Yahoo didn't have enough problems as it tries to sell off much of itself? Early signs the company was hit by a big data breach, as my colleague John Brandon wrote, turned out to be true. Except, it was beyond big. We're talking about 500 million records stolen in 2014 and only coming to light now.
It's hardly the first time someone broke into supposedly secured data and made off with millions of records. But this dwarfs most cases and may literally be the worst data loss of all time. To put this into perspective, I recently spoke to an analyst who covers security in financial services. The year 2015 was considered really bad because a total of 500 million records were lost. This year will make last year look like a cakewalk.
Whether or not you have a Yahoo account doesn't matter. It's time to get really serious about protecting yourself and your data. Having done research into identity theft in depth in the past, I can confidently say you don't want it to happen to you. Identity theft can cost you ridiculous amounts of money and time to clear up, it can cost you even more out of pocket if you don't know how to deal with it (especially as there are deadlines you'll have to meet), and it can take years -- yes, literally years -- to remedy.
Much of this comes down to taking care of your data. And yet, as the numbers keep showing, an overwhelming number of people still take foolish chances. Here are a number of steps you can start taking today to improve your chances of reducing the impact a data breach will have on you.
Don't use the same password on two different sites.
Tons of people don't want the difficulty of remembering passwords, so they use the same one for all their accounts, or perhaps alternate between two or maybe three. This is asking for trouble. Should records be breached through no fault of your own, criminals might start trying your email address and password on all kinds of sites. Repeated passwords mean a much better chance of success.
Once they're in another account, they may be able to leverage that information to get even further. For example, if a company you've done business with has recorded the last four digits of your Social Security or credit card number anywhere, including on records of orders, that's additional material for people to prove they are you by talking to helpful customer service personnel at yet other sites. "What are the last four digits of the credit card you used to establish this account?" Sound familiar? And then if the security questions are available (and they were with some of the Yahoo accounts), that's an extra tool. So, never repeat passwords.
Use long, random passwords.
If your password is "password" or "12345" or something like that, you're begging to be hacked. Forget what you think is clever, like substituting the number 3 for the letter e. Password cracking programs, of which there are many, can barrel through such attempts at obfuscation. Forget anything that sounds like a real word or that is a number with some significance to you.
People breaking into accounts generally do so as a business. The harder it is, the more likely they're going to pass by your account and go to the next one. Take advantage of this practicality and use passwords that are 20 or 30 characters long and that include a random mix of letters, numbers, and odd characters.
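As an added illustration (not part of the original article), the Python sketch below shows why the substitution trick fails even a basic screening check, and what a generated password in the 20-to-30-character range looks like by comparison. The deny-list, the substitution table and the function names are assumptions made for this example.

```python
import math
import secrets
import string

# Constructed deny-list for this example; real screening uses far larger lists.
COMMON = {"password", "12345", "letmein", "qwerty", "welcome"}

# Substitutions people assume are clever; undoing them is a table lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_guessable(candidate: str) -> bool:
    """True if the password matches the deny-list as typed, after dropping
    trailing digits (a year, a counter), or after undoing substitutions."""
    raw = candidate.lower()
    stripped = raw.rstrip(string.digits)
    forms = {raw, stripped, raw.translate(LEET), stripped.translate(LEET)}
    return any(form in COMMON for form in forms)


def generate(length: int = 24) -> str:
    """Uniformly random password drawn from the operating system's CSPRNG."""
    if not 20 <= length <= 30:
        raise ValueError("length outside the 20-30 range used in this example")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("P4ssw0rd", "passw0rd2016", generate()):
        print(f"{pw!r}: guessable={is_guessable(pw)}")
    print(f"20 random characters: about {entropy_bits(20):.0f} bits")
```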
Use a password manager.
Don't depend on memory or keeping a notebook with all your passwords. You won't remember the many different passwords you'll need and a lost notebook will leave you screwed. Use a password manager that can generate random passwords, remember them and the sites they're associated with, and potentially keep them in a cloud so you can get access anywhere.
Now, there is one potential weakness. You need a password for the password manager, and if it isn't tough enough and someone breaks in there, your security is hosed. In particular, if there is a cloud option that synchronizes your passwords between devices, you want the data stored only in encrypted form, and in such a way that the service provider can't decrypt it. And if you lose the password and can't recover it (some services make that impossible so no one can give your master password to the wrong person), there may be nothing left.
Maybe you write this one password down and hide it away in your home someplace where no one else will come across it. Overall, though, a password manager is really good to use.
Use two-factor security.
With two-factor security, there is another step you have to take to get into an account. Typically, you get a code on your phone, either through a text or an app, which you need to provide, in addition to your user name and password, to log in.
It's a pain, yes. Too bad--do it anyway, at least on the accounts that might have your credit card or other data that would be really bad to have in the hands of others.
Learn the basic steps of identity theft recovery.
When you learn your information may have been compromised, you're already behind the gun. There are many steps to take, including examining credit reports for potential unauthorized activity, checking with your bank, putting credit holds on your account with the major credit reporting agencies, and filing police reports.
Go do some research now and at least know where you'll pull up the necessary information if and when the worst happens. Preparation speeds response, and that's what you'll need.