In this week’s episode I’ll be discussing what to do in light of the Yahoo hack, and how to safeguard your information going forward whether or not you were affected by this hack.
Last week (9/22/2016), Yahoo announced that, in 2014, hackers made off with the account information of over 500 million users. This included names, email addresses, telephone numbers, birthdates, security questions, and salted and hashed passwords. Incredibly, Yahoo's statement detailing the breach said it believes the hack was carried out by a nation-state.
It feels as though hacks like these are becoming commonplace, and yet the recent Yahoo hack is one of the largest known breaches in history. The scary part is that these are huge companies: Anthem, Target, MySpace, eBay, and Home Depot. What's more, the stock price of these companies is generally unaffected by such breaches. It's clear from these hacks that consumers need to be very wary about what data they give away to companies. Be smart about how you handle your digital identity!
What Was Stolen in the Yahoo Hack?
Let's first look at the data that was stolen. Yahoo believes that names, email addresses, telephone numbers, birthdates, security questions, and hashed passwords were stolen. The one item out of those that probably has most people scared is the 'hashed passwords', but it is the item I'm least worried about.
Here's why. When passwords are stored correctly, they are never stored as what is called plain text. Plain text means the password is kept exactly as you typed it: like a password written on a piece of paper, anyone who sees it can copy it and use it. That is why plain-text password storage is so worrisome at companies with millions of users: if someone breaks in and steals the data, they instantly have every password just by reading it.
That is where hashing comes in. Hashing is how companies store passwords securely: the password is run through a one-way function and only the output is kept. The best way to think of this is to picture a blender and a pile of different fruits. When you choose a password, you're choosing a specific recipe to be blended. Turn on the blender, let it run for a couple of minutes, and you get a smoothie of a certain color. That color is what gets stored: the company knows only the color of your smoothie, not the ingredients that went into it.
The beauty of this is that the same recipe always produces the same color. The company can check the color each time you log in to confirm it's yours, while a hacker who steals the color would have a very hard time working backwards to the exact ingredients, that is, your password.
This is how Yahoo stores its passwords. So while the hackers have a copy of your stored password, they have only the color of your smoothie, not the recipe, and turning the color back into a recipe is the hard part. There is a lot of math, science, and programming behind it, but that's what hashing does in a nutshell. To get plain-text passwords out of the stolen data, the hackers would have to spend a lot of time and a lot of resources having computers guess thousands of times a second what your password is.
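To make the smoothie picture concrete, here is a small added example (written for this post, not Yahoo's code or any detail of how Yahoo actually stores passwords) of salted password hashing with a slow one-way function, using only Python's standard library. It shows the three properties the text describes: the same password always verifies, the stored record cannot be used to read the password back, and the salt mentioned in Yahoo's statement means two users with the same password end up with different stored records, so each one has to be guessed separately. The record format, the 200,000-round work factor and the sample passwords are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: how many rounds of PBKDF2 each guess must pay for.
# Raising it slows every guess an attacker makes against a leaked record.
# (Assumed value for this example; real deployments tune it to their hardware.)
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Blend the password into a stored record: algorithm$rounds$salt$digest.

    Only the digest (the 'color of the smoothie') and the public salt are kept;
    the password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-blend the supplied password with the stored salt and compare colors."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison so timing does not leak how close a guess was.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salt_separates_users(password: str) -> bool:
    """Two users who pick the same password must get different stored records.

    Without a salt, one guess would unlock every user sharing that password;
    with a per-user salt, each record has to be attacked on its own.
    """
    record_a = hash_password(password)
    record_b = hash_password(password)
    return (record_a != record_b
            and verify_password(password, record_a)
            and verify_password(password, record_b))


if __name__ == "__main__":
    # Constructed sample: what a site would store for one user.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("right password verifies:",
          verify_password("correct horse battery staple", stored))
    print("wrong password verifies:", verify_password("hunter2", stored))
    print("same password, different records:", salt_separates_users("hunter2"))
```

Note that `verify_password` can only say yes or no to a guess; nothing in the record lets anyone compute the password from the digest, which is exactly why a stolen dump of such records is far less dangerous than a stolen dump of plain-text passwords.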