We Phish Yahoo! a Merry Christmas :-)
Yahoo! recently announced that a billion user records were stolen from them. Just another run of the mill hack? Apparently not. You see, more than 150,000 U.S. government and military employees are among the victims of Yahoo!’s newly disclosed data breach. And their names, passwords, telephone numbers, security questions, birth dates, and backup e-mail addresses are now in the hands of cybercriminals.
What Is A Backup Email Address And Why Do I Care?
Like many other web services, Yahoo! allows customers to set up a recovery email address. If you forget your password or your account is locked, a special link in an email sent to your backup address can be used to recover your credentials. And apparently, many thousands of those backup email addresses ended in .gov or .mil. Yeah, workers with access to US government systems.
Yahoo! Did Not Know They Were Hacked…
Many have said that there are two types of companies; those that have been hacked, and those that don’t know that they’ve been hacked. In this case, cyber-security researcher Andrew Komarov kindly let the federal government know that he found Yahoo! users’ credentials on the Dark Web, and the feds in turn notified Yahoo!. But that wasn’t even the beginning of the nightmare.
And in fact, Bloomberg News reviewed the database that Komarov discovered and confirmed a sample of the accounts for accuracy. The thought that employees of government agencies like the National Security Agency may have had their personal information stolen immediately sent chills through the security community.
Since a 2015 survey by password manager Password Boss shows that 59 percent of consumers reuse passwords, the chances are high that the passwords on a hacked user’s Yahoo! account and their backup email account probably are the same.
Komarov also found communications from a buyer for the data, but only if it contained information about a very specific set of people. The buyer supplied a list of ten names of U.S. and foreign government officials and industry executives to the hackers, and if their information was included in the stolen online loot, they had a deal.
… for Three Years!
I may have forgotten to mention that the data actually was stolen in August 2013, creating a 3-year opportunity for bad actors and foreign spies (based on the names in the buyer’s request, Komarov is pretty sure that it came from a government) to identify employees doing sensitive and high-security work here and overseas.
So of course, there are lessons on cyber-hygiene to be learned from this story:
- Don’t reuse passwords. Use a password manager if you need to. Personally I use Codebook, but figure out what works for you.
- Use different names on your work and personal email accounts. Work might be firstname.lastname@example.org and home might be email@example.com. It makes machine-based searching harder if not impossible.
- Don’t use real security answers. In my case, I treat them like passwords and use random character strings. This is another good reason to use a secure (not online!) password manager with strong encryption.
- If at all possible, use multi-factor authentication to access (and recover) your online accounts. And ask your company to implement multi-factor authentication on your internal systems and even your mainframe in case your password is somehow exposed.
- Create a backup email address on another personal email service rather than using your work address. If you use Outlook.com, have your backup on iCloud.com. You don’t even need to use your backup address for anything other than account recovery.
Even though it is not related to this story, another tip is don’t access work and personal email using the same email client. Autocomplete might send your work email out to a friend, which could be mildly regrettable to a terminatable offense.