Yahoo data breach: What does it mean for you?

Yahoo has finally acknowledged a 2014 hack of their servers that resulted in the leak of login information belonging to an estimated 500 million users . While this is not the first hack of this kind, it’s certainly the largest that we’re aware of. If one were to just glance at the list of breaches in recent memory, chances are high that your data has already been compromised. Yahoo? 500 million accounts. MySpace? 360 million accounts. LinkedIn? 165 million accounts. Ebay? 145 million. Sony PSN? 102 million. Dropbox? 68 million. The list goes on. And these are only the high-profile ones. Smaller gaming forums, shopping sites, government websites and the like get hacked all the time and it’s unlikely that all of them use state-of-the-art security. Assuming that your usernames and passwords and other such personal information is in the hands of hackers and has been since at least 2014, has it impacted you? Probably not, but that doesn’t mean that you can relax. You’re a drop in the ocean, but every drop counts  While news of a hack might send you into a tizzy and you worry yourself to death over compromised photos, leaked information and whatever else was in that particular closet. The fact remains, however, that you’re one among millions, nay, hundreds of millions. For a hacker to specifically target you and extract your information so he can look at your compromised photos and other information is just too arduous a task. Unless he has good reason to do that of course.  Hackers today deal in bulk. Most of this compromised information ends up in a database of sorts. Hackers can sift through this database and target user ids from a specific domain like .gov for example. Say, China wants to hack the FBI, they’ll sift through the database for IDs that they know are affiliated to such institutes and target them. This database also helps hackers generate ever more accurate hacking algorithms that will make decrypting future password databases easier. Others might use the information to set up ghost accounts to, say, boost App reviews, to generate spam, send malicious email (phishing attacks, malicious code, etc.). As Business Insider points out, hackers can even use this information to create fake IDs and buy and resell medical equipment, make fraudulent purchases online and more. The possibilities are endless. The bottom line is just this: The average person is not significant to a hacker. Your information may have been breached, but unless it’s orders of magnitude more important than that of everyone else and the hackers know about it and the hackers want it, your personal information is relatively safe. You may not be directly or immediately affected by a breach, but that doesn’t mean you can get complacent about it. Your password is safe. Maybe.  The easiest way to protect yourself is to use trusted services that respect your privacy. Anyone can crack a password, what matters is the cost (time, computing power, etc.) of cracking that password. Newer encryption standards like bcrypt can raise the cost of cracking a password by a million fold or more. We’re not exaggerating. As  ArsTechnica explains, information encrypted with the more prevalent MD5 and SHA1 protocols can be decrypted at the rate of millions of attempts a second, sometimes billions. If Yahoo’s leaked database was only using MD5, the entire database could have been hacked in a matter minutes, at most. Protocols like bcrypt, which Yahoo does use (though not on all affected accounts, sadly), bring down the decryption rate from millions to the low hundreds. Passwords can still be hacked, but it can take tens of thousands of years for a hacker to get through a large database. Sure, Yahoo’s database was breached, but it’s unlikely that hackers have your password. Still, change your password. Ever heard of the optimism bias? Yours might be the first password they crack. Safe practices The best way to keep your information safe is to only give out personal information on trustworthy sites. And even then, avoid giving out any information unless absolutely necessary. Never, repeat, never, use the same login information on multiple accounts. It’s the easiest way to get hacked. Use different passwords, enable two-step authentication if you have the option and, if nothing else, use services like LastPass to generate and manage secure passwords. Most importantly, stay vigilant and trust your instincts. If something looks phishy, it probably is.