Yahoo Data Breach: Stolen Passwords Were Encrypted, but That Doesn't Mean Users Are Safe

The most dangerous losses could be security questions and answers

Most of the passwords stolen in the massive data breach at Yahoo were encrypted, the company says, but that doesn't mean consumers are safe, according to security experts interviewed by Consumer Reports.

On Thursday, Yahoo confirmed that information from a half-billion user accounts had been stolen from the company’s databases in late 2014. According to a statement by Bob Lord, Yahoo's chief information security officer, the stolen data may have included "names, email addresses, telephone numbers, dates of birth," and security information including passwords, plus security questions and answers.

According to Lord, most of the passwords had been cryptographically secured with a hashing scheme known as bcrypt. This uses a one-way mathematical function to convert each plain-text password into a long string of characters (the hash), and it is that string, not the password itself, that is stored on the company’s servers. But does that mean the data is safe?
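As an added illustration of what "hashed with bcrypt" means in practice (this is example code written for this piece, not code from the article, from Yahoo, or from any bcrypt library), the block below stores and checks passwords the way the article describes. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, since bcrypt itself needs a third-party package; the two share the properties that matter here, a random per-user salt and an adjustable cost that makes every guess slow for an attacker while one login check stays cheap for the server. The record format, the cost numbers and the sample users are assumptions of this example.

```python
"""Salted, slow password hashing in the style the article attributes to bcrypt.

Stand-in: PBKDF2-HMAC-SHA256 (standard library) instead of bcrypt.
The "pbkdf2-sha256$cost$salt$digest" record layout is invented for this demo.
"""
import hashlib
import hmac
import os

# Work factor as a power of two, mirroring bcrypt's cost parameter:
# cost 12 means 2**12 = 4096 iterations of the underlying function.
DEFAULT_COST = 12
SALT_BYTES = 16
ALGO = "pbkdf2-sha256"


def hash_password(password: str, cost: int = DEFAULT_COST) -> str:
    """Return a self-describing record: algorithm, cost, random salt, digest.

    A fresh salt per user means two people with the same password get
    different records, so a precomputed table of hashes is useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)
    return "{}${}${}${}".format(ALGO, cost, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    algo, cost, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record type: " + algo)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), 2 ** int(cost)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_cost(record: str) -> int:
    """Cost factor stored inside a record."""
    return int(record.split("$")[1])


def needs_rehash(record: str, policy_cost: int) -> bool:
    """True when a stored record is weaker than current policy.

    Because the plain password is only available at login, sites raise the
    cost by re-hashing on the next successful login rather than in bulk.
    """
    return record_cost(record) < policy_cost


def demo() -> None:
    # Constructed sample user table; passwords are deliberately weak examples.
    users = {
        "alice": hash_password("hunter2", cost=10),   # older, lower-cost record
        "bob": hash_password("hunter2", cost=12),     # same password, current cost
    }
    print("same password, different records:", users["alice"] != users["bob"])
    for name, record in users.items():
        ok = verify_password("hunter2", record)
        upgrade = needs_rehash(record, DEFAULT_COST)
        print("{}: login ok={} needs_rehash={}".format(name, ok, upgrade))
    print("wrong password rejected:", not verify_password("hunter3", users["bob"]))


if __name__ == "__main__":
    demo()
```

The defender's takeaway is the one Grossman makes: the cost factor is what slows a brute-force attacker, because every guess must pay the same 2^cost iterations the server pays for one legitimate login, and the per-user salt stops that work from being shared across accounts. None of this helps with fields that must be read back in the clear, which is why the unhashed data the article goes on to discuss is the larger worry.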

Jeremiah Grossman, chief of security strategy at SentinelOne, a security firm, and a former information security officer at Yahoo, is very familiar with the technology. “Bcrypt is a pretty strong hash, one of the best,” he says. “It can slow down the bad guys and brute force attacks,” in which powerful computers try to run through every possible combination of characters to crack a password.

But other information was probably not as secure. “All the giants—Google, Facebook, Yahoo—will hash passwords," Grossman says. "But other data, like your date of birth, they won’t. These are advertising companies, and they need to get to that data easily. Hashing it would be a direct violation of their business model." And that information can make consumers vulnerable to identity theft.

It's still unclear who launched the attack, though Yahoo is saying it was sponsored by a national government. “At this stage, attribution is really hard, but I’ll give Yahoo the benefit of the doubt on this,” Grossman says. “I know several people who work on security there. They’re competent. But I haven’t spoken with them—they’re on fire right now” as they respond to the crisis.

What You Should Do

If you have a Yahoo account, there are a few steps to take right away.

  • First, change your Yahoo password—make it strong, long and unique.
  • Set up two-factor authentication (2FA) on the account. Then, even if a criminal gains access to your password, he won't be able to log in to the account unless he also somehow gets access to your text messages. If you were using the same password on other accounts—a major security no-no—change those and set up 2FA if possible, too.
  • Finally, change your security questions and answers—and not just on your Yahoo account. “What’s disconcerting to me is the breach of the password-recovery data,” says Lujo Bauer, a security researcher and associate professor at Carnegie Mellon University. Bauer recommends identifying a handful of your most high-value accounts and changing your recovery questions and answers. Don't use real information, such as your mother's maiden name or the street you lived on as a child. “You can make up answers and record them in your password manager or write them down in a secure place,” Bauer advises.