I’m as tired of “hold my beer” jokes as you are, but this news seems to beg for one. While Equifax CEO Richard Smith was saying very little about his former firm’s massive hack during a three-hour hearing before Congress yesterday, Yahoo (now called Oath, and part of Verizon) quietly announced a most remarkable thing: 3 billion Yahoo account holders were impacted by a 2013 hack at the firm. In other words, every Yahoo account worldwide was hacked.
Yahoo had said in December that far fewer accounts were hacked.
“At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected,” the notice, filed with the Securities and Exchange Commission, reads. “Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts.”
It might seem like 3 billion trumps 145 million, but don’t forget that a) These are both unimaginably large numbers and b) The data stolen from Equifax is far more sensitive, so the Yahoo hack pales in comparison.
Still, it’s hard to get your head around a number like 3 billion. That was the entire population of Earth when I was a kid, for example. (Now it’s more than double that, but you get the point.) Of course, many people have multiple accounts, so we can’t say that about half of all global citizens were hacked during the Yahoo incident.
We can say this: Some very high percentage of Internet users worldwide had better change their passwords. Yahoo forced password changes after the incident, of course, but it’s highly likely that victims re-used those Yahoo passwords in other places. All those passwords are now toxic. At an absolute bare minimum, you should change passwords that you haven’t touched since 2013. Some computer somewhere — probably hundreds of them — is currently churning through all 3 billion user/pass combinations at every site and service imaginable, looking for “keys” that fit a lock. It’s only a matter of time.
I know many of you reading this think you are way too smart to fall for that, but we all have accounts we’ve long forgotten.
Last year, I attended a very visceral demonstration of this.
The folks at Mozilla and the Tactical Technology Collective set up a clever art installation/pop-up shop in lower Manhattan called “The Glass Room” to make several points about privacy. It had several exhibits, but the relevant one here: visitors could look at an encyclopedia-style pile of books in which every password stolen from LinkedIn was printed. They were listed alphabetically, so every few minutes someone exclaimed when they found their password printed in the volumes. Here’s a video of that.