The huge breach of Yahoo's data by hackers backed by a government agency serves as a reminder of some basic security tips. With at least 500 million leaked accounts, it is the biggest data breach ever.
What are the potential effects on user safety?
The fifty shades of cryptographic hashing
Yahoo said the "vast majority" of the stolen passwords were hashed with bcrypt. Hashing is a one-way cryptographic operation that converts data into a fixed-length string of seemingly random characters. The result is called a hash.
Hashes are supposed to be non-reversible, which is why they are a good way to store passwords. The password typed at login is passed through the hashing algorithm and the result is compared with the stored hash.
This provides a way to check passwords without having to store them in plain text in the database.
But not all hashing algorithms offer enough protection against password crackers trying to guess which plaintext passwords produce a particular hash.
Unlike the ancient MD5 algorithm, which is fairly easy to break, bcrypt, combined with additional measures such as salting, is considered a much stronger algorithm.
This means that, in theory, the chances of hackers cracking the "vast majority" of the passwords they stole from Yahoo are very low.
We must say that with perseverance, patience, and a very powerful system, nothing can be considered safe. Of course, in mega-leaks like Yahoo's, the hours required grow with the volume of data and with how weak or strong the hashing is.
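The storage and login flow described above, as an added example that is not from the original article or from Yahoo. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (both are salted and deliberately slow, and the iteration count plays the role of bcrypt's cost factor), and it also shows how a site still holding unsalted MD5 records, the "other algorithm" case, can replace them with a slow hash the next time the user logs in. The record format, the iteration count and the legacy-record convention are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Illustrative stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard
# library. Assumed scheme for this example, not Yahoo's actual storage format.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 100_000          # cost knob: raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)      # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def legacy_md5(password: str) -> str:
    """Unsalted MD5: the weak scheme an older record may still use (assumed here)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_and_upgrade(password: str, record: str):
    """Check a login against either record type.

    Returns (accepted, new_record). new_record is a fresh slow hash when a
    legacy MD5 record was just verified and should be replaced in storage;
    otherwise it is None.
    """
    if "$" not in record:      # legacy convention: a bare 32-hex-digit MD5
        if hmac.compare_digest(legacy_md5(password), record):
            return True, hash_password(password)
        return False, None
    return verify_password(password, record), None


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong guess", rec))                    # False
```

Because each record carries its own salt and iteration count, two users with the same password get different hashes, and the cost can be raised later without invalidating existing records.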
But let's look at the problem with Yahoo:
Yahoo's wording shows that most of the passwords (but not all) were hashed with bcrypt.
We do not know how many of the remaining passwords were hashed with another algorithm, or which one. The fact that this is not mentioned in the breach notification or in Yahoo's FAQ suggests that the company did not want to give this information to the attackers.
In conclusion, there is no way to say with certainty whether your account was among those whose passwords were hashed with bcrypt or with some other algorithm.
So the safest option at this point is to change your password, and perhaps your e-mail provider as well.
Think twice when someone asks for your personal information
Among the information in the accounts stolen from Yahoo were real user names, phone numbers, dates of birth and, in some cases, unencrypted security questions and answers. Some of these details are very sensitive and are used for verification by banks and possibly by government services.
There are very few cases in which a website needs your real date of birth. Also, do not give real answers to security questions if you can avoid it.
Check your email forwarding rules regularly
Email forwarding is one of those "set it once and forget it" things. The option is buried somewhere in your account settings and you may never have looked at it.
Hackers know this. All they need is to access your email once and set up forwarding to an address they control. From then on they receive every e-mail that reaches you without having to log in again, so the service never sends you alerts about repeated suspicious logins from unrecognized devices and IP addresses.
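A small audit of the kind of rule described above, as an added example that is not part of the original article. The rule list is a constructed sample in a made-up export format (no real provider's API or schema is assumed); the check flags forwards that leave the owner's trusted domains, forwards that discard the original message so nothing shows in the inbox, and forwards created after the last time the settings were reviewed.

```python
from datetime import date

# Constructed sample of an account's mail rules (hypothetical export format).
# "attacker-mail.example" is a made-up domain standing in for an address the
# account owner does not recognize.
RULES = [
    {"id": "r1", "created": "2015-03-02", "action": "forward",
     "to": "me@example.com", "keep_copy": True},
    {"id": "r2", "created": "2016-09-20", "action": "forward",
     "to": "backup.mailbox@attacker-mail.example", "keep_copy": False},
    {"id": "r3", "created": "2014-01-10", "action": "label",
     "to": None, "keep_copy": True},
]

# Domains the owner actually controls; any forward elsewhere is suspicious.
TRUSTED_DOMAINS = {"example.com"}


def audit_forwarding(rules, trusted_domains, last_reviewed):
    """Return (rule_id, reason) findings for forwarding rules worth a second look."""
    findings = []
    for rule in rules:
        if rule["action"] != "forward":
            continue
        destination = rule["to"] or ""
        domain = destination.rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            findings.append((rule["id"], f"forwards to external address {destination}"))
        if not rule["keep_copy"]:
            findings.append((rule["id"],
                             "original is discarded, so forwarded mail leaves no trace in the inbox"))
        if date.fromisoformat(rule["created"]) > last_reviewed:
            findings.append((rule["id"],
                             f"created {rule['created']}, after the last settings review"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_forwarding(RULES, TRUSTED_DOMAINS, date(2016, 1, 1)):
        print(f"{rule_id}: {reason}")
```

A rule that trips all three checks at once, like r2 in the sample, is the pattern to look for: an unfamiliar destination, no copy kept, and a creation date you cannot account for.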
Use two-factor authentication everywhere
Enable two-factor authentication. Enable two-factor authentication. Enable two-factor authentication.
Do not reuse passwords
There are many password manager solutions available that work across different platforms (prefer password managers that store passwords locally rather than in the cloud, for example KeePass). There is no excuse not to use a unique, complex password for each account you own.
Here comes phishing
Major data breaches are usually followed by phishing attempts, as fraudsters try to take advantage of the e-mail addresses that have been exposed.
These messages can be disguised as security alerts, they can contain instructions to download malicious programs presented as security tools, they can direct users to websites that ask for additional information under the guise of "verifying" their accounts, and so on.
Be on the alert, because such messages are already circulating and more will follow in the wake of the Yahoo hack.