RSN™ Special Report: It’s Time To Leave Yahoo Mail
It’s Been Two Years Since Yahoo’s Data Breach – What Have You Done To Stay Safe?
Far Too Often Victims Believe “THEM, NOT ME”
Except, 3 billion Yahoo accounts were hacked
The massive data breach can be an opportunity to do some cleanup and implement security recommendations.
If you had a Yahoo account in 2013, your account name and the hash of your password were stolen. Not maybe: they were.
Yahoo expanded the scope of its massive data breach on Monday. In December, the Internet giant announced a hack that affected over a billion accounts, making it by far the largest data breach in history. Now, the company says that every Yahoo account in existence in 2013—more than 3 billion—was breached. The hackers walked away with password hashes that can be easily cracked.
If you’re a Yahoo user you should consider yourself betrayed.
Your password was compromised and you should take all the necessary steps to secure all of your accounts.
Of course, you should follow all of Yahoo’s recommendations for securing your Yahoo account, such as changing your password and watching for suspicious account activity. But perhaps it is also time to say that enough is enough and simply walk away from online services you no longer trust, such as Yahoo Mail, Google+, Google Hangouts and many more. You may not even know which services you have signed up for; many people do not. One way to find out is to set aside a day, go through your old emails and list every service that ever sent you a welcome or notification message. Cancel the ones you do not use.
Here are a few more advanced tips that you should have in mind.
Never Reuse Passwords
There are many secure password management solutions available today that work across different platforms. There is really no excuse for not having a unique, complex password for every single account that you own. If you want memorable passwords for a few critical accounts, use passphrases instead: sentences made up of several unrelated words, plus numbers and punctuation marks.
Change your passwords to passphrases: four or more unrelated words with punctuation and numbers. Two or three common words are still within reach of a dictionary attack.
According to Yahoo, this breach happened in August 2013, before the company had switched to the slower, salted “bcrypt” password hashing algorithm. As a result, most of the stolen passwords are stored as “MD5” hashes. MD5 is a fast general-purpose hash, so an attacker with ordinary graphics cards can test billions of guesses per second against it, and anything that appears in a password wordlist is recovered almost instantly.
If you made the mistake of using your Yahoo password elsewhere and haven’t changed it yet, you should do so immediately and review the security settings of those accounts too.
It’s very likely that hackers have already cracked your password and had three years to abuse it.
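Why a fast, unsalted hash is so much worse than bcrypt is easiest to see in code. The following is an added example, not part of the original article or of anything Yahoo published: it runs a small dictionary attack against a constructed set of unsalted MD5 hashes, then repeats it against salted, deliberately slow hashes. bcrypt itself is not in Python’s standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the user names, passwords and five-word wordlist are all made up for the demonstration.

```python
import hashlib
import os

# Constructed sample "leak": three users whose passwords were stored as
# unsalted MD5, the format the article says most 2013 Yahoo records used.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"sunshine1").hexdigest(),
    "bob": hashlib.md5(b"password").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),   # not in the wordlist
}

# Constructed five-entry wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "sunshine1", "letmein"]


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5.

    Every guess is hashed exactly once and looked up against ALL victims at
    the same time, so the work is len(wordlist) hashes no matter how many
    users leaked (a precomputed table removes even that cost).
    Returns (cracked, hash_operations).
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(wordlist)


# --- contrast: salted, deliberately slow hashing --------------------------
# bcrypt (what Yahoo later adopted) is not in the standard library, so
# PBKDF2-HMAC-SHA256 is used as a stand-in. The two properties that matter
# are the same: a random per-user salt and a tunable cost per guess.
ITERATIONS = 100_000


def slow_hash(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_slow_db(plaintexts):
    """Store each password as (salt, digest) with a fresh 16-byte salt."""
    db = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        db[user] = (salt, slow_hash(pw, salt))
    return db


def crack_slow(records, wordlist):
    """The same dictionary attack against salted slow hashes.

    The salt defeats any shared lookup table, so every guess has to be
    recomputed for every user: up to len(records) * len(wordlist) slow
    hashes, each of which costs tens of milliseconds instead of nanoseconds.
    Returns (cracked, hash_operations).
    """
    cracked, ops = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            ops += 1
            if slow_hash(w, salt) == digest:
                cracked[user] = w
                break
    return cracked, ops


if __name__ == "__main__":
    print("unsalted MD5:", crack_md5(LEAKED_MD5, WORDLIST))
    db = make_slow_db({"alice": "sunshine1", "bob": "password", "carol": "Tr0ub4dor&3"})
    print("salted slow hash:", crack_slow(db, WORDLIST))
```

Both attacks recover the two weak passwords; the difference is cost. The MD5 run performs five hashes in total, the slow run performs eleven and each of them is roughly a million times more expensive, and that gap is exactly what grows to “years” once the wordlist has hundreds of millions of entries and the dump has three billion rows. Note that a strong passphrase (“carol” above) survives both: slow hashing buys time, but it never rescues a password that is in the wordlist.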
Two-Factor Authentication Everywhere
Turn on two-factor authentication, sometimes called two-step verification, for every account that supports it. When you sign in from a new device the service will then ask for a one-time code, delivered by text message, phone call or email or generated by a smartphone app, in addition to your regular password. If you stay with Yahoo, it also offers a feature called Account Key that does away with the regular password entirely and instead requires you to approve each sign-in from a notification on your phone.
Two-factor authentication is an important security feature that could keep your account secure even if hackers steal your password.
Don’t Save Emails You Don’t Need
Because storage is no longer a problem with most email services, users tend never to delete emails. That is extremely convenient, but it is not a good idea: it lets a hacker who gets into the mailbox discover every other online account tied to that address simply by searching for sign-up and notification emails from various service providers. If you need a record of your accounts, keep it outside the mailbox, in your password manager or, for the truly old-fashioned, in a paper notebook such as a Moleskine.
Aside from exposing the link between your email address and accounts on other websites, sign-up and notification emails can also expose specific account names that you’ve chosen and are different from the email address.
You might want to consider cleaning your mailbox of welcome emails, password reset notifications and other such communications. Sure, there might be other ways for hackers to find out if you have an account on a certain website or even a number of websites, but why make it easier for them to compile a full list?
Check Your Email Forwarding And Reply-To Settings
Email forwarding is one of those “set it and forget it” features. The option is buried somewhere in the email account settings and if it’s turned on there’s little to no indication that it’s active.
Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices or IP addresses.
Another technique that attackers might use to get a copy of your emails is to change the reply-to address in your email settings, although this is noisier and can be spotted more easily than a forwarding rule.
The reply-to field is included in every email message that you send and tells the recipient’s email client which address to put in the To field when they hit reply. If a hacker replaces the reply-to value with an address he controls, he receives every reply intended for you, and replies typically quote the original message you sent.
To keep you from noticing, the attacker can then set up a forwarding rule in his own mailbox that passes those replies on to your address, so the conversation appears to continue normally.
To check for “reply-to” tampering, send yourself an email from the account, open it and look at the Reply-To header (or press Reply and check which address is filled in). Then go into the account settings and review the forwarding address and every filter or rule, because a rule that forwards and archives a copy leaves no trace in the messages you see.
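The two checks above can be scripted against exports you can take from the account without any network access. The following is an added example, not code from the original article or from any mail provider: the first function inspects a raw message (a self-test mail saved as .eml) for Reply-To addresses you do not own; the second scans an exported filter list for rules that forward to a stranger and flags the “hiding” actions that usually accompany them. The filter sample follows the Atom/apps:property layout that Gmail’s Settings > Filters > Export produces; the addresses, look-alike domain (“exarnple” with r-n in place of m) and rules are all constructed for the example, and your own address list is the assumed input.

```python
import email
from email import policy
import xml.etree.ElementTree as ET

MY_ADDRESSES = {"jane.doe@example.com"}   # addresses you actually own (assumed)

# --- check 1: Reply-To on a message you sent to yourself -----------------
# Constructed self-test message whose Reply-To points at a look-alike domain.
SAMPLE_TAMPERED = b"""\
From: Jane Doe <jane.doe@example.com>
To: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@exarnple.com>
Subject: self test

hello
"""


def reply_to_problems(raw_message: bytes, my_addresses):
    """Return the Reply-To addresses that are not yours (empty list = fine).
    No Reply-To header at all is normal: clients then reply to From."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    header = msg["Reply-To"]
    if header is None:
        return []
    mine = {a.lower() for a in my_addresses}
    return [a.addr_spec for a in header.addresses if a.addr_spec.lower() not in mine]


# --- check 2: forwarding rules in an exported filter list -----------------
# Constructed sample: one harmless archive rule, one rule that quietly
# forwards anything mentioning passwords, invoices or banks and hides the copy.
SAMPLE_FILTERS = b"""<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='password OR invoice OR bank'/>
    <apps:property name='forwardTo' value='drop.box.7731@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
HIDING_ACTIONS = {"shouldArchive", "shouldTrash", "shouldMarkAsRead"}
MATCH_FIELDS = ("from", "to", "subject", "hasTheWord")


def suspicious_forwards(filter_xml: bytes, my_addresses):
    """Return (target, hiding_actions, match_criteria) for every rule that
    forwards to an address you do not own."""
    mine = {a.lower() for a in my_addresses}
    findings = []
    for entry in ET.fromstring(filter_xml).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        target = props.get("forwardTo")
        if target and target.lower() not in mine:
            criteria = {k: v for k, v in props.items() if k in MATCH_FIELDS}
            findings.append((target, sorted(HIDING_ACTIONS & props.keys()), criteria))
    return findings


if __name__ == "__main__":
    print("Reply-To problems:", reply_to_problems(SAMPLE_TAMPERED, MY_ADDRESSES))
    for target, hiding, criteria in suspicious_forwards(SAMPLE_FILTERS, MY_ADDRESSES):
        print(f"forwards to {target}; hides copy via {hiding}; matches {criteria}")
```

A forward-and-archive rule is the signature to look for: the attacker reads the copy, you never see the original land in your inbox, and no new logins appear in the account history. Run the second check again after every password change, since a rule survives the change unless you delete it yourself.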
Phishing Follows Breaches
Large data breaches are typically followed by email phishing attempts, as cybercriminals try to