As you likely have read by now, Yahoo has fallen victim to the biggest user account breach in history. Bob Lord, its chief information security officer, acknowledges that in August 2013, an unauthorized third party stole data associated with more than a billion accounts.

Jeremiah Grossman, chief of security strategy, SentinelOne

This is the latest disclosure of a long string of major security breaches at Yahoo—many of which have come to light in the past few months.

Yahoo claims that it doesn’t know exactly who broke in or how, but it does know that usernames, email addresses, telephone numbers, dates of birth, and hashed passwords were all illegally accessed.

The situation is bad—and not just because Yahoo is in the process of being acquired by Verizon (though that may change).

A closer look at Lord’s statement—particularly the paragraph about the hackers’ ability to forge valid cookies to take over user accounts—indicates that the intruders managed to work deep into some of Yahoo’s most sensitive data and systems.

Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

Because Yahoo is unable to determine the threat actor, or perhaps even the original source of entry, it will be extremely difficult to provide assurance that its system is now “safe.”
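The cookie paragraph turns on one defensive property, shown here in an added Python example that is not Yahoo's code (the page says nothing about how its cookies are built): a session cookie whose authenticity depends on a server-side secret kept outside the codebase, so that reading the source alone does not let anyone mint valid cookies, and rotating that key invalidates every previously issued cookie, forged or not. The key-id prefix, the claims format and the sample keys are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user_id, key, key_id, ttl=3600, now=None):
    """Issue 'key_id.payload.tag' with tag = HMAC-SHA256(key, 'key_id.payload').
    The algorithm is public; only `key` (loaded from a secret store, never
    committed with the code) makes the tag unforgeable."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"uid": user_id, "exp": now + ttl}).encode())
    signed = f"{key_id}.{payload}"
    tag = hmac.new(key, signed.encode(), hashlib.sha256).digest()
    return f"{signed}.{_b64(tag)}"


def verify_cookie(cookie, keyring, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None.
    `keyring` maps key ids to the keys currently trusted; dropping an id from
    it (key rotation) rejects every cookie that id ever signed."""
    now = int(time.time()) if now is None else now
    try:
        key_id, payload, tag = cookie.split(".")
    except ValueError:
        return None  # malformed
    key = keyring.get(key_id)
    if key is None:
        return None  # unknown or retired key id
    expected = hmac.new(key, f"{key_id}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None  # tag does not match: forged or tampered
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims.get("uid")
```

A forged cookie built with the right algorithm but a guessed key fails the tag check, and a cookie that was valid under key `v1` stops validating the moment `v1` is removed from the keyring.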

Yahoo users weighing the risks of maintaining their accounts must first understand that the damage has been done. Accounts and data have been compromised; there is no going back. This eventuality was the foretold danger of cloud computing and free online systems. Users have limited control over their data and limited indication if they’ve been victimized.

You’re sure to hear the standard suggestions: change your passwords, select hard-to-guess passwords, protect your accounts with two-factor authentication, patch your systems, think before you click or download—the list goes on.

While all good ideas, these practices will do next to nothing to protect you and your data when the online service provider, the custodian of your data, is hacked. And this is guaranteed to happen to every one of them, at some point in time.

Think about where your email and various private messages are physically stored: If this data isn’t directly on your computer, it can be exposed by a hacker exploiting a third-party system over which you have no control. Yes, that means Yahoo, but it also means Facebook, Google, Microsoft, LinkedIn, Twitter, and every other Internet service.

Let’s consider some advice you don’t often hear: If any of the aforementioned companies have data that you cannot afford to expose, it’s time to delete it. Delete your archived email, private messages, contacts, files, photos, and so on. Unfortunately, it’s hard to confirm whether a host has actually deleted data from its systems, but deleting it from your account interface at least creates a speed bump for someone who hacks directly into your account.

As a nuclear option, you could also delete accounts you don’t use, or from providers you no longer trust. If you’re unable to do either, well, you take your chances.

Many people, including security experts, routinely purge private messages that are more than a couple of months old from their various online social and email accounts. While this does not sound like a pleasant option, it really is the best way to protect yourself from exposure to security breaches beyond your control.

The only way to guarantee that data is truly secure is to encrypt it from everyone except the people meant to read it. To safely store data such as photos, spreadsheets, and other files, you can use encrypted storage devices or online services that handle encryption for you. Cloud hosts such as Yahoo and Google rely on the information they gather about their users for revenue and thus don’t typically encrypt your stored data.

Although you cannot control when or how a host like Yahoo will get hacked, you can lessen the personal impact of a hack by taking a deep look at all of the personal data you’re throwing out there—and limiting it.