The world’s largest hack, of Yahoo, also affects BT and Sky email users.
It now transpires that both BT and Sky used Yahoo’s email system and labelled it as their own. This is particularly ironic given that Sky’s parent company, Fox, has had to pay out hundreds of millions to people, its own customers among them, whom it had itself hacked.
What is even more worrying is customer inertia: stubborn user behaviour and the economics of darknet markets mean the chances of a serious breach at another major internet service increase dramatically with each hack.
The user-behaviour part is that people like to reuse their passwords, a lot.
One estimate, from Cambridge University’s Security Group, puts password reuse as high as 49%.
That is, roughly one in every two accounts that requires a log-in shares its password with another account.
When a big cache of hacked passwords ends up traded on darknet markets, it often gets added to password databases. These databases can be used by corporations to ensure their users don’t use previously published, insecure passwords—or more maliciously by hackers, who will try to find passwords reused on other services.
It’s the equivalent of trying millions of different keys on a particular door, except it’s all automated and can be done in days, as the password cracker Jeremi Gosney has detailed for Ars Technica.
Password reuse and marketplaces for stolen data mean that password databases grow larger and more robust with each major breach. For example, LinkedIn was hacked in 2012 for more than 100 million user accounts. Parts of those stolen credentials wound up in darknet data dumps.
One of those log-ins belonged to a Dropbox employee, who apparently reused a password, allowing a hacker to enter the file-sharing platform’s corporate network. This led to the theft of 70 million Dropbox user passwords, which the company confirmed in August. One massive hack leads to another, forming a daisy-chain of insecurity.
The Yahoo breach is five times the size of the LinkedIn theft. That’s a lot more data to add to password-cracking lists.
The only thing we internet users have going for us now is to hope the “state-sponsored actor” that Yahoo says is behind the hack doesn’t dump the data in public, or sell it for profit. When that happens, we’re due for a password reset.
You can check if your email has been hacked and touted online at: https://haveibeenpwned.com/
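The defensive use of a breach corpus described above (an organisation refusing passwords that have already leaked) can be done without ever sending the candidate password, or even its full hash, to the checking service. The following is an added example, not code from the article or from Have I Been Pwned; it models the k-anonymity range-query scheme that service’s Pwned Passwords API uses, over a small constructed corpus rather than real breach data.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a leaked-credential dump (hypothetical, not real breach data).
# Repeats model the same password appearing in several breaches.
BREACH_CORPUS = ["password", "password", "password", "123456", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form breach-corpus range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- service side -----------------------------------------------------------
def build_range_index(corpus):
    """Index hashes by their first five hex digits; value is {suffix: count}."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], Counter())[digest[5:]] += 1
    return index


def range_query(index, prefix: str):
    """Simulated range endpoint: every 'SUFFIX:COUNT' line sharing the 5-char prefix.
    The service never learns which suffix the caller is interested in."""
    return [f"{suffix}:{count}" for suffix, count in index.get(prefix.upper(), {}).items()]


# --- client side ------------------------------------------------------------
def breach_count(password: str, index) -> int:
    """Return how many times the password appears in the corpus (0 if never).
    Only the 5-character prefix leaves the client; matching is done locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(index, prefix):
        line_suffix, count = line.split(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def check_new_password(password: str, index) -> str:
    """Policy hook for a password-change form: reject anything already leaked."""
    hits = breach_count(password, index)
    return f"rejected: seen {hits} time(s) in breach corpus" if hits else "accepted"


if __name__ == "__main__":
    idx = build_range_index(BREACH_CORPUS)
    for candidate in ["password", "correct-horse-battery-staple-2016"]:
        print(candidate, "->", check_new_password(candidate, idx))
```

The same prefix query serves the user-facing check on the page: what is looked up is a five-character hash prefix, so the checking service cannot reconstruct the password from the request.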