500 million Yahoo e-mail accounts stolen in 2014
Yahoo hit by one of worst security breaches in history, unclear how many S'pore accounts affected
Marketing director and blogger Ian Tan had not used his Yahoo e-mail account in years.
But he was forced to log in yesterday after receiving an e-mail notification that his account may have been compromised in what several media, including BBC and CNBC, are calling one of the largest security breaches in history.
In a press release on Thursday, Yahoo confirmed that data associated with about 500 million of its e-mail accounts had been stolen in late 2014.
Mr Tan, 40, told The New Paper he was not surprised.
"This may be the largest-scale hack ever but I've simply become accustomed to it," he said, adding that his personal blog receives attempted hacks every hour.
"For my really important accounts, (such as my) Gmail (account), I use extra measures like two-factor authentication (2FA) and change my passwords regularly. It's a hassle... but at least I get some peace of mind."
Yahoo! Inc, which has one billion monthly active users, published the press release on its investor relations website.
It said that the information stolen from Yahoo may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (the vast majority hashed with bcrypt, according to Yahoo) and, in some cases, security questions and answers.
However, Yahoo said the stolen data did not include unprotected (clear-text) passwords, payment card data or bank account information.
Yahoo believes that the hacking was done by a "state-sponsored actor", a term used for an individual or group acting on behalf of a government.
When TNP contacted Yahoo Singapore yesterday afternoon to find out how many Singapore accounts were compromised as part of the breach, a spokesman said it needed to check with its corporate headquarters.
Experts here say that while the breach may have been massive, the actual damage done may be limited.
Associate Professor Zhenkai Liang, from the National University of Singapore's School of Computing, told TNP that the hackers are not an immediate danger because they do not have the users' bank account information.
However, he added that there is cause for concern: "For example, if you own a website and you use your Yahoo e-mail to register it, the hackers can change your password and claim the domain as their own."
Mr David Maciejak, head of Fortinet's FortiGuard Lion R&D team for Asia Pacific, told TNP that stolen personal accounts sold on underground markets can be used to start spamming and phishing campaigns.
How to protect your account
At least 500 million Yahoo e-mail users had their data stolen in a recent cyber attack. Here's what to do if you suspect that data from any of your e-mail accounts may have been stolen:
1 Enable two-factor authentication (2FA)
Associate Professor Zhenkai Liang suggests signing up for 2FA to add an extra layer of security. Those who use 2FA must complete a second step, typically a one-time code or confirmation prompt sent to their mobile phones, whenever they log in to their Internet accounts, so a stolen password alone is not enough to get in.
Google, Yahoo, Facebook, SingPass and several banks provide 2FA services.
2 Change your passwords, especially if you are using them for other sites
Mr Sumit Bansal, director for Asean at IT security company Sophos, said cyber criminals now use automated tools that take leaked e-mail and password pairs and try them on other, more valuable sites, such as banking sites, because many people use the same password for multiple accounts.
You should create a different password for each of your more sensitive accounts, so that one leaked password cannot be replayed against the others.
3 Change passwords regularly
"Users should change their passwords every three months, and not use the same password for different online services," said Mr Maciejak.
Mr Bansal said: "It's always good practice to update your passwords, password manager and security questions, if you hear of a potential data breach that might affect you.
"Even data breaches from several years ago could still impact you today."
4 Use a strong password
A strong password is one with a minimum length of 12 characters, including upper and lower case characters, with numbers and symbols if permitted, say experts. These make them harder to crack.
5 Be conscious of your own cyber security
Prof Liang said cyber security is "always changing", so it is very difficult to make your accounts absolutely secure.
This is not the first case involving massive account leaks. Gmail and LinkedIn have been hacked into before.
Prof Liang added that you should also think about the information that you put online. Sensitive information such as your credit card details or IC (identity card) number should never be broadcast.
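The following is an added example, not code from the article or from any of the experts quoted in it. It turns tips 2 and 4 above into a check a service (or a reader vetting their own passwords) could run: the composition rule given in tip 4 (at least 12 characters, upper and lower case, digits, symbols if permitted), combined with a lookup against a list of password hashes from an earlier breach, the kind of list the criminals described in tip 2 work from. The leaked-hash set here is constructed for the example and is not data from the Yahoo breach; the password candidates are likewise invented. The point the composition rule alone misses is visible in the output: "Password123!" satisfies every rule yet is rejected because it has already leaked.

```python
import hashlib
import string

# Constructed sample: SHA-1 digests of a few passwords as they might appear in a
# leaked credential dump. These entries are invented for this example and are not
# data from the Yahoo breach or any real dump.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "Password123!", "qwerty123456", "letmein2014")
}

MIN_LENGTH = 12  # the minimum length the article's experts suggest


def policy_failures(password, symbols_permitted=True):
    """Return a list of the ways `password` misses the article's composition rule.

    Rule: at least 12 characters, with upper- and lower-case letters and digits,
    plus at least one symbol when the service permits symbols. Empty list = passes.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if symbols_permitted and not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


def seen_in_breach(password, leaked_hashes=LEAKED_SHA1):
    """True if the SHA-1 digest of `password` is in the local leaked-hash set.

    Comparing digests rather than plaintext means the leaked list can be kept
    and shared without anyone holding the plaintext passwords themselves.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in leaked_hashes


def assess(password, symbols_permitted=True):
    """Run both checks. Returns (accepted, reasons); reasons is empty when accepted."""
    reasons = policy_failures(password, symbols_permitted)
    if seen_in_breach(password):
        reasons.append("appears in a known breach; a reused password is the first thing tried")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Three invented candidates: too weak, policy-compliant but leaked, and acceptable.
    for candidate in ("letmein", "Password123!", "Tr0ub4dor&3-kayak-sprint"):
        accepted, reasons = assess(candidate)
        verdict = "accepted" if accepted else "rejected"
        print("%-26s %-8s %s" % (candidate, verdict, "; ".join(reasons)))
```

The breach lookup uses a local set for the example; a production service would instead query a breached-password corpus and would store its own users' passwords with a slow, salted hash, as the article notes Yahoo did with bcrypt, not with a bare SHA-1 like the lookup key here.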