The huge breach of Yahoo's data by hackers backed by a government agency serves as a reminder of some basic security tips. With at least 500 million leaked accounts, it is the biggest data breach ever.
What are the potential effects on user safety?
The fifty shades of cryptographic hashing
Yahoo said the "vast majority" of stolen passwords were hashed with bcrypt. Hashing is a one-way cryptographic function that turns human-readable data into a string of seemingly random characters. The result is called a hash.
Hashes are supposed to be irreversible, which is what makes them a good way to store passwords. The password entered during login is passed through the hashing algorithm and the result is compared with the stored hash.
This gives a way to check passwords without having to store them in plain text in the database.
However, not all hashing algorithms offer enough protection against password crackers who try to guess which plaintext password produces a particular hash.
Unlike the aged MD5 algorithm, which is fairly easy to crack, bcrypt is considered a much stronger algorithm, particularly when additional measures such as salting are applied.
This means that, in theory, the chances of the hackers cracking the "vast majority" of the passwords they stole from Yahoo are very low.
It must be said that with perseverance, patience and a very powerful system, nothing can be considered completely safe. Of course, in mega-leaks like Yahoo's, the hours required multiply with the volume of data and with how simple or strong the hashing is.
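The difference the article draws between a fast, unsalted hash such as MD5 and a salted, deliberately slow one such as bcrypt, and the login check described above, as an added example that is not part of the original article. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (which is not in the standard library); the password strings and the 200,000-iteration cost are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Fast, unsalted scheme of the kind the article calls easy to crack (MD5).
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(md5_store(password), stored)

# Salted, deliberately slow scheme. PBKDF2-HMAC-SHA256 stands in for bcrypt here
# (assumption: both use a per-password random salt and a tunable work factor).
ITERATIONS = 200_000  # constructed cost value for the demo

def slow_store(password: str, salt: bytes = None) -> str:
    salt = salt if salt is not None else os.urandom(16)  # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # The stored record carries algorithm, cost and salt, so a login check can
    # recompute the hash without any secret being kept alongside it.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def slow_verify(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

def same_hash_for_same_password(store) -> bool:
    """Do two users who chose the same password end up with identical stored hashes?
    True for unsalted MD5 (one precomputed table cracks both), False when salted."""
    return store("correct horse") == store("correct horse")

def time_one_guess(verify, stored: str) -> float:
    """Seconds a single wrong guess costs the verifier (and hence a cracker)."""
    start = time.perf_counter()
    verify("wrong guess", stored)
    return time.perf_counter() - start

if __name__ == "__main__":
    m, s = md5_store("correct horse"), slow_store("correct horse")
    print("login ok (md5):", md5_verify("correct horse", m))
    print("login ok (slow):", slow_verify("correct horse", s))
    print("same hash for same password, md5:", same_hash_for_same_password(md5_store))
    print("same hash for same password, slow:", same_hash_for_same_password(slow_store))
    print(f"one guess: md5 {time_one_guess(md5_verify, m):.6f}s, "
          f"slow {time_one_guess(slow_verify, s):.3f}s")
```

The last line of output shows why the article's "required hours" multiply with the hashing scheme: every guess against the slow hash costs the cracker the full work factor, and the per-password salt stops one table of precomputed hashes from covering the whole leak.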
But let's look at the problem with Yahoo:
Yahoo's wording shows that most of the passwords (but not all) were hashed with bcrypt.
We do not know how many of the passwords were hashed with another algorithm, or with which one. The fact that this is not mentioned in the breach notification or in Yahoo's FAQ suggests the company did not want to hand this information to the attackers.
In short, there is no way to say for certain whether your account was among those whose passwords were hashed with bcrypt or with some other algorithm.
So the safest option at this point is to change your password, and possibly your e-mail provider as well.
Think about who is asking for your personal information
The information in the Yahoo accounts included real names, phone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of these items are very sensitive and are used for identity verification by banks and possibly government agencies.
There are very few cases in which a website genuinely needs your real date of birth. Likewise, do not give truthful answers to security questions if you can avoid it.
Check your e-mail forwarding regularly
E-mail forwarding is one of those "set it once and forget it" features. The option is buried somewhere in your account settings and you may never have looked at it.
Hackers know this. All they need is to access your e-mail once and set up forwarding to an address they control. From then on they receive every e-mail that arrives for you without ever having to log in again, so the service never sends you alerts about repeated suspicious log-ins from unrecognised devices and IP addresses.
Two-factor authentication everywhere
Enable two-factor authentication. Enable two-factor authentication. Enable two-factor authentication.
Do not reuse the same password
There are many password manager solutions available that work across platforms (prefer password managers that store passwords locally rather than in the cloud, for example KeePass). There is no excuse not to use a unique, complex password for every account you own.
Here comes phishing
Major data breaches are usually followed by waves of phishing e-mails, as crooks try to take advantage of the exposed e-mail addresses.
These messages may be disguised as security alerts, may contain instructions to download malicious programs presented as security tools, may direct users to websites that ask for additional information under the guise of "verifying" their accounts, and so on.
Be on the alert: such messages are already circulating, and more will follow in the wake of the Yahoo hack.