The real lesson of the Yahoo hack, in which 500 million user account details were stolen, is this: any account details you enter into an online storage system will probably get hacked at some point. It might just be your email and (encrypted) password, or it might – as with Yahoo – be more details such as name, address, phone number, birthday and even answers to security questions you use to verify who you are.
Yahoo has in effect admitted that it will never now know whether a login attempt comes from the verified user or not: if you send a password reset request to a Yahoo.com account that has been compromised, what’s to stop the hacker from logging in and doing the reset?
But it’s worse for Yahoo’s users. If you used the same email and password for your Yahoo account as you do on, say, Amazon, then someone will eventually get hold of it and use it: you’ll find mysterious purchases (probably of high-value tokens sent to an email address, which will then use them to buy the real goods).
Obviously, the mantra that you should use different passwords everywhere (use a password manager like 1Password or LastPass; or use a consistent system involving names or abbreviations and numbers that you can remember) is one to obey. But more broadly, it’s simply another reminder that pretty much nothing is safe. Of the top ten sites in the world, only Google (with YouTube), Facebook, Amazon, Apple and Microsoft have not suffered widespread intrusions into their user databases.
That’s not for want of trying by hackers; and even Google suffered a minor attack in 2010 by Chinese hackers backed by its government. (The iCloud “hacks” in September 2014 weren’t a widespread break-in to Apple’s servers, but weak passwords and security on individual user accounts.)
The difference is that these companies can — and for their reputation must — devote substantial resources to security. But for smaller sites, it’s too hard. The complexity of modern database systems, allied to the subtle weaknesses in web security protocols (which can go unnoticed for years) means there are many targets for hackers. They look for old systems, which haven’t been updated, or for new weaknesses in recently-updated systems.
And as everything becomes more connected, the “attack surface” grows bigger and bigger. Earlier this week two hackers showed off how they could take control of a Tesla electric car; that followed similar incidents, also with Teslas, in 2014 and 2015.
Sometimes, the security is just poorly executed; in June 2011, Dropbox admitted that a “programmer error” meant that for a four-hour stretch, anyone could access any of its accounts by using any password. At the time it had 25 million users. Now it has around 500 million, but that didn’t stop it being hacked again in 2012, when the details of 68 million accounts were leaked. LinkedIn was hacked in the same period. Adobe, maker of Photoshop but also the notoriously flawed Flash plugin, said details of about 152 million accounts were leaked.
We can’t control this, and we can’t opt out. All you can do is protect yourself: use “two-factor authentication” on your email account (logins from different machines require a code sent to your phone, or generated by an app); check your credit card details. Hacking isn’t going away. But neither is our reliance on the web.
You can get a glimpse of how widespread the problem is by looking at haveibeenpwned.com, a site set up by Troy Hunt, an Australian web security expert. It checks and documents claims of hacks; you can check whether an email you own appears in any hack by just entering it. (It doesn’t ask for passwords; don’t trust sites that do.)
The website Haveibeenpwned contains 1.4 billion email addresses that have appeared in hacks, led presently by MySpace (359 million) and LinkedIn (164 million). Yahoo will soon be able to claim that it’s No.1 in one place, at least. But that’s probably not the epitaph Marissa Mayer would have chosen for her time at Yahoo.