There are no world championships in poor information security. Nonetheless, Yahoo has been doing its utmost to be prepared should such an event ever come around. On September 22, 2016, they announced that account information from over 500 million accounts had been stolen. That’s more than half a billion accounts. Billion. (With a B.)
Seemingly worried that they hadn’t quite cemented their place on the podium for the (nonexistent) Worst Security of the Century awards, just three months later Yahoo announced that information from at least a billion additional accounts had also been compromised.
Do you have a Yahoo account but have forgotten your password? No worries – you can probably find it online. Along with lots of other information you (also) didn’t want to get out. (Which is a separate thing altogether from that whole thing about Yahoo monitoring its users’ emails on behalf of the NSA.)
When databases with user information – passwords, security question answers, credit card information, etc. – are stolen this is what’s commonly called a data breach. And, unfortunately, new data breaches seem to be popping up almost as frequently as unhinged presidential tweets. So it’s a good idea to sacrifice a few minutes of your life to learn at least the absolute basics about data breaches. (And, as convenient happenstance would have it – that’s what this article is about!)
How can you know if one of your accounts has been involved in a data breach?
Like with the lack of world championships in poor security, there is also no world championship for Most Useful Website. But if such a competition did exist, Australian security expert Troy Hunt might well take home the prize.
Hunt maintains a website where you can check to see if your data was included in any of a long list of known data breaches. The site is called Have I Been Pwned, and can be found at www.haveibeenpwned.com. (“Pwned” is Internet slang for owned, and is used e.g. in online games when someone has dominated another player.)
Checking to see if your accounts have been involved in any of the data breaches included on the site is easy:
- Go to the address www.haveibeenpwned.com
- Type in your email address in the window
- Press return or click on “pwned?”
www.haveibeenpwned.com – your new best friend in the age of pwnage
You can then see if the given address was linked to any known data breaches listed in its database. If you have several email addresses, check them all.
But wait – there’s more! If you click on “Notify me” you can enter your email and then get a notification sent to it if that email address is ever included in a future data breach that makes it to haveibeenpwned’s list. (You will need to verify the email address first, by simply clicking on a link sent to your email.)
Aaaaaaargh, haveibeenpwned says i have been pwned – what now?
What can you do if you’ve been cought up in a data breach? Unfortunately, the answer is: not a whole heck of a lot. And even that is a glass-half-full answer. The real answer is: (practically) nothing. If your data has leaked out online then it has. While you can’t do anything about that, what you can (and should) do is minimize how much additional damage can come of it. The two most important things are:
- Change your password and security questions on the breached site
- Change your password and security questions on any other site where you used the same password or security questions
Data breaches are one of the main reasons why it’s such a bad idea to reuse passwords or security questions. The bad guys have realized that we are very mindful of not spending too much of our valuable time coming up with new (or even particularly strong) passwords. If they get hold of one of our passwords they can try it on a bunch of other sites or services to see if we’ve reused it. (So pleeeease don’t reuse passwords.) The same is true of security questions. Even though you don’t know someone’s password you can still access their account if you know the answer to the security question(s).
If you’re lucky the breached data is encrypted, making life a lot more difficult for the bad guys. (I’ll talk more about different kinds of encryption in later blog posts.) But you can’t trust that all the important information will have been encrypted: sometimes none of it is, sometimes the passwords are but not the security questions, and so on.
Check my previous blog entry for tips on coming up with stronger passwords. Check upcoming blog entries for other important stuff like two-factor verification, password managers, and safer answers to security questions (spoiler alert: lie!). And if you’re on Twitter, check out @troyhunt and @haveibeenpwned to stay up-to-date with all things pwnage-related. (And if you aren’t on Twitter but decide to join, pleeeease don’t reuse a password.) (And if you decide to reuse a password anyway, pleeeease don’t reuse the one you used for Yahoo.) (And if you decide to reuse the one from Yahoo anyway but can’t remember what it was, shoot me en email.)