Why do companies hide their security features? Yahoo! users have ‘account key’ at their fingertips.

Tony Anscombe 15 Dec 2016

More than one billion Yahoo accounts hacked. Avast shares tips on how you can protect your account.

News outlets are proclaiming this is the biggest breach of its kind, and all we do is yawn and continue our everyday business. Are we in danger of becoming complacent when data breaches are disclosed, even when they grow in size?

Changing passwords, protecting email accounts, enabling two-step authentication, and generally being more vigilant about securing our online activities will all help stop the bad guys from gaining access to our online life and private information.

But let’s consider that yesterday’s Yahoo! data breach, which happened in 2013, affects an estimated one billion user accounts – in addition to the 500 million Yahoo user accounts breached in 2014. The data exposed may include email addresses, phone numbers, date of birth details, encrypted passwords, and, in some cases, security questions. Even if you change your passwords today, there may already be an opportunity for cybercriminals to reset or access your other online accounts, as some of this information has already been released by the hackers.

In the face of a breach with such far-reaching implications, maybe it's not that we are complacent, but that we simply don’t know what we can do after the fact. There are a few simple actions we can take, however, that will help.

For starters, stop trusting the traditional password and start allowing a password manager, such as Avast Passwords, to step in and create complex passwords and manage them on your behalf.

Avast Passwords uses secure encryption to generate secure passwords for all your accounts, meaning you don’t have to remember lengthy passwords and can easily change them on a frequent basis. A proactive feature also alerts you if your email address may have been compromised and allows you to change your passwords for all accounts associated with the email.

Move to two-step authentication where possible, if you haven’t already. This may sound complicated, but it’s a concept you already use, every time you withdraw money from an ATM. You have the card, and you know the PIN; but without both parts, you can't get cash. That’s two-step in action.

For an online account, the two factors might be your phone and the contents of a text message sent to you at log-in. It doesn’t have to be inconvenient, either. Some companies only invoke this stronger log-in process when you try accessing an account from a new device, which seems like a good compromise.

For Yahoo users, it might be a relief to know that Yahoo has a fairly unique security system called account key. If you are about to change your Yahoo password, I recommend taking the extra step and switching this service on. It simplifies log-in by connecting your log-in request with the Yahoo app on your phone. The browser log-in screen asks for your Yahoo ID, then displays a page that says it’s waiting for confirmation to log in.


Meanwhile, your phone will receive a notification asking you to confirm log-in with a simple yes or no click.
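A generic sketch of the push-approval log-in flow described above, added here as an example; it is not Yahoo's code. The class and function names, the HMAC key shared with the phone app at enrollment, and the 120-second expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a request stays pending (assumed value)

def sign_response(device_key, cid, approve):
    """Phone app: bind the yes/no answer to one request with the device key."""
    msg = f"{cid}|{'yes' if approve else 'no'}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()

class PushLoginService:
    """Server side of a push-approval log-in (hypothetical, illustrative)."""
    def __init__(self):
        self.device_keys = {}  # user_id -> key shared with the enrolled phone app
        self.challenges = {}   # challenge id -> pending log-in state

    def enroll_device(self, user_id):
        self.device_keys[user_id] = secrets.token_bytes(32)
        return self.device_keys[user_id]  # given to the phone app once

    def start_login(self, user_id, now=None):
        """Browser submitted an ID: open a request; the phone gets notified."""
        if user_id not in self.device_keys:
            raise ValueError("no enrolled device for this account")
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = {"user": user_id, "state": "pending", "expires": now + CHALLENGE_TTL}
        return cid

    def respond(self, cid, approve, tag, now=None):
        """Phone answered: accept only an authentic, timely, first answer."""
        now = time.time() if now is None else now
        ch = self.challenges.get(cid)
        if ch is None or ch["state"] != "pending":
            return "rejected"  # unknown request, or already answered
        if now > ch["expires"]:
            ch["state"] = "expired"
            return "expired"
        expected = sign_response(self.device_keys[ch["user"]], cid, approve)
        if not hmac.compare_digest(expected, tag):
            return "rejected"  # not produced by the enrolled device
        ch["state"] = "approved" if approve else "denied"
        return ch["state"]

    def browser_poll(self, cid):  # waiting page polls; only 'approved' opens a session
        ch = self.challenges.get(cid)
        return ch["state"] if ch else "unknown"
```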


I'm sure we're not far from a day when a company is going to enforce two-step authentication to access their service. The US government attempted to implement this about six months ago for the social security system. Due to some users' not having mobile devices, they stepped back and had to make it optional. While we all understand the limitations with this example, a technology company that targets users of mobile devices could make two-factor authentication mandatory, and I am sure they will consider doing so in the near future.
