Recently in the news, Yahoo! was reported to have been hacked, with more than 400,000 user credentials stolen. The hackers apparently wanted their feat publicly known and posted the credentials online. According to them, “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.” What a thoughtful way to go about helping Yahoo! Who cares about the 400K+ users who were inconvenienced by the incident? Do you know the trouble a Yahoo user had to go through to change their password? I’m talking about those who are also AT&T users and who at one time or another had their Yahoo account merged with their AT&T account. It took me half an hour of searching the internet to finally accomplish that, and I am a computer guy. What about the thousands of users out there who relied only on customer support to do it? The lucky ones got it done without too many further woes. But others, like those I read about on the forums, spent hours on the phone and were directed from one party to another: AT&T support told them to contact Yahoo support and vice versa. What a mess! Thankfully, with a bit more searching on Google, I got mine resolved fairly quickly and without further frustration.
Anyhow, this hack raises some questions about the security measures taken by some of these companies, especially the bigger ones who have the resources to do better. Even if the hackers were to steal the user data, it would have taken them a long, long time to extract those encrypted passwords, assuming they were encrypted. So being able to post 400K+ passwords (I have not seen the posted data myself and rely only on the news reports) means one of two things (if not more): either the passwords were not encrypted at all (which would be a “shame on you” thing) and sat in plain text in the database, or the encryption was so weak that it could be broken fairly quickly. Neither case is any excuse, especially for a large corporation that supposedly has the resources to do better.
How can we tell whether a service provider has a good password encryption process that keeps your private data private? I’m sure there are many ways, but for me the simplest is to use their “Forgot your password?” link. If the provider sends your password back in an email in plain text that you can read, you had better avoid using their service from here on. That is a good sign that they are using a weak encryption method or, worse, no encryption at all. A secure provider should not be able to show you your password, because even if they wanted to, they would not be able to. Instead they send you a link to reset your password, after further verification of course, using security questions and answers that only you know.
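To make that test concrete, here is an added example (my own code, not from the original post) contrasting a site that can answer “Forgot your password?” by mailing the password back with one that keeps only a salted PBKDF2 hash and therefore can do nothing but issue a single-use reset token. The class names and the example.invalid reset host are invented for illustration.

```python
import hashlib, hmac, os, secrets


class PlaintextStore:
    """Weak design: the password is stored as typed, so the site can mail it back."""
    def __init__(self):
        self.users = {}  # user -> password

    def register(self, user, password):
        self.users[user] = password

    def forgot_password(self, user):
        # Hands back the password itself: the red flag the post tells you to watch for.
        return f"Your password is: {self.users[user]}"


class HashedStore:
    """Sound design: only a salted PBKDF2 hash is kept; recovery means a one-time reset token."""
    def __init__(self, iterations=200_000):
        self.iterations = iterations
        self.users = {}         # user -> (salt, derived key)
        self.reset_tokens = {}  # token -> user

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._derive(password, salt))

    def forgot_password(self, user):
        # The hash cannot be turned back into the password, so the site can only
        # issue an unguessable single-use token that lets the user choose a new one.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = user
        return f"Reset link: https://example.invalid/reset?token={token}"  # placeholder host

    def reset_password(self, token, new_password):
        user = self.reset_tokens.pop(token, None)  # consumed on first use
        if user is None:
            return False
        self.register(user, new_password)
        return True
```

Note that the weak store needs no cryptography at all to answer the reset request, which is exactly why a mailed-back password tells you how the site stores it.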
Well, if after learning that a service provider (meaning any website service you use) isn’t secure you still want to keep using their website, I would recommend that you use a one-of-a-kind password with that site. That is, a password not used on any other website, and only for a site that holds nothing important with regard to your private data, something like a game site. You decide what is important to you. If it is a site like your email service provider, I suggest that you change providers quickly, without further risk of compromise. I can tell you that there are a lot of email users whose accounts have been compromised, and it is not only inconvenient: sensitive data has been compromised too. So be aware that every day there are actual living beings out there, somewhere in some dark corner of this earth, who are at this moment trying to break into your account. Just a week ago, I received an email that supposedly came from someone I know, but judging by the email I knew instantly it wasn’t from him and was definitely the work of someone who had hacked into that account. If I were to tell you how easy it is to hack into someone’s Gmail account (at least at one time; hopefully Gmail has updated its security process since), you would not believe it. I did not either until I saw it on YouTube. Well, if it is on YouTube, you can be sure that thousands if not millions of others have also seen the video, and probably learned how to do it in the process. This is real in the cyber world. But by taking the necessary precautions you will be a little safer, although no security is 100%.