The huge breach of Yahoo's data by hackers working for a government agency serves as a reminder of some basic security tips. With at least 500 million leaked accounts, it is the biggest data breach ever.
What are the potential effects on user safety?
The fifty shades of cryptographic hashing
Yahoo stated that the "vast majority" of the stolen passwords were hashed with bcrypt. Hashing is a one-way transformation that converts human-readable data into a fixed-length string of seemingly random characters. The result is called a hash.
Hashes are supposed to be irreversible, and so they are a good way to store passwords. When a user logs in, the submitted password is passed through the hashing algorithm and the result is compared with the stored hash.
This provides a way to verify passwords without having to store them in plain text in the database.
However, not all hashing algorithms offer enough protection against password crackers who try to guess which plaintext password produces a particular hash.
Unlike the ancient MD5 algorithm, which is quite easy to break even when additional measures such as salting are applied, bcrypt is considered a much stronger algorithm.
This means that, in theory, the chances of hackers breaking the "vast majority" of passwords they stole from Yahoo are very low.
We must say that with perseverance, patience, and a very powerful system, nothing can be considered completely safe. Of course, in a mega-leak like Yahoo's, the hours required grow with the volume of data and with how weak or strong the hashing is.
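To make the difference between the two schemes concrete, here is an added example (not code from the article or from Yahoo) that stores the same password two ways: with unsalted MD5, and with a salted, deliberately slow hash. Because bcrypt is a third-party dependency in Python, the example uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in; the storage format and the sample users are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def md5_hash(password: str) -> str:
    """Unsalted MD5, the weak scheme the article contrasts with bcrypt.
    Identical passwords always give identical hashes, so a leaked table
    reveals which users share a password and lets one crack serve many."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here
    (both take a per-password random salt and a tunable work factor).
    The returned string is self-describing, so the parameters travel with
    the hash and can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time (no early exit that leaks matching prefixes)."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hashes(hashes: list) -> int:
    """Number of stored hashes that are not unique. For an unsalted scheme
    this equals the number of users sharing a password with someone else."""
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    weak = [md5_hash(p) for p in USERS.values()]
    strong = [hash_password(p) for p in USERS.values()]
    print("MD5 duplicates:", duplicate_hashes(weak))        # 1: alice and bob collide
    print("PBKDF2 duplicates:", duplicate_hashes(strong))   # 0: salts differ
    print("login ok:", verify_password("correct horse", strong[0]))
    print("login bad:", verify_password("wrong", strong[0]))
```

The iteration count is the knob that makes guessing expensive: every candidate an attacker tries costs the same 200,000 HMAC computations the server pays once per login, which is exactly the property that makes the "vast majority" of bcrypt-hashed Yahoo passwords hard to recover in bulk.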
But let's look at the problem with Yahoo:
Yahoo's wording shows that most of the passwords (but not all) were hashed with bcrypt.
We do not know how many of the remaining passwords were hashed with another algorithm, or which one. The fact that neither the breach notification nor Yahoo's FAQ mentions this suggests that the company did not want to hand that information to the attackers.
In conclusion, there is no way to say with certainty whether your account was among those whose passwords were hashed with bcrypt or with some other algorithm.
So the safest option at this point is to change your password, and perhaps also your e-mail provider.
Think twice when someone asks for your personal information
The information held in Yahoo's accounts included real names, phone numbers, birthdates and, in some cases, unencrypted security questions and answers. Some of these items are very sensitive and are used for identity verification by banks and possibly by government agencies.
There are very few cases in which a website genuinely needs your real date of birth. Likewise, do not give truthful answers to security questions if you can avoid it.
Check your e-mail forwarding regularly
E-mail forwarding is one of those "set it once and forget about it" features. The option is buried somewhere in your account settings and you may never have looked at it.
Hackers know this. All they need is to get into your mailbox once and create a forwarding rule to an address of their own. From then on they receive a copy of every e-mail that arrives for you without ever having to log in again, so the service never sends you the alerts it would for repeated suspicious logins from unrecognised devices and IP addresses.
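A quick way to audit this without clicking through settings pages is to export the mailbox's filter rules and scan them for forwarding targets. The following is an added example, not code from the article: it reads a filter export in the shape of Gmail's mailFilters.xml (an Atom feed in which each filter is an entry made of apps:property elements such as forwardTo and shouldArchive) and flags every rule that forwards mail, noting whether the destination is outside the domains you trust and whether the rule also hides the copy by archiving or deleting it. The sample export embedded below is constructed for the example, and the set of trusted domains is an assumption you would replace with your own.

```python
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
APPS = "http://schemas.google.com/apps/2006"

# Constructed sample in the shape of a Gmail mailFilters.xml export:
# one harmless labelling rule, and one rule that forwards everything
# ("hasTheWord" = ".") to an outside address and archives the original
# so the owner never sees it in the inbox.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='.'/>
    <apps:property name='forwardTo' value='collector@mail-attacker.example'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""

# Actions that make a forwarded copy disappear from the victim's view.
HIDING_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")


def find_forwarding_rules(xml_text: str, trusted_domains: set) -> list:
    """Return one finding per filter that forwards mail.

    Each finding records the destination, whether it lies outside the
    trusted domains, whether the rule also hides the message, and the
    matching criteria (so a catch-all rule stands out from a narrow one).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.findall(f"{{{ATOM}}}entry"):
        props = {
            p.get("name"): p.get("value")
            for p in entry.findall(f"{{{APPS}}}property")
        }
        target = props.get("forwardTo")
        if not target:
            continue  # not a forwarding rule
        domain = target.rsplit("@", 1)[-1].lower()
        findings.append({
            "forward_to": target,
            "external": domain not in trusted_domains,
            "hides_copy": any(props.get(a) == "true" for a in HIDING_ACTIONS),
            "criteria": {
                k: v for k, v in props.items()
                if k != "forwardTo" and k not in HIDING_ACTIONS
            },
        })
    return findings


if __name__ == "__main__":
    # Assumed trusted domains; replace with your own organisation's domains.
    for f in find_forwarding_rules(SAMPLE_EXPORT, {"example.com"}):
        flag = "SUSPICIOUS" if f["external"] or f["hides_copy"] else "ok"
        print(flag, f["forward_to"], "matches", f["criteria"],
              "hidden" if f["hides_copy"] else "visible")
```

Any rule that forwards to an external address, matches everything, and archives or deletes the original is worth treating as a sign of compromise rather than a misconfiguration; the same check is worth repeating after every password change, since a forwarding rule survives the change.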
Two-factor authentication everywhere
Enable two-factor authentication. Enable two-factor authentication everywhere it is offered. Enable two-factor authentication.
Do not reuse the same password
There are many password manager solutions available that work across platforms (prefer password managers that store your passwords locally rather than in the cloud, for example KeePass). There is no excuse not to use a unique, complex password for every account you own.
Here comes phishing
Major data breaches are usually followed by waves of e-mail phishing, as fraudsters try to take advantage of the newly exposed e-mail addresses.
These messages may be disguised as security alerts, may carry instructions to download malware dressed up as a security tool, or may direct users to websites that ask for additional information under the guise of "verifying" their accounts, and so on.
Be on the alert: such messages are already circulating, and more will follow in the wake of the Yahoo hack.
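The three patterns just described (a fake alert, a download link to an executable, and a "verification" page on a lookalike domain) can all be spotted in the links of a message before anyone clicks. The following added example, not code from the article, pulls every link out of an HTML e-mail body and flags a link when its host is outside the domains the real sender would use, when the URL shown to the reader names a different site than the one the link actually goes to, or when it points straight at an executable. The message body and the set of legitimate domains are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of domains a genuine notice from this provider would link to.
LEGIT_DOMAINS = {"yahoo.com"}

# Constructed sample message: a fake alert, a "security tool" download,
# and one genuine help link. The lookalike host uses the reserved .example TLD.
SAMPLE_EMAIL = """
<p>We detected unusual sign-in activity. Verify your account now:</p>
<a href="http://yahoo.com.account-verify.example/login">https://login.yahoo.com/verify</a>
<p>Or download our security tool:
<a href="http://cdn.example.net/yahoo-secure.exe">Security Tool</a></p>
<p>Help: <a href="https://help.yahoo.com/">https://help.yahoo.com/</a></p>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".jar", ".zip")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels. Good enough for
    example.com-style hosts; a real tool would consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_links(html: str, legit_domains: set) -> list:
    """Return one finding per link with a list of reasons it looks suspicious
    (an empty list means the link passed every check)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if registrable(host) not in legit_domains:
            reasons.append("host outside the sender's expected domains")
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append("visible URL names a different site than the real target")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("links directly to an executable or archive")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL, LEGIT_DOMAINS):
        print("SUSPICIOUS" if f["reasons"] else "ok", f["href"], f["reasons"])
```

The "visible URL differs from the real target" check is the one most worth teaching users to do by hand: hovering over a link shows the real destination, and a mismatch with what the text claims is the single most reliable giveaway of a phishing message.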