On September 22, Yahoo confirmed that a data breach orchestrated by a "state-sponsored actor" in late 2014 had resulted in at least 500 million user accounts being compromised. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and even encrypted or unencrypted security questions and answers, but not credit card data.
While this is definitely a cybercatastrophe for Yahoo, it has to be said that this is just one in a constant drumbeat of hacks in recent memory. In May, LinkedIn discovered more than 117 million account details originating from a 2012 breach had surfaced on the dark web; and shortly after, Time confirmed a MySpace hack had compromised 360 million accounts. In fact, as of this writing, a data dump of 68 million Dropbox accounts from a 2012 breach has just been made available for download - for free.
We hate to say this, but such security breaches will continue to happen. As we conduct more and more activities online, we're also storing more and more personal records online. Put simply, this mountain of data on servers is to hackers what money in banks is to bank robbers.
If there's any consolation, it's that companies, big and small, are in general moving towards better security practices. No semi-decent web service today will store passwords as unsalted SHA-1 hashes, because those are cracked far too easily. Better companies will use at least a salted hash and a purpose-built password hashing function such as bcrypt, and many companies will encrypt user data both in transit and at rest. We like to check a company's security policy before we sign up for its service, and we recommend that you do the same.
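To make the unsalted-SHA-1 versus salted-slow-hash point concrete, here is a small example written for this post (not Yahoo's or any other company's code); it assumes a constructed user list, and Python's standard-library PBKDF2 stands in for bcrypt so it runs without extra packages.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample credentials for the demonstration only (not real accounts).
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}


def unsalted_sha1(password: str) -> str:
    """The weak legacy scheme: one deterministic hash per password, no salt, fast to compute."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_kdf(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here;
    the storage properties shown (per-user salt, tunable cost) are the same."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def shared_password_groups(hashes: Dict[str, str]) -> List[List[str]]:
    """Group users whose stored values are byte-identical. With unsalted hashes this
    immediately reveals who shares a password, and one precomputed table of common
    passwords cracks every such group at once; with a per-user salt no group forms."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [group for group in by_hash.values() if len(group) > 1]


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: salted_kdf(p) for u, p in USERS.items()}
    print("shared passwords visible with unsalted SHA-1:", shared_password_groups(weak))
    print("shared passwords visible with salted KDF:", shared_password_groups(strong))
```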
1. Never reuse the same password
Using a strong password is the first must-do (here’s how to make stronger passwords). The second is not to reuse it for other accounts. A strong password reused across accounts becomes a weak password for all of them the moment any one of them is compromised.
2. Fake answers to security questions
Don't use simple answers to account security questions. Since the real answers may be known even to acquaintances, I actually suggest that you fake them. Because tell me, who could have guessed that your mother's maiden name is "Pirates of the Caribbean"?