here - broadly offering the usual advice about making sure we change our passwords and watching for suspicious activity on our accounts.
It's the second such large-scale hack Yahoo have had to confess to in recent months, following the revelation in September that an estimated 500,000 accounts were accessed in 2014.
While any company that believes they may have suffered a data breach of some sort are only being responsible in telling us to change our passwords, it can sometimes feel about as much use as locking the stable door after the horse has bolted.
For all the criticism TalkTalk received about their handling of the October 2015 data breach, they deserve some praise at least for being so quick to inform users and the wider public.
No more than a day after the attack, TalkTalk had gone public, confirming the involvement of the Metropolitan Police Cyber Crime Division; by the following morning they were offering free credit monitoring to their customers.
Many of those wanting to secure their accounts as soon as possible by changing their login details found themselves frustrated by TalkTalk's own attempts to keep them safe: the ISP kept potentially vulnerable parts of their site offline for some time afterwards.
Old accounts risk new accounts
Here's the deeper problem. Then, as now, it isn't just current users who are affected: as The Telegraph reported in the immediate aftermath of the TalkTalk hack, the ISP couldn't rule out that details of their former customers were among those lifted.
Therefore anyone who's had an account with TalkTalk in the past few years, and anyone who's had an account with Yahoo (or one of their many companies, including Flickr and Tumblr) in the past few years, is potentially vulnerable as a result of these breaches.
We know that we're supposed to use different passwords for different accounts, and change them regularly, but unless prompted many of us stick with the same ones for years, using them on multiple accounts with perhaps only a little variation.
And while existing users can be alerted and given the chance to change their security credentials, those of us with lapsed, closed, or forgotten accounts don't have the same luxury.
So what can we do?
Change your passwords
Anyone wondering about an email address or username - whether current or historic - can visit HaveIBeenPwned? to check whether it was lifted in any of the large-scale hacks where the illegally accessed data has since been made public.
These include attacks on LinkedIn, Dropbox, Adobe and Tumblr - but as yet it's not clear if the data lifted from Yahoo has been shared in a way that this site can trace.
The next step is simple: get a password manager, one with a built-in password generator. Mac users should have access to one already - Apple Safari can generate random passwords, then store them in iCloud Keychain.
LastPass and KeePass are free to use and highly rated; it's also worth checking to see if there's a password management tool available from whoever provides our computer's anti-virus and other security programs.
Check that it's compatible with every type of device in the house, then download it to them all, and start using it to update then securely store every account password you can think of.
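The two steps above, checking whether a credential has already surfaced in a public breach dump and generating a fresh random password, can be illustrated in a few lines of Python. The block below is an added example written for this article; it is not code from Yahoo, TalkTalk, HaveIBeenPwned or any password manager. It assumes the response format of the HaveIBeenPwned "Pwned Passwords" range lookup (one `SUFFIX:COUNT` line per hash suffix sharing the first five SHA-1 hex characters), and the sample response it parses is constructed inline so that nothing is sent over the network. The password generator draws from the `secrets` module, which is the cryptographically secure choice a password manager's built-in generator would use.

```python
import hashlib
import math
import secrets
import string

# Character set for generated passwords: letters, digits and a few symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length=20):
    """Return a uniformly random password drawn with a CSPRNG.

    Resample until the result contains at least one lowercase letter,
    one uppercase letter, one digit and one symbol, so that it satisfies
    the composition rules most sites still enforce.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold every class")
    while True:
        pwd = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pwd) and any(c.isupper() for c in pwd)
                and any(c.isdigit() for c in pwd)
                and any(not c.isalnum() for c in pwd)):
            return pwd


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy, in bits, of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix
    that would be sent to a range lookup and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} dictionary."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_response):
    """How many times the password appears in the breach corpus, according
    to the range response for its SHA-1 prefix (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The first suffix is the real remainder of that hash; the counts and the
# other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:17
"""


if __name__ == "__main__":
    weak = "password"
    prefix, _ = sha1_prefix_suffix(weak)
    print(f"{weak!r}: prefix {prefix}, seen {breach_count(weak, SAMPLE_RANGE_RESPONSE)} times")
    fresh = generate_password(20)
    print(f"generated {fresh!r} ({entropy_bits(20):.1f} bits), "
          f"seen {breach_count(fresh, SAMPLE_RANGE_RESPONSE)} times")
```

The point of the prefix/suffix split is that only five hex characters of the hash ever leave the machine; the matching is done locally against the returned suffixes, so the lookup service never learns which password was being checked. A 20-character password from this 75-symbol alphabet carries roughly 125 bits of entropy, far beyond anything that could be guessed from a leaked hash.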
Even though older and forgotten accounts may still be vulnerable, spending a bit of time updating newer accounts with more secure credentials will at least help protect us from those old details coming back to bite us.