Should you be worried about the latest Yahoo security breach?

Should you be worried about the latest Yahoo security breach?

Yahoo email has experienced yet another security breach by hackers. Should you be worried about this? Even if you do not currently have a Yahoo email address, it is my opinion that you still need to be concerned.

Email account hacking has been a recurring theme for Yahoo in recent years and the timing couldn’t be worse. Yahoo has been trying to facilitate a sale to Verizon for months, and stories of security breaches just keep coming like clockwork. The number of hacked email accounts is said to have exceeded 1 Billion. Yes, that’s billion with a “B”.

So back to my original question – should you be worried about the latest Yahoo security breach? In a word, yes. Here are some reasons:

Yahoo is everywhere, and you may have an email address on their servers without knowing it. The domains they handle include the following domains:

  • Yahoo.com (of course)
  • Prodigy.net
  • Sbcglobal.net
  • Ameritech.net
  • Att.net
  • Pacbell,net
  • Ymail.com
  • Flash.net
  • Swbell.net

Frankly this is the tip of the iceberg, as there are simply too many to list here. While I can’t be certain, a breach of Yahoo’s mail servers could put users of their other domains at the same level of risk.

Yahoo email isn’t only for individuals – Businesses use it too. If your company isn’t on Office 365, Google G-Suite (formerly known as Google Apps) or an internally hosted email system, there’s a chance you may be on the Yahoo mail system. Again, I don’t know whether a hack infecting Yahoo’s primary mail service puts other domains at risk, but the potential is there nonetheless.

Even if you don’t use Yahoo, you probably interact with people or companies who do. Here’s how this can pose a problem. Let’s say you exchange emails with someone who uses Yahoo email. The email messages may include financial or medical information, or perhaps sensitive passwords. It is safe to assume that any hacked Yahoo email account will be parsed for anything of value, including personally identifiable information (PII) such as full name, date of birth, mother’s maiden name, social security number, place of birth, and so on. If you have ever exchanged messages containing sensitive information via email, you need to assume that the information is still out there.

Okay, I think I have your attention! Now, what should you do about it? Here are some suggestions:

  1. If you are personally using Yahoo (or one of its affiliates), you should stop. Or at least stop using it for anything sensitive. If you are a personal user, I would encourage you to switch to Google’s Gmail or Microsoft’s Live email accounts. While anybody can get their email account hacked (as John Podesta can attest), it is far more difficult on either platform.
  2. If you are a business using a Yahoo personal email address, I strongly encourage you to stop using it altogether. Purchase a domain name (such as www.mycompany.com) and use it for your email service, preferably on Microsoft’s Office 365 platform. Any decent IT provider can help.
  3. If the previous points don’t apply but you have interacted with individuals or businesses who do use Yahoo, assume the worst and start paying close attention to your bank and credit card statements. This is especially true if your insurance agent, broker, medical provider, or tax preparer uses Yahoo email.
  4. If your insurance agent, broker, medical provider or tax preparer uses a free email account, seriously consider changing providers. If they’re too frugal to pay for business-class email service, you can assume they’re cutting corners elsewhere too, such as security software and IT services.
  5. Pay close attention to your own email. Spammers who gain access to your name, email address, and a few pertinent details will often use the information in targeted “spearfishing” attacks. They will have just enough information to convince you they are legitimate, causing you to click something you really shouldn’t click.
  6. If you have sent emails containing passwords, be sure to change the passwords in question. I strongly encourage periodic password changes anyway, but this just gives you another reason to do so.

In conclusion, you should always avoid sending sensitive information via email. Once it’s out there, it just seems to hang around forever. Sooner or later it will get breached, and once it does, you could eventually become the target of well-crafted attack.