Security Alerts - Information Security Office
Friday, September 23rd
To: All University of Massachusetts Medical School Faculty, Staff and Students
Subject: Yahoo Confirms 500 Million Accounts Stolen in Largest Breach in History
As many of you are aware, Yahoo confirmed yesterday (9/22/2016) that data associated with half a billion accounts has been stolen. If you use Yahoo Mail or any of its services (Tumblr, Flickr, Fantasy Football), you need to act now. The company confirmed on Thursday that a massive data breach affected at least 500 million user accounts. Leaked account information may include names, email addresses, telephone numbers, dates of birth, hashed passwords, encrypted or unencrypted security questions and answers.
In a statement from Yahoo yesterday:
"Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so."
If you, or someone you know, uses Yahoo for their personal email, UMass Medical School Information Security recommends you take action immediately. Internet criminals will use this information in a variety of ways. For instance, it’s been reported already that “fake” emails from Yahoo security are making their way around the internet, claiming you need to reset your Yahoo account. In actuality, these are classic “phishing” emails looking just like the real ones.
1) Open your browser and go to Yahoo. Do not use a link in any email. Update your Yahoo account with a new password and new security questions.
2) If you were using that same password on multiple websites, you need to stop. Hackers could use the information taken from Yahoo to obtain access to other online accounts that contain even more sensitive information. If you did use your Yahoo passwords on other sites, go to those sites and change the password there too.
3) Watch out for any phishing emails that relate to Yahoo in any way and that ask for information. Also, be alert for any suspicious activity.
4) Turn on Two Factor Authentication (2FA). On its own, a password isn't a strong line of defense. Adding a second type of authentication, like a one-time code sent over text message or generated by an app, can greatly secure your online accounts. Yahoo is recommending people turn on its two-factor authentication tool: Yahoo Account Key. While it's certainly an extra step, make it a part of your daily routine. Next time there's a story about a massive data breach, you'll be glad you did.
Although this is more focused on personal accounts, the UMass Medical School Information Security Department is happy to answer any questions related to the Yahoo breach. Please reach out to Brian Coleman personally or email ITSecurity@umassmed.edu.
Additional alerts from previous concerns are listed below: