NSHE Security Advisory – Yahoo Breach and Password Reuse


Nobody wants to get through 2016 quicker than Yahoo. After announcing a massive breach of accounts several months ago, they have now reported that a separate incident has compromised up to a billion more accounts. The two breaches, according to Yahoo, are separate incidents, though they may have been associated with the same state actor (a country that sponsors cyber attacks). There are several news stories available that give the details of this attack. The purpose of this advisory is to identify risks that may impact NSHE.

If you use the same password for your work accounts and personal accounts, this creates a substantial risk to NSHE data. A breach of your Yahoo account may reveal to an attacker the credentials needed to access our resources. If you have used the same account on Yahoo, today would be a good day to change your NSHE passwords. The best advice is to use different passwords for all of your accounts and to use a password vault application such as LastPass to store them securely.

Additionally, the common e-mail vendors have optional security measures that you can use to further protect your account. Since we mentioned Yahoo, consider using the Yahoo Account Key, a simple authentication tool that eliminates the use of a password altogether. It sends the login request to your mobile device and you can approve or decline the login. In other words, if a bad guy tries to log in to your account, it will require approval via a notice sent to your phone. If it’s not you logging in, deny the request.

The bottom line is to protect NSHE information resources by not using the same password you use for personal accounts, and to consider using the enhanced security functions offered by most of the personal e-mail sites today.