Updated on December 10, 2021
Yet another security breach has happened, and this time, the victim’s Yahoo.
Yahoo’s reported that a security breach has led to a whopping 500 million users’ information stolen. To quote the New York Times:
In a statement, Yahoo said user information — including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions — was compromised in 2014 by what it believed was a “state-sponsored actor.”
“State-sponsored actor” usually means a hacker that’s being backed by a country’s government.
Making this even worse is that the security breach happened back in 2014. However, it’s only coming to light just now. How this will affect Yahoo’s recent sale to Verizon isn’t certain.
It’s also unknown why Yahoo’s been this slow to discover and report on this breach. As the Times notes:
Two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.
That said, Yahoo’s security breach has come to light faster than the recently-reported ones for Dropbox and Last.fm.
Still, it’s time again to change your passwords. While I’d check on any related Yahoo services, some say that Tumblr shouldn’t be affected by this. Still, updating passwords even for Tumblr might not be a bad idea. Plus, it can’t hurt.
As I’ve written before, the usual password security tips still apply. Use at least 12 characters with a mix of punctuation/capitalization; use a unique password for each site; and try to use a password manager.
Mashable and a few others have also suggested switching to non-Yahoo services, such as Gmail/Outlook or 500px. Given Yahoo’s ongoing problems, plus changes in various online services in recent years, it might be worth considering.