No payment card or banking information was compromised in the latest 1 billion-user breach at Yahoo, according to expert reports. But what if there had been? The truth is that for most users it would be annoying, but not the end of the world.
So, why is this big news?
First of all, Yahoo can now claim two of the biggest security breaches in history. It is noteworthy that such a distinction should be attributable to a single entity. The response to the latest breach news has been huge. Ask any three experts and you'll probably get three different figures, but according to ZDNet, the users exposed in the two Yahoo breaches exceed the total number of records compromised between 2005 and 2013 by nearly double.
"We believe that the August 2013 incident is likely distinct from the incident we disclosed on September 22, 2016," a Yahoo spokesperson said. However, "there is some overlap in the population of potentially affected users accounts across the 2013 and 2014 events," according to a source familiar with the situation.
The post-breach news commentaries have been many and various. There are some experts who advocate foregoing any digital connection to the security-challenged giant. Others predict that the latest bad news will negatively impact Yahoo's sale to Verizon further, if not kill it. Within days of the breach, there were various articles advising how you could replace Yahoo services and delete your Yahoo account. That said, Yahoo is not the problem per se.
First of all, let's be crystal clear: This latest news does not refer the to 500 million Yahoo users who were affected by the breach reported this September. While there may be some overlap, this is a different breach with different issues. It occurred way back in 2013, but that's not really even the bad news here, though, yes, it is less than awesome that user information -- including poorly encrypted security questions and passwords that could be used in an account takeover -- has been out there for three years.
The bad news here is not limited to the fact that Yahoo didn't know about this breach until law enforcement officials told the company that their stolen user data was offered for sale on the dark web. The bad news is not even, as PC World reported, that in a separate incident an intruder was able to crack Yahoo's proprietary code and forge cookies, which would allow a hacker to get access to user information without a password. This last frightening bit of news seems to be related to the state-sponsored hack reported in September.
The bad news here is that this unsettling state of affairs -- of having your information out there at the fingertips of bad players looking to make a quick buck -- is not confined to Yahoo users. The real bad news is that we are all willing and/or unwitting conspirators in the exploitation of our own information, which has been sloshing around the hold of a virtual -- and somewhat unmanned -- freighter for years.
It Always Already Happened
There is, however, a bit of good news here. There are ways you can better protect yourself. All the subscriptions to identity theft monitoring cannot replace your active participation in your own defense. You are your best guardian.
Whether or not you choose to stay with Yahoo, it's a good idea to change your behavior to stay safe, and that means changing your outlook and approach to the digital world. The main point is this: We are always about to "get got." You don't need breaking news coverage to know that you are exposed. With literally billions of compromised files floating around, you have to be exceedingly lucky not to be within easy reach of a sticky-fingered thief looking to make bank at your inconvenience.
While there is no way out of the information inferno we all inhabit, there is a way to live in it peaceably. I go into the details more thoroughly in my book, "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves," but the basics of the practice I explain there can be summed up by three Ms: Minimize, Monitor and Manage.
Minimize Your Risk of Exposure: This can be anything from how you use the internet to what you choose to carry in your wallet. The goal is to decrease your attackable surface.
Monitor Your Identity: Get a free copy of your credit reports from each of the major credit reporting agencies at least once a year (some states permit more than one) at AnnualCreditReport.com. Consider subscribing to a credit and identity monitoring service. Set up transaction notices with your bank and credit card accounts, and pay attention. If you stay on top of things, you make it harder for crooks to get a foothold into your financial life. And if you have reason to believe you've been the victim of identity theft -- unexplained accounts and mysterious addresses are two warning signs -- don't ignore it. You can view two of your free credit scores, updated every 14 days, on Credit.com.
Manage the Damage: Notify the authorities if you have become a victim. Get an identity theft incident report that you can use to straighten out your credit and identity issues. Check with your insurance agent, financial services rep or the human resources department where you work to see if they offer an identity theft protection services program and if you are enrolled. You may be pleasantly surprised to learn that they do and you are enrolled free, or can access it at a discount as a perk of your relationship. You may also want to consider freezing or placing a fraud alert on your credit as well, depending on what's been compromised.
Never forget -- the ultimate guardian of the consumer is the consumer, and no one has a bigger stake in protecting your economic security and well-being than you.