The massive breach of Yahoo's data by what the company describes as state-sponsored hackers is a reminder of some basic security tips. With at least 500 million accounts leaked, it is the biggest data breach ever.
What are the potential effects on user safety?
The fifty shades of cryptographic hashing
Yahoo stated that the "vast majority" of the stolen passwords had been hashed with bcrypt. Hashing is a one-way cryptographic function that converts data into a fixed-length string of seemingly random characters; the output, which stands in for the human-readable original, is called a hash.
Hashes are supposed to be irreversible, which is what makes them a good way to store passwords. The password entered at login is passed through the hashing algorithm and the result is compared with the hash on file.
This provides a way to verify passwords without having to store them in plain text in the database.
But not all hashing algorithms offer enough protection against password crackers trying to guess which plaintext passwords produce a particular hash.
Unlike the ancient MD5 algorithm, which is quite easy to break even when additional security measures (salting) are applied, bcrypt is considered a much stronger algorithm.
This means that, in theory, the chances of hackers breaking the "vast majority" of passwords they stole from Yahoo are very low.
We should mention that with persistence, patience, and a very powerful system, nothing can be considered entirely safe. Of course, in mega-leaks like Yahoo's, the man-hours required multiply with the volume of data and with how simple or complex the hashing is.
But let's see where the problem lies in Yahoo's case:
Yahoo's wording shows that most of the passwords (but not all) were hashed with bcrypt.
We do not know how many of those passwords were hashed with another algorithm, or which one. The fact that this is not mentioned in the breach notification or in Yahoo's FAQ suggests that the company did not want to hand this information to the attackers.
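To make the contrast between "ancient" MD5 and a slow, salted scheme concrete, here is an added example (not code from the original article or from Yahoo). bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it as the slow, salted hash; the storage format `rounds$salt$hash`, the function names and the short wordlist are all constructed for this illustration. It shows the login check described above (re-hash the candidate with the stored salt, compare in constant time), why an unsalted MD5 hash of a common password falls to a cheap dictionary lookup, and roughly how many times more expensive each guess becomes with the slow scheme.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed list of common passwords, used only to audit hashes we created ourselves.
WORDLIST = ["password", "123456", "letmein", "qwerty", "sunshine", "hunter2"]


def md5_hash(password: str) -> str:
    """Fast, unsalted MD5: every guess costs one cheap hash, and equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None, rounds: int = 50_000) -> str:
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 is a stdlib stand-in for bcrypt (assumption).
    A fresh random salt per password means two users with the same password get different hashes.
    Returns the constructed storage string 'rounds$salthex$hashhex'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Login check: re-hash the candidate with the salt and rounds taken from the stored
    string, then compare in constant time so timing does not leak how many bytes matched."""
    rounds_s, salt_hex, hash_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds_s)
    )
    return hmac.compare_digest(candidate.hex(), hash_hex)


def find_weak_md5(stored_md5: str, wordlist: Iterable[str]) -> Optional[str]:
    """Audit an unsalted MD5 hash against a list of common passwords.
    Because there is no salt, the same dictionary of precomputed hashes
    serves every account at once; returns the matching word or None."""
    for word in wordlist:
        if md5_hash(word) == stored_md5:
            return word
    return None


def cost_ratio(md5_samples: int = 2000, slow_samples: int = 5) -> float:
    """Rough per-guess cost of the slow scheme relative to MD5, measured on this machine."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(md5_samples):
        md5_hash(f"guess{i}")
    md5_per_op = max(time.perf_counter() - t0, 1e-9) / md5_samples
    t0 = time.perf_counter()
    for i in range(slow_samples):
        slow_hash(f"guess{i}", salt)
    slow_per_op = (time.perf_counter() - t0) / slow_samples
    return slow_per_op / md5_per_op


if __name__ == "__main__":
    record = slow_hash("hunter2")
    print("stored:", record)
    print("login ok:", verify_slow("hunter2", record), "wrong pw:", verify_slow("hunter3", record))
    print("md5 of 'letmein' recovered as:", find_weak_md5(md5_hash("letmein"), WORDLIST))
    print(f"each slow-hash guess costs about {cost_ratio():,.0f}x an MD5 guess")
```

The ratio printed at the end is what the article's "man-hours multiply" remark boils down to: with bcrypt (or any deliberately slow, salted hash) the defender chooses how expensive each guess is, whereas with unsalted MD5 the attacker pays almost nothing per guess and can reuse the same precomputed dictionary across the whole dump.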
In conclusion, there is no way to safely say if your account was among those whose passwords were hashed with bcrypt or some other algorithm.
So the safest option at this point is to change your password, as well as your e-mail provider.
Think twice when someone asks for your personal information
Among the information held in Yahoo's accounts were real names, phone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of these items are very sensitive and are used for identity verification by banks and possibly government agencies.
There are very few cases in which a website genuinely needs your real date of birth. Likewise, do not give real answers to security questions if you can avoid it.
Check your e-mail forwarding regularly
E-mail forwarding is one of those "set it once and forget about it" settings. The option is buried somewhere in your account settings and you may never have looked at it.
Hackers know this. All they need is to access your e-mail once and set up forwarding to an address of their own. From then on they receive a copy of every e-mail sent to you without ever having to log in again, so the service never alerts you about repeated suspicious logins from unrecognised devices and IP addresses.
Two-factor authentication everywhere
Enable two-factor authentication. Enable two-factor authentication. Enable two-factor authentication.
Do not reuse passwords
There are many password manager solutions available that work across platforms (prefer password managers that store the passwords locally rather than in the cloud, for example KeePass). There is no excuse not to use a unique, complex password for every account you own.
Here comes phishing
Major data breaches are usually followed by waves of phishing e-mails, as crooks try to take advantage of the publicity surrounding the exposed addresses.
These messages may be disguised as security alerts, may contain instructions to download malicious programs presented as security tools, may direct users to websites that ask for additional information under the guise of "verifying" their accounts, and so on.
Be on the alert: such messages are already circulating, and more will follow after the Yahoo hack.